From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 248de5: char: restore read callback on a reattached (hotpl...
Date: Wed, 23 Jul 2014 10:30:11 -0700

  Branch: refs/heads/stable-1.7
  Home:   https://github.com/qemu/qemu
  Commit: 248de52cf84185b3bafea8ba31333bd0d7a34893
      https://github.com/qemu/qemu/commit/248de52cf84185b3bafea8ba31333bd0d7a34893
  Author: Gal Hammer <address@hidden>
  Date:   2014-06-20 (Fri, 20 Jun 2014)

  Changed paths:
    M qemu-char.c

  Log Message:
  -----------
  char: restore read callback on a reattached (hotplug) chardev

Fix a bug that was introduced in commit 386a5a1e. A removal of a device
set the chr handlers to NULL. However when the device is plugged back,
its read callback is not restored so data can't be transferred from the
host to the guest (e.g. via the virtio-serial port).

https://bugzilla.redhat.com/show_bug.cgi?id=1027181

Signed-off-by: Gal Hammer <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit ac1b84dd1e020648db82a99260891aa982d1142c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8b8dd2c4b50abe5647de7c336496c253dc474d3b
      https://github.com/qemu/qemu/commit/8b8dd2c4b50abe5647de7c336496c253dc474d3b
  Author: Markus Armbruster <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/scsi/scsi-bus.c

  Log Message:
  -----------
  scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b

The transfer length depends on field BYTCHK, which is encoded in byte
1, bits 1..2.  However, the guard for case BYTCHK=11b doesn't
work, and we get case 01b instead.  Fix it.

Note that since emulated scsi-hd fails the command outright, it takes
SCSI passthrough of a device that actually implements VERIFY with
BYTCHK=11b to make the bug bite.

Screwed up in commit d12ad44.  Spotted by Coverity.

Cc: address@hidden
Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7ef8cf9a0861b6f67f5e57428478c31bfd811651)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0a77a92d74f98e4898cb54c945ada84768427851
      https://github.com/qemu/qemu/commit/0a77a92d74f98e4898cb54c945ada84768427851
  Author: Peter Lieven <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: fix deadlock on scsi check condition

The retry logic was broken because the complete status
of the task structure was not reset. This resulted in
an infinite loop retrying the command over and over.

CC: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 837c390137193e715fee20b35c0ddb164b1c4fa4)

Conflicts:
        block/iscsi.c

*only modified retry clauses present before 063c3378

Signed-off-by: Michael Roth <address@hidden>


  Commit: 91ae1d30ec5b3b8826c2f9e3742e1d52f2fadb0b
      https://github.com/qemu/qemu/commit/91ae1d30ec5b3b8826c2f9e3742e1d52f2fadb0b
  Author: Thomas Huth <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/s390x/s390-virtio-hcall.c

  Log Message:
  -----------
  s390x/virtio-hcall: Add range check for hypervisor call

The handler for diag 500 did not check whether the requested function
was in the supported range, so illegal values could crash QEMU in the
worst case.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Signed-off-by: Christian Borntraeger <address@hidden>
CC: address@hidden
(cherry picked from commit f2c55d1735175ab37ab9f69854460087112d2756)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2e191f8e545c3235849508bd555e4856347e9cc5
      https://github.com/qemu/qemu/commit/2e191f8e545c3235849508bd555e4856347e9cc5
  Author: Richard Henderson <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M target-i386/cc_helper.c
    M target-i386/translate.c

  Log Message:
  -----------
  target-i386: Fix CC_OP_CLR vs PF

Parity should be set for a zero result.

Cc: address@hidden
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Edgar E. Iglesias <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit d2fe51bda8adf33d07c21e034fdc13a1e1fa4e19)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6be38ee9e711dd89ea9693d317baa7a8ec9c9d12
      https://github.com/qemu/qemu/commit/6be38ee9e711dd89ea9693d317baa7a8ec9c9d12
  Author: Richard Henderson <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M target-i386/translate.c

  Log Message:
  -----------
  target-i386: Fix ucomis and comis memory access

We were loading 16 bytes for both single and double-precision
scalar comparisons.

Reported-by: Alexander Bluhm <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit cb48da7f8140b5cbb648d990876720da9cd04d8f)

Conflicts:
        target-i386/translate.c

*removed dependency on 323d1876

Signed-off-by: Michael Roth <address@hidden>


  Commit: 4f577e9e69c0ac8befd75d67ca591398e4994719
      https://github.com/qemu/qemu/commit/4f577e9e69c0ac8befd75d67ca591398e4994719
  Author: Fam Zheng <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/scsi/scsi-generic.c
    M hw/scsi/spapr_vscsi.c
    M include/hw/scsi/scsi.h

  Log Message:
  -----------
  scsi: Change scsi sense buf size to 252

Current buffer size fails the assertion check in like

    hw/scsi/scsi-bus.c:1655:    assert(req->sense_len <= sizeof(req->sense));

when backend (block/iscsi.c) returns more data than 96.

Exercise the core dump path by booting a Gentoo ISO with scsi-generic
device backed with iscsi (built with libiscsi 1.7.0):

    x86_64-softmmu/qemu-system-x86_64 \
    -drive file=iscsi://localhost:3260/iqn.foobar/0,if=none,id=drive-disk \
    -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 \
    -device scsi-generic,drive=drive-disk,bus=scsi1.0,id=iscsi-disk \
    -boot d \
    -cdrom gentoo.iso

    qemu-system-x86_64: hw/scsi/scsi-bus.c:1655: scsi_req_complete:
    Assertion `req->sense_len <= sizeof(req->sense)' failed.

According to SPC-4, section 4.5.2.1, 252 is the limit of sense data. So
increase the value to fix it.

Also remove duplicated define for the macro.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c5f52875b980e54e6bebad6121c76863356e1d7f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7e42cd6f35a48b20651eb84894ba8df9039e7ccb
      https://github.com/qemu/qemu/commit/7e42cd6f35a48b20651eb84894ba8df9039e7ccb
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M qom/object.c

  Log Message:
  -----------
  qom: Avoid leaking str and bool properties on failure

When object_property_add_str() and object_property_add_bool() fail, they
leak their internal StringProperty and BoolProperty structs.  Remember
to free the structs on error.

Luckily this is a low-impact memory leak since most QOM properties are
static qdev properties that will never take the error case.
object_property_add() only fails if the property name is already in use.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit a01aedc8d32e6f5b08a4041b62be3c5fab7a3382)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a290aeebc477e9b17b5aeded425be0009798faa2
      https://github.com/qemu/qemu/commit/a290aeebc477e9b17b5aeded425be0009798faa2
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M net/tap.c

  Log Message:
  -----------
  tap: avoid deadlocking rx

The net subsystem has a control flow mechanism so peer NetClientStates
can tell each other to stop sending packets.  This is used to stop
monitoring the tap file descriptor for incoming packets if the guest rx
ring has no spare buffers.

There is a corner case when tap_can_send() is true at the beginning of
an event loop iteration but becomes false before the tap_send() fd
handler is invoked.

tap_send() will read the packet from the tap file descriptor and attempt
to send it.  The net queue will hold on to the packet and return 0,
indicating that further I/O is not possible.  tap then stops monitoring
the file descriptor for reads.

This is unlike the normal case where tap_can_send() is the same before
and during the event loop iteration.  The event loop would simply not
monitor the file descriptor if tap_can_send() returns true.  Upon next
iteration it would check tap_can_send() again and begin monitoring if we
can send.

The deadlock happens because tap_send() explicitly disabled read_poll.
This is done with the expectation that the peer will call
qemu_net_queue_flush().  But hw/net/virtio-net.c does not monitor
vm_running transitions and issue the flush.  Hence we're left with a
broken tap device.

Cc: address@hidden
Reported-by: Neil Skrypuch <address@hidden>
Tested-by: Neil Skrypuch <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 68e5ec64009812dbaa03ed9cfded9344986f5304)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 151be4f61f305b695c844bd7768090790b554fa8
      https://github.com/qemu/qemu/commit/151be4f61f305b695c844bd7768090790b554fa8
  Author: Stefan Weil <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M tests/tcg/test_path.c

  Log Message:
  -----------
  tests: Fix 'make test' for i686 hosts (build regression)

'make test' is broken at least since commit
baacf04799ace72a9c735dd9306a1ceaf305e7cf. Several source files were moved
to util/, and some of them there split, so add the missing prefix and new
files to fix the compiler and linker errors.

There remain more issues, but these changes allow running the test on a
Linux i686 host.

Cc: address@hidden
Signed-off-by: Stefan Weil <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 6d4adef48dd6bb738474ab857f4fcb240ff9d2d6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0414abe04f9782404ef08179763bca5e26633177
      https://github.com/qemu/qemu/commit/0414abe04f9782404ef08179763bca5e26633177
  Author: Stefan Weil <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: Don't use __int128_t for clang versions before 3.2

Those versions don't fully support __int128_t.

Cc: address@hidden
Signed-off-by: Stefan Weil <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit a00f66ab9b3021e781695a73c579b6292501ab37)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8211eeb7d26915d99a1d6a7eb79d09e862784f4a
      https://github.com/qemu/qemu/commit/8211eeb7d26915d99a1d6a7eb79d09e862784f4a
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block/mirror.c
    M trace-events

  Log Message:
  -----------
  mirror: fix throttling delay calculation

The throttling delay calculation was using an inaccurate sector count to
calculate the time to sleep.  This broke rate-limiting for the block
mirror job.

Move the delay calculation into mirror_iteration() where we know how
many sectors were transferred.  This lets us calculate an accurate delay
time.

Reported-by: Joaquim Barrera <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit cc8c9d6c6f28e4e376a6561a2a31524fd069bc2d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0fd56fb8443d52a20d6bd8b4b543c4a8f9d0756d
      https://github.com/qemu/qemu/commit/0fd56fb8443d52a20d6bd8b4b543c4a8f9d0756d
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block/mirror.c

  Log Message:
  -----------
  mirror: fix early wake from sleep due to aio

The mirror blockjob coroutine rate-limits itself by sleeping.  The
coroutine also performs I/O asynchronously so it's important that the
aio callback doesn't wake the coroutine early as that breaks
rate-limiting.

Reported-by: Joaquim Barrera <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 7b770c720b28b8ac5b82ae431f2f354b7f8add91)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 11088abadf88c39dc87b9cb0d7b4fbfdbe8df810
      https://github.com/qemu/qemu/commit/11088abadf88c39dc87b9cb0d7b4fbfdbe8df810
  Author: Stefan Fritsch <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: Do not filter VLANs without F_CTRL_VLAN

If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.

This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).

Signed-off-by: Stefan Fritsch <address@hidden>
Signed-off-by: Amos Kong <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 0b1eaa8803e680de9a05727355dfe3d306b81e17)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7d09facec7d0b39bf1e8642ceb9a8a70f80919e6
      https://github.com/qemu/qemu/commit/7d09facec7d0b39bf1e8642ceb9a8a70f80919e6
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun

The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.

Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 38a55f30700346b8b53e52445eaaf6b0e579a17b
      https://github.com/qemu/qemu/commit/38a55f30700346b8b53e52445eaaf6b0e579a17b
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  hw/net/stellaris_enet: Correct handling of packet padding

The PADEN bit in the transmit control register enables padding of short
data packets out to the required minimum length. However a typo here
meant we were adjusting tx_fifo_len rather than tx_frame_len, so the
padding didn't actually happen. Fix this bug.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 7fd5f064d1c1a827a95ffe678418b3d5b8d2f108)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a8b7e73901487ed4f3e2794815945437585881af
      https://github.com/qemu/qemu/commit/a8b7e73901487ed4f3e2794815945437585881af
  Author: Kevin Wolf <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/039
    M tests/qemu-iotests/039.out

  Log Message:
  -----------
  qcow2: Flush metadata during read-only reopen

If lazy refcounts are enabled for a backing file, committing to this
backing file may leave it in a dirty state even if the commit succeeds.
The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush
refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare()
doesn't take care to flush metadata.

In order to fix this, this patch also fixes qcow2_mark_clean(), which
contains another ineffective bdrv_flush() call because lazy refcounts are
disabled only afterwards. All existing callers of qcow2_mark_clean()
either don't modify refcounts or already flush manually, so that this
fixes only a latent, but not yet actually triggerable bug.

Another instance of the same problem is live snapshots. Again, a real
corruption is prevented by an explicit flush for non-read-only images in
external_snapshot_prepare(), but images using lazy refcounts stay dirty.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 4c2e5f8f46a17966dc45b5a3e07b97434c0eabdf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3239a20294691eaaa81f41654e57fc9543234eee
      https://github.com/qemu/qemu/commit/3239a20294691eaaa81f41654e57fc9543234eee
  Author: Max Reitz <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  block-commit: speed is an optional parameter

As speed is an optional parameter for the QMP block-commit command, it
should be set to 0 if not given (as it is undefined if has_speed is
false), that is, the speed should not be limited.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 5450466394c95cea8b661fb197ed215a4ab5d700)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c5dae2f4c50ef848f224da718154af4438862cdb
      https://github.com/qemu/qemu/commit/c5dae2f4c50ef848f224da718154af4438862cdb
  Author: Benoît Canet <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: Correct improper smart self test counter reset in ide core.

The SMART self test counter was incorrectly being reset to zero,
not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
 * We would write off the beginning of a dynamically allocated buffer
 * We forgot the SMART history
Fix this.

Signed-off-by: Benoit Canet <address@hidden>
Message-id: address@hidden
Reviewed-by: Markus Armbruster <address@hidden>
Cc: address@hidden
Acked-by: Kevin Wolf <address@hidden>
[PMM: tweaked commit message as per suggestions from Markus]
Signed-off-by: Peter Maydell <address@hidden>

(cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5cfd43b79d4ceb3dd22f8503c53fdf337f8a1792
      https://github.com/qemu/qemu/commit/5cfd43b79d4ceb3dd22f8503c53fdf337f8a1792
  Author: Hannes Reinecke <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/scsi/megasas.c
    M hw/scsi/mfi.h
    M trace-events

  Log Message:
  -----------
  megasas: Implement LD_LIST_QUERY

Newer firmware implements an LD_LIST_QUERY command, and due to a driver
issue no drives might be detected if this command isn't supported.
So add emulation for this command, too.

Cc: address@hidden
Signed-off-by: Hannes Reinecke <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 34bb4d02e00e508fa9d111a6a31b45bbfecbdba5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0655eeed184d94dc55b6a5ea16a4d5d2ab188b23
      https://github.com/qemu/qemu/commit/0655eeed184d94dc55b6a5ea16a4d5d2ab188b23
  Author: Peter Crosthwaite <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M target-arm/translate.c

  Log Message:
  -----------
  arm: translate.c: Fix smlald Instruction

The smlald (and probably smlsld) instruction was doing incorrect sign
extensions of the operands amongst 64bit result calculation. The
instruction pseudo-code is:

 operand2 = if m_swap then ROR(R[m],16) else R[m];
 product1 = SInt(R[n]<15:0>) * SInt(operand2<15:0>);
 product2 = SInt(R[n]<31:16>) * SInt(operand2<31:16>);
 result = product1 + product2 + SInt(R[dHi]:R[dLo]);
 R[dHi] = result<63:32>;
 R[dLo] = result<31:0>;

The result calculation should be done in 64 bit arithmetic, and hence
product1 and product2 should be sign extended to 64b before calculation.

The current implementation was adding product1 and product2 together
then sign-extending the intermediate result leading to false negatives.

E.G. if product1 = product2 = 0x4000000, their sum = 0x80000000, which
will be incorrectly interpreted as -ve on sign extension.

We fix by doing the 64b extensions on both product1 and product2 before
any addition/subtraction happens.

We also fix where we were possibly incorrectly setting the Q saturation
flag for SMLSLD, which the ARM ARM specifically says is not set.

Reported-by: Christina Smith <address@hidden>
Signed-off-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 33bbd75a7c3321432fe40a8cbacd64619c56138c)
Signed-off-by: Michael Roth <address@hidden>
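The sign-extension point made in the smlald commit message above, as an added example that is not QEMU's translate.c code: a plain C rendering of the quoted pseudo-code in its buggy form (products summed in 32 bits, then sign-extended) and its fixed form (each product extended to 64 bits first), plus the SMLSLD variant that subtracts product2. The helper names (ror16, smlald_products, smlald_buggy, smlald_fixed, smlsld_fixed) are invented here, and the narrowing casts rely on two's-complement wrap as on every compiler QEMU targets.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ROR(R[m],16): rotate the second operand right by 16 bits (the m_swap case). */
static uint32_t ror16(uint32_t x)
{
    return (x >> 16) | (x << 16);
}

/* product1 and product2 exactly as the pseudo-code defines them: signed
 * 16x16 products of the low and of the high halfwords. Each product fits
 * in int32_t (worst case (-32768) * (-32768) = 0x40000000); it is only
 * their sum that can exceed 31 bits. */
static void smlald_products(uint32_t rn, uint32_t rm, bool m_swap,
                            int32_t *product1, int32_t *product2)
{
    uint32_t operand2 = m_swap ? ror16(rm) : rm;
    *product1 = (int32_t)(int16_t)(rn & 0xffffu) *
                (int32_t)(int16_t)(operand2 & 0xffffu);
    *product2 = (int32_t)(int16_t)(rn >> 16) *
                (int32_t)(int16_t)(operand2 >> 16);
}

/* Behaviour before the fix: add the products in 32 bits, then sign-extend
 * the (possibly wrapped) sum before accumulating into R[dHi]:R[dLo]. */
static uint64_t smlald_buggy(uint32_t rn, uint32_t rm, bool m_swap,
                             uint64_t acc)
{
    int32_t product1, product2;
    smlald_products(rn, rm, m_swap, &product1, &product2);
    /* The 32-bit wraparound is done on the unsigned type to keep it
     * well-defined C; the value is the same as the old 32-bit add. */
    uint32_t wrapped = (uint32_t)product1 + (uint32_t)product2;
    int64_t sum = (int64_t)(int32_t)wrapped;    /* sign-extends bit 31 */
    return acc + (uint64_t)sum;
}

/* Fixed behaviour: sign-extend each product to 64 bits first, so the sum
 * 0x40000000 + 0x40000000 stays the positive value 0x80000000. */
static uint64_t smlald_fixed(uint32_t rn, uint32_t rm, bool m_swap,
                             uint64_t acc)
{
    int32_t product1, product2;
    smlald_products(rn, rm, m_swap, &product1, &product2);
    int64_t sum = (int64_t)product1 + (int64_t)product2;
    return acc + (uint64_t)sum;
}

/* SMLSLD: same extension rule, but product2 is subtracted (and, as the
 * commit notes, the Q flag is never set for it). */
static uint64_t smlsld_fixed(uint32_t rn, uint32_t rm, bool m_swap,
                             uint64_t acc)
{
    int32_t product1, product2;
    smlald_products(rn, rm, m_swap, &product1, &product2);
    int64_t diff = (int64_t)product1 - (int64_t)product2;
    return acc + (uint64_t)diff;
}

int main(void)
{
    /* Constructed input: every halfword is -32768, so each product is
     * 0x40000000 and the correct 64-bit sum is 0x80000000. */
    uint32_t rn = 0x80008000u, rm = 0x80008000u;
    printf("buggy: 0x%016llx\n",
           (unsigned long long)smlald_buggy(rn, rm, false, 0));
    printf("fixed: 0x%016llx\n",
           (unsigned long long)smlald_fixed(rn, rm, false, 0));
    return 0;
}
```

With the constructed operands the buggy path yields 0xffffffff80000000 (the wrapped sum read as a negative number) while the fixed path yields 0x0000000080000000; for inputs whose product sum fits in 31 bits the two agree.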


  Commit: 792a40384f80264074266d62727c71f7765ceb0f
      https://github.com/qemu/qemu/commit/792a40384f80264074266d62727c71f7765ceb0f
  Author: Benoît Canet <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.

In 1.7.1 qcow2_create2 reopens the file for flushing without the
BDRV_O_NO_BACKING flags.

As a consequence the code would recursively open the whole backing chain.

These three stack arrays would pile up through the recursion and lead to a
coroutine stack overflow.

Convert these arrays to malloced buffers in order to streamline the coroutine
footprint.

Symptoms were freezes or segfaults on production machines while taking QMP
external snapshots. The overflow disturbed coroutine switching.

Signed-off-by: Benoit Canet <address@hidden>

*note: backport of upstream's 1ba4b6a

Signed-off-by: Michael Roth <address@hidden>


  Commit: b1a86eb532b4d32e4527a5373307873d95729aea
      https://github.com/qemu/qemu/commit/b1a86eb532b4d32e4527a5373307873d95729aea
  Author: Kevin Wolf <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M block.c
    M block/qcow2.c
    M block/vmdk.c

  Log Message:
  -----------
  block: Use BDRV_O_NO_BACKING where appropriate

If you open an image temporarily just because you want to check its size
or get it flushed, there's no real reason to open the whole backing file
chain.

This is a backport of c9fbb99d41b05acf0d7b93deb2fcdbf9047c238e to
qemu 1.7.1.

The backport was done to fix a bug where QEMU 1.7.1 would crash or freeze
when the user takes around 80 consecutive snapshots in a row.

git bisect would lead to commit: ba2ab2f2ca4150a7e314fbb19fa158bd8ddc36eb
and it was clear that BDRV_NO_BACKING was missing.

Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Benoit Canet <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: dd8f80b83c47ce6298a0a40a357d2ad738b0a0c2
      https://github.com/qemu/qemu/commit/dd8f80b83c47ce6298a0a40a357d2ad738b0a0c2
  Author: Thomas Huth <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M target-s390x/cpu.h
    M target-s390x/helper.c

  Log Message:
  -----------
  s390x/helper: Added format control bit to MMU translation

With the EDAT-1 facility, the MMU translation can stop at the
segment table already, pointing to a 1 MB block. And while we're
at it, move the page table entry handling to a separate function,
too, as suggested by Alexander Graf.

Acked-by: Alexander Graf <address@hidden>
Signed-off-by: Thomas Huth <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit c4400206d43b6a235299c7047cca0af93269fc03)

Conflicts:
        target-s390x/helper.c

*removed unnecessary context

Signed-off-by: Michael Roth <address@hidden>


  Commit: 012d778c07841409dd5ce31d6069b9dfbfa15453
      https://github.com/qemu/qemu/commit/012d778c07841409dd5ce31d6069b9dfbfa15453
  Author: David Hildenbrand <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M target-s390x/kvm.c

  Log Message:
  -----------
  s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG

This patch creates empty function stubs (used by the gdbserver) in preparation
for the hw debugging support by kvm on s390, which will enable the
__KVM_HAVE_GUEST_DEBUG define in the linux headers and require these methods on
the qemu side.

Signed-off-by: David Hildenbrand <address@hidden>
Signed-off-by: Jens Freimann <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 8c0124490bcd78c9c54139cd654c71c5fbd95e6b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1a6ea3105220c67ba22820ab9f5d5854680605d4
      https://github.com/qemu/qemu/commit/1a6ea3105220c67ba22820ab9f5d5854680605d4
  Author: Michael Tokarev <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M po/Makefile

  Log Message:
  -----------
  po/Makefile: fix $SRC_PATH reference

The rule for messages.po appears to be slightly wrong.
Move the `cd' command within parens.

Signed-off-by: Michael Tokarev <address@hidden>
Tested-by: Stefan Weil <address@hidden>
(cherry picked from commit b920cad6693d6f2baa0217543c9f9cca5ebaf6ce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 636fa8aec3dbe75504931147565823d740325046
      https://github.com/qemu/qemu/commit/636fa8aec3dbe75504931147565823d740325046
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/i386/acpi-build.c

  Log Message:
  -----------
  acpi: fix tables for no-hpet configuration

acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled.  If no tables follow hpet, this could lead to a malformed
rsdt.

Fix it up.

To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.

Reported-by: TeLeMan <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: address@hidden
(cherry picked from commit 9ac1c4c07e7e6ab16a3e2149e9b32c0d092cb3f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6bbbb937aa4e8e59480b026e50a202bcae7785e7
      https://github.com/qemu/qemu/commit/6bbbb937aa4e8e59480b026e50a202bcae7785e7
  Author: Dmitry Fleytman <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  vmxnet3: validate interrupt indices coming from guest

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 8c6c0478996e8f77374e69b6df68655b0b4ba689)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ed995c6c2fd065b9a01169e0824c4d12f5ef1e20
      https://github.com/qemu/qemu/commit/ed995c6c2fd065b9a01169e0824c4d12f5ef1e20
  Author: Dmitry Fleytman <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  vmxnet3: validate queues configuration coming from guest

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 9878d173f574df74bde0ff50b2f81009fbee81bb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 709cc0434514d7bd243ce96bc9744584a9b29ff4
      https://github.com/qemu/qemu/commit/709cc0434514d7bd243ce96bc9744584a9b29ff4
  Author: Dmitry Fleytman <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  vmxnet3: validate interrupt indices read on migration

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 3c99afc779c2c78718a565ad8c5e98de7c2c7484)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f93614c93633caf4181e9f8281ae6be4f2f543c8
      https://github.com/qemu/qemu/commit/f93614c93633caf4181e9f8281ae6be4f2f543c8
  Author: Dmitry Fleytman <address@hidden>
  Date:   2014-06-25 (Wed, 25 Jun 2014)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  vmxnet3: validate queues configuration read on migration

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit f12d048a523780dbda702027d4a91b62af1a08d7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 25062a7521bd8499277e8453517112853faac57c
      https://github.com/qemu/qemu/commit/25062a7521bd8499277e8453517112853faac57c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M savevm.c

  Log Message:
  -----------
  vmstate: reduce code duplication

Move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 35fc1f71899fd42323bd8f33da18f0211e0d2727)

Conflicts:
        vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <address@hidden>


  Commit: a075a3a27e97c1f1f7cf924f6d48827644229581
      https://github.com/qemu/qemu/commit/a075a3a27e97c1f1f7cf924f6d48827644229581
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M include/migration/vmstate.h
    M savevm.c

  Log Message:
  -----------
  vmstate: add VMS_MUST_EXIST

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)

Conflicts:
        vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <address@hidden>


  Commit: 29e2bbef19a9593eb20fd2286f38f1a90c0fdefd
      https://github.com/qemu/qemu/commit/29e2bbef19a9593eb20fd2286f38f1a90c0fdefd
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M include/migration/vmstate.h

  Log Message:
  -----------
  vmstate: add VMSTATE_VALIDATE

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 95f118fa825416f8791d5f93614f9e766afffa79
      
https://github.com/qemu/qemu/commit/95f118fa825416f8791d5f93614f9e766afffa79
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M include/hw/virtio/virtio-net.h

  Log Message:
  -----------
  virtio-net: fix buffer overflow on invalid state load

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
Signed-off-by: Michael Roth <address@hidden>
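The signedness problem the message above walks through, as an added example (not QEMU's code): a stand-in for the mac_table load in virtio_net_load() that takes a constructed savevm byte stream and reports whether the bounds check passes and what byte count would reach qemu_get_buffer(), before and after making in_use unsigned. The Stream type, run_case() and MAC_TABLE_ENTRIES = 64 are assumptions of this example.

```c
/* Added example, not QEMU code: models the CVE-2013-4148 check in
 * virtio_net_load() against a constructed byte stream.  MAC_TABLE_ENTRIES
 * is assumed to be 64; ETH_ALEN is 6 as in the commit message. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <inttypes.h>
#include <stdio.h>

#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

/* Minimal stand-in for QEMUFile: a byte buffer with a read cursor. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} Stream;

/* qemu_get_be32 equivalent: big-endian 32-bit read; returns 0 past end. */
static uint32_t get_be32(Stream *s)
{
    if (s->pos + 4 > s->len) {
        s->pos = s->len;
        return 0;
    }
    uint32_t v = ((uint32_t)s->data[s->pos] << 24) |
                 ((uint32_t)s->data[s->pos + 1] << 16) |
                 ((uint32_t)s->data[s->pos + 2] << 8) |
                 (uint32_t)s->data[s->pos + 3];
    s->pos += 4;
    return v;
}

/* Pre-fix layout: in_use is a signed int, as in the buggy code. */
typedef struct {
    int in_use;
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
} MacTableSigned;

/* Post-fix layout: in_use is unsigned, as the commit makes it. */
typedef struct {
    uint32_t in_use;
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
} MacTableUnsigned;

/* What a load attempt would do: did the bounds test pass, and how many
 * bytes would qemu_get_buffer() be asked to copy into macs[]. */
typedef struct {
    bool check_passed;
    uint32_t copy_len;
} LoadResult;

/* Buggy logic: the 32-bit wire value lands in a signed int, so 0x81000000
 * becomes negative, satisfies "<= MAC_TABLE_ENTRIES", and the multiply
 * wraps to a large positive count.  Nothing is copied here; the function
 * only reports what the original code would do. */
LoadResult load_mac_table_signed(Stream *s)
{
    MacTableSigned t;
    LoadResult r = { false, 0 };
    t.in_use = (int)get_be32(s);        /* implicit conversion in the original */
    if (t.in_use <= MAC_TABLE_ENTRIES) {
        r.check_passed = true;
        /* Done in uint32_t to show the 32-bit wraparound without signed
         * overflow UB; the original computes int * int. */
        r.copy_len = (uint32_t)t.in_use * ETH_ALEN;
    }
    return r;
}

/* Fixed logic: with in_use unsigned, any value above the table size fails
 * the comparison, so copy_len is always <= sizeof(t.macs). */
LoadResult load_mac_table_unsigned(Stream *s)
{
    MacTableUnsigned t;
    LoadResult r = { false, 0 };
    t.in_use = get_be32(s);
    if (t.in_use <= MAC_TABLE_ENTRIES) {
        r.check_passed = true;
        r.copy_len = t.in_use * ETH_ALEN;
    }
    return r;
}

/* Helper: build a one-word stream holding wire_value and run either path. */
LoadResult run_case(uint32_t wire_value, bool fixed)
{
    uint8_t buf[4] = { (uint8_t)(wire_value >> 24), (uint8_t)(wire_value >> 16),
                       (uint8_t)(wire_value >> 8), (uint8_t)wire_value };
    Stream s = { buf, sizeof buf, 0 };
    return fixed ? load_mac_table_unsigned(&s) : load_mac_table_signed(&s);
}

int main(void)
{
    LoadResult bad = run_case(0x81000000u, false);
    LoadResult good = run_case(0x81000000u, true);
    printf("signed:   check=%d copy_len=%" PRIu32 " (macs[] is %zu bytes)\n",
           bad.check_passed, bad.copy_len, (size_t)MAC_TABLE_ENTRIES * ETH_ALEN);
    printf("unsigned: check=%d copy_len=%" PRIu32 "\n",
           good.check_passed, good.copy_len);
    return 0;
}
```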


  Commit: 2b15f410bd2c333add4db2e7c96f457cdac3d149
      
https://github.com/qemu/qemu/commit/2b15f410bd2c333add4db2e7c96f457cdac3d149
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on invalid state load

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7b6444a2e4f5e777d05142277c842a3f3465beb3
      
https://github.com/qemu/qemu/commit/7b6444a2e4f5e777d05142277c842a3f3465beb3
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5544b7e419fd47f6ad4552d30189e3a922acdfb1
      
https://github.com/qemu/qemu/commit/5544b7e419fd47f6ad4552d30189e3a922acdfb1
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: out-of-bounds buffer write on invalid state load

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
address@hidden/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d34e6f796097bd46d1bf8b26916df757d54aba03
      
https://github.com/qemu/qemu/commit/d34e6f796097bd46d1bf8b26916df757d54aba03
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d8aba740f274514bdda2a240f8b881f8d928f5cd
      
https://github.com/qemu/qemu/commit/d8aba740f274514bdda2a240f8b881f8d928f5cd
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/timer/hpet.c

  Log Message:
  -----------
  hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e83444f71eb48d18c7bcf3616846a6c2f9575f5c
      
https://github.com/qemu/qemu/commit/e83444f71eb48d18c7bcf3616846a6c2f9575f5c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/pci/pcie_aer.c

  Log Message:
  -----------
  hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
               too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f217f379a8ce520cce1e905c33660ca5a7ecad1c
      
https://github.com/qemu/qemu/commit/f217f379a8ce520cce1e905c33660ca5a7ecad1c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/ssi/pl022.c

  Log Message:
  -----------
  pl022: fix buffer overrun on invalid state load

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <address@hidden>
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a2b4e846b350f78fcb737195a40c5900923d5be8
      
https://github.com/qemu/qemu/commit/a2b4e846b350f78fcb737195a40c5900923d5be8
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M savevm.c

  Log Message:
  -----------
  Fix vmstate_info_int32_le comparison/assign

Fix comparison of vmstate_info_int32_le so that it succeeds if loaded
value is (l)ess than or (e)qual

When the comparison succeeds, assign the value loaded
  This is a change in behaviour but I think the original intent, since
  the idea is to check if the version/size of the thing you're loading is
  less than some limit, but you might well want to do something based on
  the actual version/size in the file

Fix up comment and name text

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 24a370ef2351dc596a7e47508b952ddfba79ef94)

Conflicts:
        vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <address@hidden>


  Commit: 630ebeffb4a08f85db748b6908339a60fc213cae
      
https://github.com/qemu/qemu/commit/630ebeffb4a08f85db748b6908339a60fc213cae
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M savevm.c

  Log Message:
  -----------
  vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to validate the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)

Conflicts:
        vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <address@hidden>
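The two vmstate_info_int32_le changes above (accept only a loaded value less than or equal to the current one and adopt it; then, for CVE-2013-4531, also require it to be non-negative), as an added example that is not QEMU's code. It pairs each getter with a small VARRAY-style loader so the effect of a negative length is visible: the unchecked getter lets the load "succeed" while leaving a negative element count in state. The Stream format, CPREG_MAX, the getter names and run_len_case() are constructed for this example.

```c
/* Added example, not QEMU code: stand-ins for the vmstate_info_int32_le
 * get() hook before and after the fixes above, plus a length-prefixed
 * array loader that consumes the validated length. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

#define CPREG_MAX 4   /* constructed capacity of the destination array */

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} Stream;

/* Big-endian signed 32-bit read (stand-in for qemu_get_sbe32s). */
static bool get_sbe32(Stream *s, int32_t *out)
{
    if (s->pos + 4 > s->len) {
        return false;
    }
    uint32_t v = ((uint32_t)s->data[s->pos] << 24) |
                 ((uint32_t)s->data[s->pos + 1] << 16) |
                 ((uint32_t)s->data[s->pos + 2] << 8) |
                 (uint32_t)s->data[s->pos + 3];
    s->pos += 4;
    *out = (int32_t)v;   /* two's complement reinterpretation */
    return true;
}

/* Before the CVE-2013-4531 fix: only an upper bound, so a negative loaded
 * value passes and is stored. */
int get_int32_le_unchecked(Stream *s, int32_t *cur)
{
    int32_t loaded;
    if (!get_sbe32(s, &loaded)) {
        return -EINVAL;
    }
    if (loaded <= *cur) {
        *cur = loaded;
        return 0;
    }
    return -EINVAL;
}

/* After the fix (later renamed VMSTATE_INT32_POSITIVE_LE): the loaded
 * value must be non-negative as well as <= the current value. */
int get_int32_positive_le(Stream *s, int32_t *cur)
{
    int32_t loaded;
    if (!get_sbe32(s, &loaded)) {
        return -EINVAL;
    }
    if (loaded >= 0 && loaded <= *cur) {
        *cur = loaded;
        return 0;
    }
    return -EINVAL;
}

typedef int (*LenGetter)(Stream *, int32_t *);

/* VARRAY_INT32-style load: the length is read through the getter with the
 * destination capacity as the limit, then that many elements are read.
 * Returns 0 on success, -EINVAL if a read or a check fails. */
int load_varray(Stream *s, LenGetter get_len, uint32_t *dst, int32_t *len)
{
    *len = CPREG_MAX;
    int ret = get_len(s, len);
    if (ret != 0) {
        return ret;
    }
    for (int32_t i = 0; i < *len; i++) {
        int32_t v;
        if (!get_sbe32(s, &v)) {
            return -EINVAL;
        }
        dst[i] = (uint32_t)v;
    }
    return 0;
}

typedef struct {
    int ret;      /* load_varray() result */
    int32_t len;  /* element count left in state afterwards */
} LenCase;

/* Helper: constructed stream of a length word followed by CPREG_MAX
 * elements (10, 20, 30, 40), loaded through the chosen getter. */
LenCase run_len_case(int32_t wire_len, bool fixed)
{
    uint32_t words[1 + CPREG_MAX] = { (uint32_t)wire_len, 10, 20, 30, 40 };
    uint8_t buf[4 * (1 + CPREG_MAX)];
    for (size_t i = 0; i < 1 + CPREG_MAX; i++) {
        buf[4 * i]     = (uint8_t)(words[i] >> 24);
        buf[4 * i + 1] = (uint8_t)(words[i] >> 16);
        buf[4 * i + 2] = (uint8_t)(words[i] >> 8);
        buf[4 * i + 3] = (uint8_t)words[i];
    }
    Stream s = { buf, sizeof buf, 0 };
    uint32_t dst[CPREG_MAX] = { 0 };
    LenCase c = { 0, 0 };
    c.ret = load_varray(&s, fixed ? get_int32_positive_le : get_int32_le_unchecked,
                        dst, &c.len);
    return c;
}

int main(void)
{
    LenCase a = run_len_case(-1, false);
    LenCase b = run_len_case(-1, true);
    printf("unchecked:   ret=%d len=%d (load succeeds with a negative count)\n",
           a.ret, a.len);
    printf("positive_le: ret=%d (rejected)\n", b.ret);
    return 0;
}
```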


  Commit: 8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1
      
https://github.com/qemu/qemu/commit/8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1
  Author: Michael Roth <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: avoid buffer overrun on incoming migration

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 609f5bf6fecb78ada914b88598ae8ba43e304e36
      
https://github.com/qemu/qemu/commit/609f5bf6fecb78ada914b88598ae8ba43e304e36
  Author: Michael Roth <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/intc/openpic.c

  Log Message:
  -----------
  openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 68801b7be1ddabe3495f68145b1202049b1486c2
      
https://github.com/qemu/qemu/commit/68801b7be1ddabe3495f68145b1202049b1486c2
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate num_sg when mapping

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indices beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: Amit Shah <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d92a7683e8cc4d3daab1ae9197f9311a72c9d1e6
      
https://github.com/qemu/qemu/commit/d92a7683e8cc4d3daab1ae9197f9311a72c9d1e6
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/arm/pxa2xx.c

  Log Message:
  -----------
  pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <address@hidden>
Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Don Koch <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 45edb0ca7a8a527ecf9fb36180df4b9664a9227c
      
https://github.com/qemu/qemu/commit/45edb0ca7a8a527ecf9fb36180df4b9664a9227c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/sd/ssi-sd.c

  Log Message:
  -----------
  ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: af443645c3383f26a309d200413649ecac9ac58f
      
https://github.com/qemu/qemu/commit/af443645c3383f26a309d200413649ecac9ac58f
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/display/ssd0323.c

  Log Message:
  -----------
  ssd0323: fix buffer overrun on invalid state load

CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indices into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c75e43b871fb0a777ae1101a26a42ea213f7aff6
      
https://github.com/qemu/qemu/commit/c75e43b871fb0a777ae1101a26a42ea213f7aff6
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/input/tsc210x.c

  Log Message:
  -----------
  tsc210x: fix buffer overrun on invalid state load

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8d948a000d4963fe5ef20ba8478a0119b659c4ad
      
https://github.com/qemu/qemu/commit/8d948a000d4963fe5ef20ba8478a0119b659c4ad
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/gpio/zaurus.c

  Log Message:
  -----------
  zaurus: fix buffer overrun on invalid state load

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a7fcb4c5e0ef930e102efba44cb04a8d8182b321
      
https://github.com/qemu/qemu/commit/a7fcb4c5e0ef930e102efba44cb04a8d8182b321
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0776525e77ac1c2e1b7a45ecde1597bb0f460877
      
https://github.com/qemu/qemu/commit/0776525e77ac1c2e1b7a45ecde1597bb0f460877
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/pci/pci.c
    M include/migration/vmstate.h
    M target-arm/machine.c

  Log Message:
  -----------
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/

As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c4bd2e4cb0550fd83321029b9ae7582073fcac67
      
https://github.com/qemu/qemu/commit/c4bd2e4cb0550fd83321029b9ae7582073fcac67
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/usb/bus.c

  Log Message:
  -----------
  usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7abee6c9883f242b680736b4d9c730b1556498e5
      
https://github.com/qemu/qemu/commit/7abee6c9883f242b680736b4d9c730b1556498e5
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M docs/migration.txt
    M savevm.c

  Log Message:
  -----------
  savevm: Ignore minimum_version_id_old if there is no load_state_old

At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.

Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 767adce2d9cd397de3418caa16be35ea18d56f22)

Conflicts:
        vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <address@hidden>


  Commit: 2003205fd2799fdeebe56a6c700d34555d114142
      
https://github.com/qemu/qemu/commit/2003205fd2799fdeebe56a6c700d34555d114142
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 73d8965bcc7cdec00dae7912f98f0db30bd1ba1b
      
https://github.com/qemu/qemu/commit/73d8965bcc7cdec00dae7912f98f0db30bd1ba1b
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  stellaris_enet: block migration

Incoming migration with stellaris_enet is unsafe.
It's being reworked, but for now, simply block it
since no one is using it anyway.
Block outgoing migration for good measure.

CVE-2013-4532

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3c1162e47121d4f511cc55bc9ffdd425d172f6f8
      
https://github.com/qemu/qemu/commit/3c1162e47121d4f511cc55bc9ffdd425d172f6f8
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M target-i386/cpu.c
    M target-i386/cpu.h

  Log Message:
  -----------
  target-i386: fix set of registers zeroed on reset

BND0-3, BNDCFGU, BNDCFGS, BNDSTATUS were not zeroed on reset, but they
should be (Intel Instruction Set Extensions Programming Reference
319433-015, pages 9-4 and 9-6).  Same for YMM.

XCR0 should be reset to 1.

TSC and TSC_RESET were zeroed already by the memset, remove the explicit
assignments.

Cc: Andreas Faerber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 05e7e819d7d159a75a46354aead95e1199b8f168)

Conflicts:
        target-i386/cpu.c
        target-i386/cpu.h

*removed dependency on 79e9ebeb

Signed-off-by: Michael Roth <address@hidden>


  Commit: 7c569521833786a502ca0861e2f7885d2e2e3428
      
https://github.com/qemu/qemu/commit/7c569521833786a502ca0861e2f7885d2e2e3428
  Author: Edgar E. Iglesias <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M target-arm/helper.c

  Log Message:
  -----------
  target-arm: Make vbar_write 64bit friendly on 32bit hosts

Signed-off-by: Edgar E. Iglesias <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit fed3ffb9f157f33bc9b2b1c3ef68e710ee6b7b4b)

Conflicts:
        target-arm/helper.c

Signed-off-by: Michael Roth <address@hidden>


  Commit: f6de3526a0c853c22c55e7087e4c7d04e408bf2c
      
https://github.com/qemu/qemu/commit/f6de3526a0c853c22c55e7087e4c7d04e408bf2c
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Fix incorrect ARM HWCAP bits

The ELF HWCAP bits for ARM features THUMBEE, NEON, VFPv3 and VFPv3D16 are
all off by one compared to the kernel definitions. Fix this discrepancy
and add in the missing CRUNCH bit which was the cause of the off-by-one
error. (We don't emulate any of the CPUs which have that weird hardware,
so it's otherwise uninteresting to us.)

Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 43ce393ee5f7b96d2ac22fedc40d6b6fb3f65a3e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 64b210d4d570602ac232337c295d87e8188104ed
      
https://github.com/qemu/qemu/commit/64b210d4d570602ac232337c295d87e8188104ed
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Update ARM HWCAP bits

The kernel has added support for a number of new ARM HWCAP bits;
add them to QEMU, including support for setting them where we have
a corresponding CPU feature bit.

We were also incorrectly setting the VFPv3D16 HWCAP -- this means
"only 16 D registers", not "supports 16-bit floating point format";
since QEMU always has 32 D registers for VFPv3, we can just remove
the line that incorrectly set this bit.

The kernel does not set the HWCAP_FPA even if it is providing FPA
emulation via nwfpe, so don't set this bit in QEMU either.

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 24682654654a2e7b50afc27880f4098e5fca3742)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b6760b6203cb22ce6343c947a1dc14d61d1f1619
      
https://github.com/qemu/qemu/commit/b6760b6203cb22ce6343c947a1dc14d61d1f1619
  Author: Peter Maydell <address@hidden>
  Date:   2014-06-26 (Thu, 26 Jun 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32

The ARM target-specific code in elfload.c was incorrectly allowing
the 64-bit ARM target to use most of the existing 32-bit definitions:
most noticeably this meant that our HWCAP bits passed to the guest
were wrong, and register handling when dumping core was totally
broken. Fix this by properly separating the 64 and 32 bit code,
since they have more differences than similarities.

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 24e76ff06bcd0936ee8b04b15dca42efb7d614d1)

Conflicts:
        linux-user/elfload.c

Signed-off-by: Michael Roth <address@hidden>


  Commit: 74dd27cecb97a97a53f95094981eceb9cbd3b2f2
      
https://github.com/qemu/qemu/commit/74dd27cecb97a97a53f95094981eceb9cbd3b2f2
  Author: Alexey Kardashevskiy <address@hidden>
  Date:   2014-06-29 (Sun, 29 Jun 2014)

  Changed paths:
    M hw/ppc/spapr_pci.c

  Log Message:
  -----------
  spapr_pci: Fix number of returned vectors in ibm, change-msi

Current guest kernels try allocating as many vectors as the quota is.
For example, in the case of virtio-net (which has just 3 vectors)
the guest requests 4 vectors (that is the quota in the test) and
the existing ibm,change-msi handler returns 4. But before it returns,
it calls msix_set_message() in a loop and corrupts memory behind
the end of msix_table.

This limits the number of vectors returned by ibm,change-msi to
the maximum supported by the actual device.

Signed-off-by: Alexey Kardashevskiy <address@hidden>
Cc: address@hidden
[agraf: squash in bugfix from aik]
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit b26696b519f853c9844e5154858e583600ee3cdc)

*s/error_report/fprintf/ to reflect v1.7.x error reporting style

Signed-off-by: Michael Roth <address@hidden>


  Commit: 9fbc298a478656dce0f9f25f1ea98e406cac3016
      
https://github.com/qemu/qemu/commit/9fbc298a478656dce0f9f25f1ea98e406cac3016
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M hw/i386/kvm/pci-assign.c

  Log Message:
  -----------
  pci-assign: limit # of msix vectors

KVM only supports MSIX table size up to 256 vectors,
but some assigned devices support more vectors,
at the moment attempts to assign them fail with EINVAL.

Tweak the MSIX capability exposed to guest to limit table size
to a supported value.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Tested-by: Gonglei <address@hidden>
Cc: address@hidden
Acked-by: Alex Williamson <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 639973a4740f38789057744b550df3a175bc49ad)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 84321ba2b6412bc507d8b3df3ed53cb5e2861193
      
https://github.com/qemu/qemu/commit/84321ba2b6412bc507d8b3df3ed53cb5e2861193
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: allow mapping up to max queue size

It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.

Not a big problem in practice as people don't use
such big queues, but it's inelegant.

Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3102b1a2211eb64b296326fd593b1dec309de6d0
      
https://github.com/qemu/qemu/commit/3102b1a2211eb64b296326fd593b1dec309de6d0
  Author: ChenLiang <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  migration: remove duplicate code

version_id is checked twice in ram_load.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 21a246a43b606ee833f907d589d8dcbb54a2761e)

*prereq for db80fac backport
Signed-off-by: Michael Roth <address@hidden>


  Commit: 69b7aacc013ce99fe0c945c40c614228ce604a83
      
https://github.com/qemu/qemu/commit/69b7aacc013ce99fe0c945c40c614228ce604a83
  Author: Peter Lieven <address@hidden>
  Date:   2014-07-01 (Tue, 01 Jul 2014)

  Changed paths:
    M arch_init.c
    M migration.c

  Log Message:
  -----------
  migration: catch unknown flags in ram_load

If a saved vm has unknown flags in the memory data, qemu
currently simply ignores this flag and continues, which
yields an unpredictable result.

This patch catches all unknown flags and aborts the
loading of the vm. Additionally error reports are thrown
if the migration aborts abnormally.

Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit db80facefa62dff42bb50c73b0f03eda5f732b49)

Conflicts:
        arch_init.c

*removed unnecessary context from 4798fe55

Signed-off-by: Michael Roth <address@hidden>


  Commit: 95139b786a510a52d4488a57dba068f3e4658c35
      
https://github.com/qemu/qemu/commit/95139b786a510a52d4488a57dba068f3e4658c35
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M tests/qemu-iotests/common
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  qemu-iotests: add ./check -cloop support

Add the cloop block driver to qemu-iotests.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 47f73da0a7d36e399eaa353d93afce90de9b599d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 46c5cacbb43ff3129e4cde352ed5e1e47f69757a
      
https://github.com/qemu/qemu/commit/46c5cacbb43ff3129e4cde352ed5e1e47f69757a
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    A tests/qemu-iotests/075
    A tests/qemu-iotests/075.out
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

  Log Message:
  -----------
  qemu-iotests: add cloop input validation tests

Add a cloop format-specific test case.  Later patches add tests for
input validation to the script.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 05560fcebb1528f4354f6f24d1eb8cdbcdf2c4b2)

Conflicts:
        tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <address@hidden>


  Commit: 1f6bda93015b6842d37343acda0c93986e78e842
      
https://github.com/qemu/qemu/commit/1f6bda93015b6842d37343acda0c93986e78e842
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: validate block_size header field (CVE-2014-0144)

Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value.  Also enforce the
assumption that the value is a non-zero multiple of 512.

These constraints conform to cloop 2.639's code so we accept existing
image files.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d65f97a82c4ed48374a764c769d4ba1ea9724e97)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d723971b5d0c22c5c8bd1b8bdba94bc17cc8f36d
      
https://github.com/qemu/qemu/commit/d723971b5d0c22c5c8bd1b8bdba94bc17cc8f36d
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)

The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:

    uint32_t n_blocks, offsets_size;
    [...]
    ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
    [...]
    s->n_blocks = be32_to_cpu(s->n_blocks);

    /* read offsets */
    offsets_size = s->n_blocks * sizeof(uint64_t);
    s->offsets = g_malloc(offsets_size);

    [...]

    for(i=0;i<s->n_blocks;i++) {
        s->offsets[i] = be64_to_cpu(s->offsets[i]);

offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.

This patch refuses to open files if offsets_size would overflow.

Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 509a41bab5306181044b5fff02eadf96d9c8676a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7dcffbb2bfcb38c98cff911cd002c09e9326e3cc
      
https://github.com/qemu/qemu/commit/7dcffbb2bfcb38c98cff911cd002c09e9326e3cc
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)

Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0fda3e2d639fee7c3262485c48c3b5fd6c9b4114
      
https://github.com/qemu/qemu/commit/0fda3e2d639fee7c3262485c48c3b5fd6c9b4114
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: refuse images with bogus offsets (CVE-2014-0144)

The offsets[] array allows efficient seeking and tells us the maximum
compressed data size.  If the offsets are bogus the maximum compressed
data size will be unrealistic.

This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway.  Therefore we should refuse such images.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f56b9bc3ae20fc93815b34aa022be919941406ce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dbd3e4a75cddbd99be51d1af5b26a5f3f6a134c2
      
https://github.com/qemu/qemu/commit/dbd3e4a75cddbd99be51d1af5b26a5f3f6a134c2
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/cloop.c
    M tests/qemu-iotests/075
    M tests/qemu-iotests/075.out

  Log Message:
  -----------
  block/cloop: fix offsets[] size off-by-one

cloop stores the number of compressed blocks in the n_blocks header
field.  The file actually contains n_blocks + 1 offsets, where the extra
offset is the end-of-file offset.

The following line in cloop_read_block() results in an out-of-bounds
offsets[] access:

    uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];

This patch allocates and loads the extra offset so that
cloop_read_block() works correctly when the last block is accessed.

Notice that we must free s->offsets[] unconditionally now since there is
always an end-of-file offset.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 42d43d35d907579179a39c924d169da924786f65)
Signed-off-by: Michael Roth <address@hidden>
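The header checks that the five block/cloop commits above describe (block_size validation, the offsets_size integer overflow, the 512 MB offsets limit, the bogus-offsets check, and the n_blocks + 1 off-by-one), written out as one added C example that is not block/cloop.c: it validates a constructed in-memory image and reports why it rejects bad ones. It assumes the header layout given in the comment and a 256 MB block_size cap; the error codes, helper names and sample offsets are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed layout (consistent with the "128 + 4" read quoted in the commit):
 * 128-byte preamble, big-endian block_size at 128 and n_blocks at 132, then
 * n_blocks + 1 big-endian 64-bit offsets starting at byte 136. */
#define CLOOP_HDR_LEN        136u
#define CLOOP_MAX_BLOCK_SIZE (256u * 1024u * 1024u)  /* assumed sanity cap */
#define CLOOP_MAX_OFFSETS    (512u * 1024u * 1024u)  /* 512 MB, per the commit */

enum cloop_err {
    CLOOP_OK = 0, CLOOP_EBLOCKSIZE = -1, CLOOP_EOVERFLOW = -2,
    CLOOP_ETOOBIG = -3, CLOOP_ETRUNC = -4, CLOOP_EOFFSETS = -5
};

struct cloop_image {
    uint32_t block_size, n_blocks;
    uint64_t *offsets;  /* n_blocks + 1 entries; the last is end-of-file */
};

/* big-endian load and store helpers (constructed for this example) */
static uint64_t rd_be(const uint8_t *p, int n)
{ uint64_t v = 0; while (n--) v = (v << 8) | *p++; return v; }
static void wr_be(uint8_t *p, uint64_t v, int n)
{ while (n--) { p[n] = (uint8_t)v; v >>= 8; } }

/* Validate the header of an in-memory image and load its offsets array. */
int cloop_open(const uint8_t *img, size_t len, struct cloop_image *c)
{
    uint64_t offsets_size; uint32_t i;
    c->offsets = NULL;
    if (len < CLOOP_HDR_LEN) return CLOOP_ETRUNC;
    c->block_size = (uint32_t)rd_be(img + 128, 4);
    c->n_blocks = (uint32_t)rd_be(img + 132, 4);
    /* CVE-2014-0144: block_size bounds the uncompressed buffer allocation */
    if (c->block_size == 0 || c->block_size % 512 != 0 ||
        c->block_size > CLOOP_MAX_BLOCK_SIZE) return CLOOP_EBLOCKSIZE;
    /* CVE-2014-0143: multiply in 64 bits and refuse anything a uint32_t
     * offsets_size would wrap; "+ 1" is the end-of-file offset (off-by-one) */
    offsets_size = ((uint64_t)c->n_blocks + 1) * sizeof(uint64_t);
    if (offsets_size > UINT32_MAX) return CLOOP_EOVERFLOW;
    if (offsets_size > CLOOP_MAX_OFFSETS) return CLOOP_ETOOBIG;
    if (len - CLOOP_HDR_LEN < offsets_size) return CLOOP_ETRUNC;
    c->offsets = malloc((size_t)offsets_size);
    if (!c->offsets) return CLOOP_ETOOBIG;
    for (i = 0; i <= c->n_blocks; i++)
        c->offsets[i] = rd_be(img + CLOOP_HDR_LEN + (size_t)i * 8, 8);
    /* Bogus offsets: must be monotonic and end inside the file, so every
     * compressed block size is bounded by the file length */
    for (i = 0; i < c->n_blocks; i++)
        if (c->offsets[i + 1] < c->offsets[i]) goto bad;
    if (c->offsets[c->n_blocks] <= len) return CLOOP_OK;
bad:
    free(c->offsets);
    c->offsets = NULL;
    return CLOOP_EOFFSETS;
}

/* Compressed size of block n; offsets[n + 1] is in bounds for every valid n */
int cloop_block_len(const struct cloop_image *c, uint32_t n, uint64_t *bytes)
{
    if (n >= c->n_blocks) return CLOOP_EOFFSETS;
    *bytes = c->offsets[n + 1] - c->offsets[n];
    return CLOOP_OK;
}

/* Build a constructed image of `total` bytes (payload zero-filled), open it,
 * and return the parser's error, or on success the compressed size of the
 * last block (the access the off-by-one fix made safe); -99 if bounds misbehave */
long try_image(size_t total, uint32_t bs, uint32_t nb,
               const uint64_t *offs, uint32_t n_offs)
{
    struct cloop_image c;
    uint8_t *buf = calloc(total, 1);
    uint64_t bytes = 0;
    uint32_t i; long ret;
    if (!buf) return -99;
    wr_be(buf + 128, bs, 4);
    wr_be(buf + 132, nb, 4);
    for (i = 0; i < n_offs && CLOOP_HDR_LEN + (size_t)i * 8 + 8 <= total; i++)
        wr_be(buf + CLOOP_HDR_LEN + (size_t)i * 8, offs[i], 8);
    ret = cloop_open(buf, total, &c);
    if (ret == CLOOP_OK)  /* block n_blocks - 1 must work, n_blocks must not */
        ret = (cloop_block_len(&c, nb - 1, &bytes) == CLOOP_OK &&
               cloop_block_len(&c, nb, &bytes) != CLOOP_OK) ? (long)bytes : -99;
    free(c.offsets);
    free(buf);
    return ret;
}

/* Constructed samples: two 512-byte blocks, compressed to 100 and 36 bytes */
static const uint64_t good_offs[] = { 160, 260, 296 };
static const uint64_t bad_offs[] = { 160, 100, 296 };  /* runs backwards */

long example_valid(void)     { return try_image(296, 512, 2, good_offs, 3); }
long example_blocksize(void) { return try_image(296, 513, 2, good_offs, 3); }
long example_overflow(void)  { return try_image(296, 512, 0x40000000u, NULL, 0); }
long example_toobig(void)    { return try_image(296, 512, 0x08000000u, NULL, 0); }
long example_truncated(void) { return try_image(140, 512, 2, good_offs, 3); }
long example_bogus(void)     { return try_image(296, 512, 2, bad_offs, 3); }
```

With a 32-bit offsets_size the overflow sample (n_blocks = 0x40000000) would have wrapped to a tiny allocation that the byteswap loop then overran; the 64-bit computation rejects it before any allocation.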


  Commit: ae9b5df87713688150e187a85cc67568b6c4ad73
      
https://github.com/qemu/qemu/commit/ae9b5df87713688150e187a85cc67568b6c4ad73
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    A tests/qemu-iotests/078
    A tests/qemu-iotests/078.out
    M tests/qemu-iotests/common
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/empty.bochs.bz2

  Log Message:
  -----------
  qemu-iotests: Support for bochs format

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 24f3078a049c52070adfc659fc3a1a71a11a7765)

Conflicts:
        tests/qemu-iotests/group

*fix context mismatches in group file

Signed-off-by: Michael Roth <address@hidden>


  Commit: bb8b2018154f300b2fce9dc01e97d59caf0e2ed7
      
https://github.com/qemu/qemu/commit/bb8b2018154f300b2fce9dc01e97d59caf0e2ed7
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/bochs.c

  Log Message:
  -----------
  bochs: Unify header structs and make them QEMU_PACKED

This is an on-disk structure, so offsets must be accurate.

Before this patch, sizeof(bochs) != sizeof(header_v1), which makes the
memcpy() between both invalid. We're lucky enough that the destination
buffer happened to be the larger one, and the memcpy size to be taken
from the smaller one, so we didn't get a buffer overflow in practice.

This patch unifies both structures, eliminating the need to do a
memcpy in the first place. The common fields are extracted to the top
level of the struct and the actually differing part gets a union of the
two versions.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0e748624bd2261e7589b40b31413d62dc841957a
      
https://github.com/qemu/qemu/commit/0e748624bd2261e7589b40b31413d62dc841957a
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)

Gets rid of integer overflows resulting in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 246f65838d19db6db55bfb41117c35645a2c4789)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6b94cfeca8f9727ae6de41f2b53f1f906620c49a
      
https://github.com/qemu/qemu/commit/6b94cfeca8f9727ae6de41f2b53f1f906620c49a
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Check catalog_size header field (CVE-2014-0143)

It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e3737b820b45e54b059656dc3f914f895ac7a88b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b0a7517c244d09bbb087af0f8b455cabedc126ee
      
https://github.com/qemu/qemu/commit/b0a7517c244d09bbb087af0f8b455cabedc126ee
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/bochs.c
    M tests/qemu-iotests/078
    M tests/qemu-iotests/078.out

  Log Message:
  -----------
  bochs: Check extent_size header field (CVE-2014-0142)

This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6ee0d5fdc7bbeb5419fb41fd949fd0b0ebe085db
      
https://github.com/qemu/qemu/commit/6ee0d5fdc7bbeb5419fb41fd949fd0b0ebe085db
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/bochs.c

  Log Message:
  -----------
  bochs: Fix bitmap offset calculation

32 bit truncation could let us access the wrong offset in the image.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a9ba36a45dfac645a810c31ce15ab393b69d820a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b2390c7008561c595127090688960a145a592f6b
      
https://github.com/qemu/qemu/commit/b2390c7008561c595127090688960a145a592f6b
  Author: Jeff Cody <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vpc.c

  Log Message:
  -----------
  vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)

This adds checks to make sure that max_table_entries and block_size
are in sane ranges.  Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded memory allocation, or invalid memory accesses.

Also, the allocation of the pagetable is changed from g_malloc0()
to qemu_blockalign().

Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 97f1c45c6f456572e5b504b8614e4a69e23b8e3a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 76d1eddbe533d828eb866c36b7b13837986c7fc3
      
https://github.com/qemu/qemu/commit/76d1eddbe533d828eb866c36b7b13837986c7fc3
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vpc.c
    A tests/qemu-iotests/088
    A tests/qemu-iotests/088.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  vpc: Validate block size (CVE-2014-0142)

This fixes some cases of division by zero crashes.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 5e71dfad763d67bb64be79e20e93411c0c30ad25)

Conflicts:
        tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <address@hidden>


  Commit: 37173f54b7925f02045a93c081deabca1b8a6abd
      
https://github.com/qemu/qemu/commit/37173f54b7925f02045a93c081deabca1b8a6abd
  Author: Jeff Cody <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vdi.c

  Log Message:
  -----------
  vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)

The maximum blocks_in_image is 0xffffffff / 4, which also limits the
maximum disk_size for a VDI image to 1024TB.  Note that this is the maximum
size that QEMU will currently support with this driver, not necessarily the
maximum size allowed by the image format.

This also fixes an incorrect error message, a bug introduced by commit
5b7aa9b56d1bfc79916262f380c3fc7961becb50 (Reported by Stefan Weil).

Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 63fa06dc978f3669dbfd9443b33cde9e2a7f4b41)

Conflicts:
        block/vdi.c

*modified to retain 1.7's usage of logout() over error_setg()

Signed-off-by: Michael Roth <address@hidden>


  Commit: 1786c4225db1ff1241d76e1f96a2acc1bea51d2d
      
https://github.com/qemu/qemu/commit/1786c4225db1ff1241d76e1f96a2acc1bea51d2d
  Author: Jeff Cody <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vhdx.c

  Log Message:
  -----------
  vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)

Other variables (e.g. sectors_per_block) are calculated using these
variables, and if not range-checked, illegal values could be obtained,
causing infinite loops and other potential issues when calculating
BAT entries.

The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
LogicalSectorSize is required to be either 512 or 4096 bytes.

Reported-by: Kevin Wolf <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 1d7678dec4761acdc43439da6ceda41a703ba1a6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4854971ac1bbc95c41f6c99c8482903c2ef8d1bb
      
https://github.com/qemu/qemu/commit/4854971ac1bbc95c41f6c99c8482903c2ef8d1bb
  Author: Fam Zheng <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/curl.c

  Log Message:
  -----------
  curl: check data size before memcpy to local buffer. (CVE-2014-0144)

curl_read_cb is the callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of the
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before the memcpy to the buffer to avoid overflow.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6d4b9e55fc625514a38d27cff4b9933f617fa7dc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 665f3ad58f040cc1a09cbd4f91b2e7355a874c6e
      
https://github.com/qemu/qemu/commit/665f3ad58f040cc1a09cbd4f91b2e7355a874c6e
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    A tests/qemu-iotests/080
    A tests/qemu-iotests/080.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qcow2: Check header_length (CVE-2014-0144)

This fixes an unbounded allocation for s->unknown_header_fields.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 24342f2cae47d03911e346fe1e520b00dc2818e0)

Conflicts:
        tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <address@hidden>


  Commit: 6f6db0c7aff11b233442d5e9e105f9b8bb66f2c5
      
https://github.com/qemu/qemu/commit/6f6db0c7aff11b233442d5e9e105f9b8bb66f2c5
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check backing_file_offset (CVE-2014-0144)

Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a1b3955c9415b1e767c130a2f59fee6aa28e575b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f6027f805b111deccc0e09eec53d8be9812493fa
      
https://github.com/qemu/qemu/commit/f6027f805b111deccc0e09eec53d8be9812493fa
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check refcount table size (CVE-2014-0144)

Limit the in-memory reference count table size to 8 MB, it's enough in
practice. This fixes an unbounded allocation as well as a buffer
overflow in qcow2_refcount_init().

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 818ce8487eba6b460af5a7e9f3ae38533ff85bf1
      
https://github.com/qemu/qemu/commit/818ce8487eba6b460af5a7e9f3ae38533ff85bf1
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate refcount table offset

The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.

Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8c7de28305a514d7f879fdfc677ca11fbf60d2e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 04bc6981ca7ea65d9d4e61b4758dcb9336fd045d
      
https://github.com/qemu/qemu/commit/04bc6981ca7ea65d9d4e61b4758dcb9336fd045d
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M block/qcow2.c
    M block/qcow2.h
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate snapshot table offset/size (CVE-2014-0144)

This avoids unbounded memory allocation and fixes a potential buffer
overflow on 32 bit hosts.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ce48f2f441ca98885267af6fd636a7cb804ee646)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cd598d41616189f33b35f69a5f7ba70c8112c272
      
https://github.com/qemu/qemu/commit/cd598d41616189f33b35f69a5f7ba70c8112c272
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Validate active L1 table offset and size (CVE-2014-0144)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 2d51c32c4b511db8bb9e58208f1e2c25e4c06c85)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5ba151f4dcca96d47896a5f77fa74ab5b6e9b06f
      
https://github.com/qemu/qemu/commit/5ba151f4dcca96d47896a5f77fa74ab5b6e9b06f
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Fix backing file name length check

len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.

This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating them to 1023.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6d33e8e7dc9d40ea105feed4b39caa3e641569e8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f59c95f16f3c98534b49e145da3cac0957c02a7
      
https://github.com/qemu/qemu/commit/2f59c95f16f3c98534b49e145da3cac0957c02a7
  Author: Hu Tao <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: fix offset overflow in qcow2_alloc_clusters_at()

When cluster size is big enough it can lead to an offset overflow
in qcow2_alloc_clusters_at(). This patch fixes it.

The allocation is stopped each time at L2 table boundary
(see handle_alloc()), so the possible maximum bytes could be

  2^(cluster_bits - 3 + cluster_bits)

cluster_bits - 3 is used to compute the number of entries per L2 table
and the additional cluster_bits is to take into account each
cluster referenced by the L2 entries.

So int is safe for cluster_bits<=17, unsafe otherwise.

Signed-off-by: Hu Tao <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 33304ec9fa484e765c6249673e09e1b7d49c5b85)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aeba41549da75d5775165e9205170e5b7a30f016
      
https://github.com/qemu/qemu/commit/aeba41549da75d5775165e9205170e5b7a30f016
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: Zero-initialise first cluster for new images

Strictly speaking, this is only required for has_zero_init() == false,
but it's easy enough to just do a cluster-aligned write that is padded
with zeros after the header.

This fixes the problem that after 'qemu-img create' an attempt is made
to parse header extensions that are really just random leftover data.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f8413b3c23b08a547ce18609acc6fae5fd04ed5c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ffa3ab02174f7cb474366bc325bd35264364c9fd
      
https://github.com/qemu/qemu/commit/ffa3ab02174f7cb474366bc325bd35264364c9fd
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M tests/qemu-iotests/026.out
    M tests/qemu-iotests/044.out
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)

free_cluster_index is only correct if update_refcount() was called from
an allocation function, and even there it's brittle because it's used to
protect unfinished allocations which still have a refcount of 0 - if it
moves in the wrong place, the unfinished allocation can be corrupted.

So not using it any more seems to be a good idea. Instead, use the
first requested cluster to do the calculations. Return -EAGAIN if
unfinished allocations could become invalid and let the caller restart
its search for some free clusters.

The context of creating a snapshot is one situation where
update_refcount() is called outside of a cluster allocation. For this
case, the change fixes a buffer overflow if a cluster is referenced in
an L2 table that cannot be represented by an existing refcount block.
(new_table[refcount_table_index] was out of bounds)

[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
11.
--Stefan]

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7a6088c87030b84e9f4b70ed9b656bec999dfc77
      
https://github.com/qemu/qemu/commit/7a6088c87030b84e9f4b70ed9b656bec999dfc77
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)

This ensures that the checks catch all invalid cluster indexes
instead of returning the refcount of a wrong cluster.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit db8a31d11d6a60f48d6817530640d75aa72a9a2f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 610ab7bd3d22dcd328eaabff1be627510bae23b5
      
https://github.com/qemu/qemu/commit/610ab7bd3d22dcd328eaabff1be627510bae23b5
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.c
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Check new refcount table size on growth

If the size becomes larger than what qcow2_open() would accept, fail the
growing operation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 2b5d5953eec0cc541857c3df812bdf8421596ab2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c8748374758cffffd903ff08d54c1d8d492c6c72
      
https://github.com/qemu/qemu/commit/c8748374758cffffd903ff08d54c1d8d492c6c72
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref

In order to avoid integer overflows.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit bb572aefbdac290363bfa5ca0e810ccce0a14ed6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e1c8770f56d59bad1056825228eec01caee24117
      
https://github.com/qemu/qemu/commit/e1c8770f56d59bad1056825228eec01caee24117
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: Protect against some integer overflows in bdrv_check

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 0abe740f1de899737242bcba1fb4a9857f7a3087)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3c6347ce8c3edc677c95da437bd40321e6d57b00
      
https://github.com/qemu/qemu/commit/3c6347ce8c3edc677c95da437bd40321e6d57b00
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-cluster.c

  Log Message:
  -----------
  qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit cab60de930684c33f67d4e32c7509b567f8c445b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dedf4a5f79d8dcb384c1324b44dae536ec938d9d
      
https://github.com/qemu/qemu/commit/dedf4a5f79d8dcb384c1324b44dae536ec938d9d
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: coding style and indentation cleanup

Clean up the mix of tabs and spaces, as well as the coding style
violations in block/dmg.c.  There are no semantic changes since this
patch simply reformats the code.

This patch is necessary before we can make meaningful changes to this
file, due to the inconsistent formatting and confusing indentation.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 2c1885adcf0312da80c7317b09f9adad97fa0fc6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ad08cae75c444366ad7a5222c6b7867f31a338f7
      
https://github.com/qemu/qemu/commit/ad08cae75c444366ad7a5222c6b7867f31a338f7
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: prevent out-of-bounds array access on terminator

When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.

If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses.  Don't do
that.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 73ed27ec28a1dbebdd2ae792284151f029950fbe)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4ee5b9c8cbe05d1865924dce226b4c3aedc4dae6
      
https://github.com/qemu/qemu/commit/4ee5b9c8cbe05d1865924dce226b4c3aedc4dae6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: drop broken bdrv_pread() loop

It is not necessary to check errno for EINTR and the block layer does
not produce short reads.  Therefore we can drop the loop that attempts
to read a compressed chunk.

The loop is buggy because it incorrectly adds the transferred bytes
twice:

  do {
      ret = bdrv_pread(...);
      i += ret;
  } while (ret >= 0 && ret + i < s->lengths[chunk]);

Luckily we can drop the loop completely and perform a single
bdrv_pread().

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit b404bf854217dbe8a5649449eb3ad33777f7d900)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4b50bd735711928869f14824481ac2cbda5333d5
      
https://github.com/qemu/qemu/commit/4b50bd735711928869f14824481ac2cbda5333d5
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: use appropriate types when reading chunks

Use the right types instead of signed int:

  size_t new_size;

  This is a byte count for g_realloc() that is calculated from uint32_t
  and size_t values.

  uint32_t chunk_count;

  Use the same type as s->n_chunks, which is used together with
  chunk_count.

This patch is a cleanup and does not fix bugs.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit eb71803b041f55779ea10d860c0f66df285c68de)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 758c4840c64d2f0faed18c16c02cbb2c2a3bdfe3
      
https://github.com/qemu/qemu/commit/758c4840c64d2f0faed18c16c02cbb2c2a3bdfe3
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: sanitize chunk length and sectorcount (CVE-2014-0145)

Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument.  Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c165f7758009a4f793c1fc19ebb69cf55313450b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d400b5dc4acaa883d8e856a137c37f7aea1b2707
      
https://github.com/qemu/qemu/commit/d400b5dc4acaa883d8e856a137c37f7aea1b2707
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: use uint64_t consistently for sectors and lengths

The DMG metadata is stored as uint64_t, so use the same type for
sector_num.  int was a particularly poor choice since it is only 32-bit
and would truncate large values.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 686d7148ec23402a172628c800022b3a95a022c9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b6f7fbdd1d9e27822e829e983fb6f907576a24e4
      
https://github.com/qemu/qemu/commit/b6f7fbdd1d9e27822e829e983fb6f907576a24e4
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/dmg.c

  Log Message:
  -----------
  dmg: prevent chunk buffer overflow (CVE-2014-0145)

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

  switch (s->types[chunk]) {
  case 1: /* copy */
      ret = bdrv_pread(bs->file, s->offsets[chunk],
                 s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f0dce23475b5af5da6b17b97c1765271307734b6)
Signed-off-by: Michael Roth <address@hidden>
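Added illustration of the buffer-size accounting error described above; this is not QEMU's block/dmg.c, and the two-chunk metadata table is constructed. The zlib type value is the DMG format's and only serves as "not a copy chunk" here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Chunk types: 1 is the "copy" case quoted in the commit message; the zlib
 * value is the DMG format's, used here only as "some compressed type". */
#define DMG_CHUNK_COPY 1u
#define DMG_CHUNK_ZLIB 0x80000005u

/* The per-chunk metadata dmg_open() reads from the image (constructed here). */
typedef struct {
    uint32_t n_chunks;
    const uint32_t *types;
    const uint64_t *lengths;      /* bytes to read from the image file */
    const uint64_t *sectorcounts; /* decompressed size in 512-byte sectors */
} DmgMeta;

/* Sizes of the two buffers the driver allocates after reading the metadata. */
typedef struct {
    uint64_t max_compressed;   /* ->compressed_chunk */
    uint64_t max_uncompressed; /* ->uncompressed_chunk */
} DmgBufSizes;

/* Compute both maxima. With account_by_type == false every lengths[] entry is
 * charged to the compressed buffer (the pre-fix behaviour); with true, a copy
 * chunk's lengths[] is charged to the uncompressed buffer, because that is
 * the buffer bdrv_pread() writes into for type 1. */
static DmgBufSizes dmg_max_sizes(const DmgMeta *m, bool account_by_type)
{
    DmgBufSizes s = { 0, 0 };
    for (uint32_t i = 0; i < m->n_chunks; i++) {
        uint64_t unc = m->sectorcounts[i] * 512;
        uint64_t len = m->lengths[i];
        if (account_by_type && m->types[i] == DMG_CHUNK_COPY) {
            if (len > unc) unc = len;
        } else if (len > s.max_compressed) {
            s.max_compressed = len;
        }
        if (unc > s.max_uncompressed) s.max_uncompressed = unc;
    }
    return s;
}

/* True if reading copy chunk `chunk` into uncompressed_chunk stays in bounds. */
static bool dmg_copy_chunk_fits(const DmgMeta *m, uint32_t chunk, bool account_by_type)
{
    DmgBufSizes s = dmg_max_sizes(m, account_by_type);
    if (chunk >= m->n_chunks || m->types[chunk] != DMG_CHUNK_COPY) return false;
    return m->lengths[chunk] <= s.max_uncompressed;
}

/* Constructed metadata: chunk 0 is an 8 KiB zlib chunk that expands to 32
 * sectors (16 KiB); chunk 1 is a copy chunk whose on-disk length (64 KiB)
 * disagrees with its sectorcount (16 sectors = 8 KiB), which a crafted
 * image can arrange. */
static const uint32_t sample_types[]        = { DMG_CHUNK_ZLIB, DMG_CHUNK_COPY };
static const uint64_t sample_lengths[]      = { 8192, 65536 };
static const uint64_t sample_sectorcounts[] = { 32, 16 };
static const DmgMeta sample_meta = { 2, sample_types, sample_lengths, sample_sectorcounts };

int main(void)
{
    DmgBufSizes before = dmg_max_sizes(&sample_meta, false);
    DmgBufSizes after  = dmg_max_sizes(&sample_meta, true);
    printf("pre-fix:  uncompressed_chunk=%llu bytes, copy chunk 1 reads %llu -> %s\n",
           (unsigned long long)before.max_uncompressed,
           (unsigned long long)sample_lengths[1],
           dmg_copy_chunk_fits(&sample_meta, 1, false) ? "fits" : "OVERFLOW");
    printf("post-fix: uncompressed_chunk=%llu bytes -> %s\n",
           (unsigned long long)after.max_uncompressed,
           dmg_copy_chunk_fits(&sample_meta, 1, true) ? "fits" : "OVERFLOW");
    return 0;
}
```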


  Commit: 759d38652ae6bbe1253b921c13c43d2c6c25b8d5
      
https://github.com/qemu/qemu/commit/759d38652ae6bbe1253b921c13c43d2c6c25b8d5
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Limit request size (CVE-2014-0143)

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8f4754ede56e3f9ea3fd7207f4a7c4453e59285b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c2c52728f5719a4534f52fd2f0c6f3d04e230bdf
      
https://github.com/qemu/qemu/commit/c2c52728f5719a4534f52fd2f0c6f3d04e230bdf
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2.c
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)

The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occurring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 11b128f4062dd7f89b14abc8877ff20d41b28be9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 641c3ec44252f077100269e631a3583046848f18
      
https://github.com/qemu/qemu/commit/641c3ec44252f077100269e631a3583046848f18
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-cluster.c
    M tests/qemu-iotests/029
    M tests/qemu-iotests/029.out

  Log Message:
  -----------
  qcow2: Fix copy_sectors() with VM state

bs->total_sectors is not the highest possible sector number that could
be involved in a copy on write operation: VM state is after the end of
the virtual disk. This resulted in wrong values for the number of
sectors to be copied (n).

The code that checks for the end of the image isn't required any more
because the code hasn't been calling the block layer's bdrv_read() for a
long time; instead, it directly calls qcow2_readv(), which doesn't error
out on VM state sector numbers.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6b7d4c55586a849aa8313282d79432917eade3bf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d99c4e2d857fbd5e95bf61971d59eb10499289c0
      
https://github.com/qemu/qemu/commit/d99c4e2d857fbd5e95bf61971d59eb10499289c0
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M tests/qemu-iotests/029
    M tests/qemu-iotests/029.out

  Log Message:
  -----------
  qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)

For the L1 table to be loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c05e4667be91b46ab42b5a11babf8e84d476cc6b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cfa8008cc01ed811a5c2aca30af44e7d4ece97e6
      
https://github.com/qemu/qemu/commit/cfa8008cc01ed811a5c2aca30af44e7d4ece97e6
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow2-snapshot.c
    M block/qcow2.c
    M block/qcow2.h
    M tests/qemu-iotests/080
    M tests/qemu-iotests/080.out

  Log Message:
  -----------
  qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 750336bc908fd6e728d9ff127d532af70b4ff776
      
https://github.com/qemu/qemu/commit/750336bc908fd6e728d9ff127d532af70b4ff776
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/parallels.c
    A tests/qemu-iotests/076
    A tests/qemu-iotests/076.out
    M tests/qemu-iotests/common
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/fake.parallels.bz2

  Log Message:
  -----------
  parallels: Fix catalog size integer overflow (CVE-2014-0143)

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianness conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using a hex editor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit afbcc40bee4ef51731102d7d4b499ee12fc182e1)

Conflicts:
        tests/qemu-iotests/group

*fixed mismatches in group file

Signed-off-by: Michael Roth <address@hidden>


  Commit: 97a0e27e719ad2d01420969adebb52f337fa6b94
      
https://github.com/qemu/qemu/commit/97a0e27e719ad2d01420969adebb52f337fa6b94
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/parallels.c
    M tests/qemu-iotests/076
    M tests/qemu-iotests/076.out

  Log Message:
  -----------
  parallels: Sanity check for s->tracks (CVE-2014-0142)

This avoids a possible division by zero.

Convert s->tracks to unsigned as well because it feels better than
surviving just because the results of calculations with s->tracks are
converted to unsigned anyway.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 9302e863aa8baa5d932fc078967050c055fa1a7f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 41819e90af4228c40a92da828a82446073412a5a
      
https://github.com/qemu/qemu/commit/41819e90af4228c40a92da828a82446073412a5a
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow.c

  Log Message:
  -----------
  qcow1: Make padding in the header explicit

We were relying on all compilers inserting the same padding in the
header struct that is used for the on-disk format. Let's not do that.
Mark the struct as packed and insert an explicit padding field for
compatibility.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e6c55cf7c25ceb0c14a292520a61786374f69bcf
      
https://github.com/qemu/qemu/commit/e6c55cf7c25ceb0c14a292520a61786374f69bcf
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow.c
    A tests/qemu-iotests/092
    A tests/qemu-iotests/092.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qcow1: Check maximum cluster size

Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.

The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)

Conflicts:
        block/qcow.c
        tests/qemu-iotests/group

*removed mismatch due to error msgs from upstream's b6d5066d
*removed context from upstream block tests

Signed-off-by: Michael Roth <address@hidden>


  Commit: 8b17eb6e6cdd4d5b4f3291c7e8afff83960f00d7
      
https://github.com/qemu/qemu/commit/8b17eb6e6cdd4d5b4f3291c7e8afff83960f00d7
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Validate L2 table size (CVE-2014-0222)

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b53d8665a2665978d7f7da47d2fca13e9481b067
      
https://github.com/qemu/qemu/commit/b53d8665a2665978d7f7da47d2fca13e9481b067
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Validate image size (CVE-2014-0223)

A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.

This can not only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f1eb049dffa7ef0f5e1cf8fd9effa0aeab20870
      
https://github.com/qemu/qemu/commit/2f1eb049dffa7ef0f5e1cf8fd9effa0aeab20870
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Stricter backing file length check

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.

Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
Signed-off-by: Michael Roth <address@hidden>
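Added example, not QEMU's block/qcow.c: the header sanity checks that the four qcow1 commits above describe (cluster size, L2 table size, image size against the int-typed s->l1_size, and backing file length), applied to constructed header values. The struct holds only the fields those checks need and assumes host byte order.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The qcow1 header fields the checks need, already in host byte order.
 * The real on-disk header has more fields; these are the validated ones. */
typedef struct {
    uint64_t size;              /* virtual disk size in bytes */
    uint32_t backing_file_size; /* length of the backing file name */
    uint8_t  cluster_bits;      /* cluster size is 1 << cluster_bits */
    uint8_t  l2_bits;           /* an L2 table has 1 << l2_bits entries */
} Qcow1Header;

enum qcow1_err {
    QCOW1_OK = 0,
    QCOW1_BAD_CLUSTER_SIZE,  /* outside 512 bytes .. 64k */
    QCOW1_BAD_L2_SIZE,       /* L2 table outside 512 bytes .. 64k */
    QCOW1_IMAGE_TOO_LARGE,   /* L1 table would not fit in an int */
    QCOW1_BAD_BACKING_LEN    /* backing file name longer than 1023 */
};

/* Validate the header and, on success, store the L1 entry count in *l1_size
 * (an int, like s->l1_size in the driver, which is why it must be bounded). */
static enum qcow1_err qcow1_validate(const Qcow1Header *h, int *l1_size)
{
    /* Cluster size between 512 bytes and 64k; qemu itself creates 512 and 4k. */
    if (h->cluster_bits < 9 || h->cluster_bits > 16) {
        return QCOW1_BAD_CLUSTER_SIZE;
    }
    /* L2 table size between 512 bytes and 64k; entries are 8 bytes, hence -3. */
    if (h->l2_bits < 9 - 3 || h->l2_bits > 16 - 3) {
        return QCOW1_BAD_L2_SIZE;
    }
    /* Bytes covered by one L1 entry: at most 2^29 after the checks above, so
     * the shift itself cannot overflow. */
    unsigned shift = h->cluster_bits + h->l2_bits;
    uint64_t per_l1_entry = (uint64_t)1 << shift;
    /* Rounding size up to whole L1 entries must not wrap the uint64_t ... */
    if (h->size > UINT64_MAX - (per_l1_entry - 1)) {
        return QCOW1_IMAGE_TOO_LARGE;
    }
    uint64_t entries = (h->size + per_l1_entry - 1) >> shift;
    /* ... and entries * 8 bytes must fit the int used to allocate and index
     * the L1 table, or a too small table gets allocated. */
    if (entries > INT_MAX / sizeof(uint64_t)) {
        return QCOW1_IMAGE_TOO_LARGE;
    }
    /* Backing file name: error out instead of truncating to 1023. The field
     * is unsigned, so no negative length can reach bdrv_pread(). */
    if (h->backing_file_size > 1023) {
        return QCOW1_BAD_BACKING_LEN;
    }
    *l1_size = (int)entries;
    return QCOW1_OK;
}

/* Build a header from plain values and validate it. */
static enum qcow1_err qcow1_check(uint64_t size, uint8_t cluster_bits,
                                  uint8_t l2_bits, uint32_t backing_len)
{
    Qcow1Header h = { size, backing_len, cluster_bits, l2_bits };
    int l1 = 0;
    return qcow1_validate(&h, &l1);
}

/* L1 entry count for a valid header, -1 if the header is rejected. */
static int qcow1_l1_size(uint64_t size, uint8_t cluster_bits, uint8_t l2_bits)
{
    Qcow1Header h = { size, 0, cluster_bits, l2_bits };
    int l1 = 0;
    return qcow1_validate(&h, &l1) == QCOW1_OK ? l1 : -1;
}

int main(void)
{
    /* Constructed headers: a sane 1 GiB image, then one crafted field each. */
    printf("1 GiB, 4k clusters, 4k L2 tables: err=%d l1_size=%d\n",
           qcow1_check(1ULL << 30, 12, 9, 0), qcow1_l1_size(1ULL << 30, 12, 9));
    printf("cluster_bits=40:   err=%d\n", qcow1_check(1ULL << 30, 40, 9, 0));
    printf("l2_bits=20:        err=%d\n", qcow1_check(1ULL << 30, 12, 20, 0));
    printf("size=2^60:         err=%d\n", qcow1_check(1ULL << 60, 12, 9, 0));
    printf("backing len=1024:  err=%d\n", qcow1_check(1ULL << 30, 12, 9, 1024));
    return 0;
}
```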


  Commit: 44564f82264447979f774039f73b9343fb505127
      
https://github.com/qemu/qemu/commit/44564f82264447979f774039f73b9343fb505127
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path

Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 91e7fcca4743cf694eb0c8e7a8d938cf359b5bd8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 26b51027f9b658f28c9f1c90f8b0eb342ca42ab4
      
https://github.com/qemu/qemu/commit/26b51027f9b658f28c9f1c90f8b0eb342ca42ab4
  Author: Max Filippov <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M target-xtensa/translate.c

  Log Message:
  -----------
  target-xtensa: fix cross-page jumps/calls at the end of TB

Use tb->pc instead of dc->pc to check for cross-page jumps.
When TB translation stops at the page boundary dc->pc points to the next
page allowing chaining to TBs in it, which is wrong.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 433d33c555deeed375996e338df1a9510df401c6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c2fb0f287011b23183739e183ab4b0668476cc4b
      
https://github.com/qemu/qemu/commit/c2fb0f287011b23183739e183ab4b0668476cc4b
  Author: Stefan Weil <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M cputlb.c

  Log Message:
  -----------
  cputlb: Fix regression with TCG interpreter (bug 1310324)

Commit 0f842f8a246f2b5b51a11c13f933bf7a90ae8e96 replaced GETPC_EXT() which
was derived from GETPC() by GETRA_EXT() without fixing cputlb.c. A later
patch replaced GETRA_EXT() by GETRA() in exec/softmmu_template.h which
is included in cputlb.c.

The TCG interpreter failed because the values returned by GETRA() were no
longer explicitly set to 0. The redefinition of GETRA() introduced here
fixes this.

In addition, GETPC_ADJ which is also used in exec/softmmu_template.h is
set to 0. Both changes reduce the compiled code size for cputlb.c by more
than 100 bytes, so the normal TCG without interpreter also profits from
the reduced code size and slightly faster code.

Cc: address@hidden
Reported-by: Giovanni Mascellani <address@hidden>
Signed-off-by: Stefan Weil <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7e4e88656c1e6192e9e47a2054d2dc190c1b840b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d2b987479a322f246753ce82a5b6f535e15626f4
      
https://github.com/qemu/qemu/commit/d2b987479a322f246753ce82a5b6f535e15626f4
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: Plug memory leak in blockdev_init()

blockdev_init() leaks bs_opts when qemu_opts_create() fails, i.e. when
the ID is bad.  Missed in commit ec9c10d.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 6376f9522372d589f3efe60001dc0486237dd375)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d1775fe94a1bbfb337c7e6d178a81de3c5339d3f
      
https://github.com/qemu/qemu/commit/d1775fe94a1bbfb337c7e6d178a81de3c5339d3f
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: Plug memory leak in drive_init()

bs_opts is leaked on all paths from its qdev_new() that don't go
through blockdev_init().  Add the missing QDECREF(), and zap bs_opts
after blockdev_init(), so the new QDECREF() does nothing when we go
through blockdev_init().

Leak introduced in commit f298d07.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 3cb0e25c4b417b7336816bd92de458f0770d49ff)

Conflicts:
        blockdev.c

*fixed trivial context mismatch due to blockdev_init signature change

Signed-off-by: Michael Roth <address@hidden>


  Commit: 7267e51b324dd23837b244261417c7002054430f
      
https://github.com/qemu/qemu/commit/7267e51b324dd23837b244261417c7002054430f
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/qapi.c

  Log Message:
  -----------
  block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR

Introduced in commit a8d8ecb.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit f25391c2a6ef1674384204265429520ea50e82bc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 501da9369cc96d19b8973eed33d1161bb200b035
      
https://github.com/qemu/qemu/commit/501da9369cc96d19b8973eed33d1161bb200b035
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  block/vvfat: Plug memory leak in check_directory_consistency()

On error path.  Introduced in commit a046433a.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 6262bbd363b53a1f19c473345d7cc40254dd5c73)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d3cd48a85fc8f0aa4358a866da31842480edf1e6
      
https://github.com/qemu/qemu/commit/d3cd48a85fc8f0aa4358a866da31842480edf1e6
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  block/vvfat: Plug memory leak in read_directory()

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b122c3b6d020e529b203836efb8f611ece787293)
Signed-off-by: Michael Roth <address@hidden>


  Commit: df9c108acd5aaf4f5ac6e5b799b619c6b6a88975
      
https://github.com/qemu/qemu/commit/df9c108acd5aaf4f5ac6e5b799b619c6b6a88975
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M block/sheepdog.c

  Log Message:
  -----------
  block/sheepdog: Plug memory leak in sd_snapshot_create()

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2df5fee2dbd56a9c34afd6d7df6744da2d951ccb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cb34d1e9e938f42aacbd85c8d0ac08b66d44ad29
      
https://github.com/qemu/qemu/commit/cb34d1e9e938f42aacbd85c8d0ac08b66d44ad29
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M qemu-img.c

  Log Message:
  -----------
  qemu-img: Plug memory leak in convert command

Introduced in commit 661a0f7.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit bb9cd2ee99f6537c072d5f4bac441717d3cd2bed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ccb08f53d5cb084b2ea5449f0176b9bbe20571ed
      
https://github.com/qemu/qemu/commit/ccb08f53d5cb084b2ea5449f0176b9bbe20571ed
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Don't overrun guest buffer in sched_getaffinity

If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.

Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.

Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24)
Signed-off-by: Michael Roth <address@hidden>
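Added example modelled on the copy-back rule the message describes; it is not QEMU's linux-user/syscall.c. The host long is assumed to be 8 bytes and the guest's 4, and the 12-byte guest buffer, host mask and canary byte are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Round the guest's mask length up to a multiple of the host's sizeof(long),
 * which is what the host kernel requires for sched_getaffinity(). */
static size_t host_mask_len(size_t guest_len, size_t host_long)
{
    return (guest_len + host_long - 1) / host_long * host_long;
}

/* Copy the mask the host kernel returned (host_ret bytes) back into the
 * guest's buffer of guest_len bytes. Returns the number of bytes written to
 * the guest, or -EINVAL when the surplus host bytes could hold real CPU
 * bits (8 CPUs per byte) and so cannot simply be dropped. Never writes more
 * than guest_len bytes. */
static long copy_mask_to_guest(const uint8_t *host, size_t host_ret,
                               uint8_t *guest, size_t guest_len, long ncpus)
{
    size_t n = host_ret;
    if (n > guest_len) {
        /* More came back than fits: only happens when the guest long is
         * smaller than the host's and guest_len had to be rounded up. */
        if (ncpus > (long)(guest_len * 8)) {
            return -EINVAL;
        }
        n = guest_len;  /* the extra space can describe no CPU: ignore it */
    }
    memcpy(guest, host, n);
    return (long)n;
}

/* Scenario (constructed): a 32-bit guest passes a 12-byte buffer; with an
 * 8-byte host long the kernel gets 16 bytes and fills all of them. Returns
 * bytes copied (or -EINVAL) and reports through *canary_ok whether the byte
 * just past the guest buffer was left untouched. */
static long demo_copy_back(long ncpus, int *canary_ok)
{
    uint8_t host_buf[16];
    memset(host_buf, 0xff, sizeof host_buf);      /* host set all 128 bits */
    uint8_t guest_mem[13];                          /* 12-byte buffer + canary */
    memset(guest_mem, 0, sizeof guest_mem);
    guest_mem[12] = 0xa5;                           /* canary past the buffer */
    size_t glen = 12;
    size_t hlen = host_mask_len(glen, 8);           /* 16: host long assumed 8 */
    long r = copy_mask_to_guest(host_buf, hlen, guest_mem, glen, ncpus);
    if (canary_ok) *canary_ok = (guest_mem[12] == 0xa5);
    return r;
}

/* 1 if the guest canary survived the copy-back for this CPU count. */
static int demo_canary_intact(long ncpus)
{
    int ok = 0;
    demo_copy_back(ncpus, &ok);
    return ok;
}

int main(void)
{
    printf("64-CPU host:  copied=%ld canary_ok=%d\n",
           demo_copy_back(64, NULL), demo_canary_intact(64));
    printf("128-CPU host: copied=%ld (negative is -errno) canary_ok=%d\n",
           demo_copy_back(128, NULL), demo_canary_intact(128));
    return 0;
}
```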


  Commit: e34feec2641228394cafd8a7559f463cf4091138
      
https://github.com/qemu/qemu/commit/e34feec2641228394cafd8a7559f463cf4091138
  Author: Richard Henderson <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M tcg/i386/tcg-target.c

  Log Message:
  -----------
  tcg-i386: Fix win64 qemu store

The first non-register argument isn't placed at offset 0.

Cc: address@hidden
Reviewed-by: Stefan Weil <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit 0b919667302aa395bfde0328749dc21a0b123c44)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f784615221c6018896d985101edc7e6de3cc9119
      
https://github.com/qemu/qemu/commit/f784615221c6018896d985101edc7e6de3cc9119
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M target-arm/helper.c

  Log Message:
  -----------
  target-arm: Fix errors in writes to generic timer control registers

The code for handling writes to the generic timer control registers
had several bugs:
 * ISTATUS (bit 2) is read-only but we forced it to zero on any write
 * the check for "was IMASK (bit 1) toggled?" incorrectly used '&' where
   it should be '^'
 * the handling of IMASK was inverted: we should set the IRQ if
   ISTATUS is set and IMASK is clear, not if both are set

The combination of these bugs meant that when running a Linux guest
that uses the generic timers we would fairly quickly end up either
forgetting that the timer output should be asserted, or failing to
set the IRQ when the timer was unmasked. The result is that the guest
never gets any more timer interrupts.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
(cherry picked from commit d3afacc7269fee45d54d1501a46b51f12ea7bb15)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 501910686272349efbb0458d008fd76d2695a5c4
      
https://github.com/qemu/qemu/commit/501910686272349efbb0458d008fd76d2695a5c4
  Author: Cornelia Huck <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M hw/s390x/css.c

  Log Message:
  -----------
  s390x/css: handle emw correctly for tsch

We should not try to store the emw portion of the irb if extended
measurements are not applicable. In particular, we should not surprise
the guest by storing a larger irb if it did not enable extended
measurements.

Cc: address@hidden
Reviewed-by: David Hildenbrand <address@hidden>
Tested-by: Christian Borntraeger <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit f068d320def7fd83bf0fcdca37b305f1c2ac5413)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 404194562406e71d41c52742e674279e601903d6
      
https://github.com/qemu/qemu/commit/404194562406e71d41c52742e674279e601903d6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M async.c

  Log Message:
  -----------
  aio: fix qemu_bh_schedule() bh->ctx race condition

qemu_bh_schedule() is supposed to be thread-safe at least the first time
it is called.  Unfortunately this is not quite true:

  bh->scheduled = 1;
  aio_notify(bh->ctx);

Since another thread may run the BH callback once it has been scheduled,
there is a race condition if the callback frees the BH before
aio_notify(bh->ctx) has a chance to run.

Reported-by: Stefan Priebe <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Tested-by: Stefan Priebe <address@hidden>
(cherry picked from commit 924fe1293c3e7a3c787bbdfb351e7f168caee3e9)
Signed-off-by: Michael Roth <address@hidden>
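Added illustration of the ordering fix (not QEMU's async.c): the BH's AioContext is loaded into a local before scheduled is set, so the notification never touches a BH another thread may already have freed. The racing thread is simulated by running the callback synchronously at the race point, the deletion keeps the memory and poisons ctx instead of freeing (so the use-after-free shows as a lost wakeup rather than undefined behaviour), and the memory barrier QEMU needs between the two stores is omitted because the simulation is single-threaded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct AioContext { int notified; } AioContext;
typedef void QEMUBHFunc(void *opaque);
typedef struct QEMUBH {
    AioContext *ctx;
    QEMUBHFunc *cb;
    void *opaque;
    int scheduled;
    bool deleted;   /* stands in for the memory having been freed */
} QEMUBH;

/* Stand-in for aio_notify(): counts wakeups delivered to the context. */
static void aio_notify_sim(AioContext *ctx)
{
    if (ctx) ctx->notified++;
}

/* Simulated qemu_bh_delete(): in QEMU the struct is freed; here the memory
 * stays valid and ctx is poisoned so a late read is visible. */
static void qemu_bh_delete_sim(QEMUBH *bh)
{
    bh->deleted = true;
    bh->ctx = NULL;
}

/* The racing BH thread, run synchronously at the race point: it sees
 * scheduled == 1, clears it and invokes the callback. */
static void other_thread_runs_bh(QEMUBH *bh)
{
    if (bh->scheduled) {
        bh->scheduled = 0;
        bh->cb(bh->opaque);
    }
}

/* Pre-fix ordering: bh->ctx is read after the BH has been published. */
static void qemu_bh_schedule_racy(QEMUBH *bh)
{
    bh->scheduled = 1;
    other_thread_runs_bh(bh);   /* race window: the callback may delete bh */
    aio_notify_sim(bh->ctx);    /* use-after-free in the real code */
}

/* Fixed ordering: ctx is captured before scheduled is set. */
static void qemu_bh_schedule_fixed(QEMUBH *bh)
{
    AioContext *ctx = bh->ctx;
    bh->scheduled = 1;
    other_thread_runs_bh(bh);
    aio_notify_sim(ctx);        /* bh itself is no longer touched */
}

/* A callback that deletes its own BH, the case the commit describes. */
static void self_deleting_cb(void *opaque)
{
    qemu_bh_delete_sim(opaque);
}

/* Schedule a self-deleting BH with either ordering and return how many
 * wakeups the AioContext received: 1 means the event loop was notified. */
static int notifications_after_schedule(bool fixed)
{
    AioContext ctx = { 0 };
    QEMUBH bh = { &ctx, self_deleting_cb, NULL, 0, false };
    bh.opaque = &bh;
    if (fixed) {
        qemu_bh_schedule_fixed(&bh);
    } else {
        qemu_bh_schedule_racy(&bh);
    }
    return ctx.notified;
}

int main(void)
{
    printf("racy ordering:  notifications=%d\n", notifications_after_schedule(false));
    printf("fixed ordering: notifications=%d\n", notifications_after_schedule(true));
    return 0;
}
```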


  Commit: 23dbc56d22b3de291a75ae40563bf45573569840
      
https://github.com/qemu/qemu/commit/23dbc56d22b3de291a75ae40563bf45573569840
  Author: Gonglei <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M qga/commands-win32.c

  Log Message:
  -----------
  qga: Fix handle fd leak in acquire_privilege()

token should be closed in all conditions.
So move CloseHandle(token) to "out" branch.

Signed-off-by: Wang Rui <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit 374044f08fe18a18469b981812cd8695f5b3569c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 63bf1e0ea53479271debccaad05c993996cf2ea9
      
https://github.com/qemu/qemu/commit/63bf1e0ea53479271debccaad05c993996cf2ea9
  Author: Michael R. Hines <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M migration-rdma.c

  Log Message:
  -----------
  rdma: bug fixes

1. Fix small memory leak in parsing inet address from command line in data_init()
2. Fix ibv_post_send() return value check and pass error code back up correctly.
3. Fix rdma_destroy_qp() segfault after failure to connect to destination.

Reported-by: address@hidden
Reported-by: address@hidden
Signed-off-by: Michael R. Hines <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit e325b49a320b493cc5d69e263751ff716dc458fe)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 36afdba00af1ebcf311fa17b8c77402a19fe4492
      
https://github.com/qemu/qemu/commit/36afdba00af1ebcf311fa17b8c77402a19fe4492
  Author: Ulrich Obergfell <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/scsi/scsi-disk.c

  Log Message:
  -----------
  scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c

This patch fixes a bug in scsi_block_new_request() that was introduced
by commit 137745c5c60f083ec982fe9e861e8c16ebca1ba8. If the host cache
is used - i.e. if BDRV_O_NOCACHE is _not_ set - the 'break' statement
needs to be executed to 'fall back' to SG_IO.

Cc: address@hidden
Signed-off-by: Ulrich Obergfell <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 2fe5a9f73b3446690db2cae8a58473b0b4beaa32)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 79bd7781dd0cc4583902f67661cbad8d4d9eecfc
      
https://github.com/qemu/qemu/commit/79bd7781dd0cc4583902f67661cbad8d4d9eecfc
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/virtio/vhost.c

  Log Message:
  -----------
  vhost: fix resource leak in error handling

vhost_verify_ring_mappings leaks mappings on error.
Fix this up.

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 8617343faae6ba7e916137c6c9e3ef22c00565d8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f0c609dedeb06d939f4544280a6a23f6ca75211d
      
https://github.com/qemu/qemu/commit/f0c609dedeb06d939f4544280a6a23f6ca75211d
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/usb/dev-bluetooth.c

  Log Message:
  -----------
  usb: Fix usb-bt-dongle initialization.

Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.

Signed-off-by: Hani Benhabiles <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit c340a284f382a5f40774521f41b4bade76ddfa58)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b47506f55cf4fb01d04e3c76c77ca09b75cf75c6
      
https://github.com/qemu/qemu/commit/b47506f55cf4fb01d04e3c76c77ca09b75cf75c6
  Author: Alexander Graf <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M kvm-all.c

  Log Message:
  -----------
  KVM: Fix GSI number space limit

KVM tells us the number of GSIs it can handle inside the kernel. That value is
basically KVM_MAX_IRQ_ROUTES. However when we try to set the GSI mapping table,
it checks for

    r = -EINVAL;
    if (routing.nr >= KVM_MAX_IRQ_ROUTES)
        goto out;

erroring out even when we're only using all of the GSIs. To make sure we never
hit that limit, let's reduce the number of GSIs we get from KVM by one.

Cc: address@hidden
Signed-off-by: Alexander Graf <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 00008418aa22700f6c49e794e79f53aeb157d10f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8a93721d04a55b3f23d1594287fe812da01c0d31
      
https://github.com/qemu/qemu/commit/8a93721d04a55b3f23d1594287fe812da01c0d31
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M coroutine-win32.c

  Log Message:
  -----------
  coroutine-win32.c: Add noinline attribute to work around gcc bug

A gcc codegen bug in x86_64-w64-mingw32-gcc (GCC) 4.6.3 means that
non-debug builds of QEMU for Windows tend to assert when using
coroutines. Work around this by marking qemu_coroutine_switch
as noinline.

If we allow gcc to inline qemu_coroutine_switch into
coroutine_trampoline, then it hoists the code to get the
address of the TLS variable "current" out of the while() loop.
This is an invalid transformation because the SwitchToFiber()
call may be called when running thread A but return in thread B,
and so we might be in a different thread context each time
round the loop. This can happen quite often.  Typically,
a coroutine is started when a VCPU thread does bdrv_aio_readv:

     VCPU thread

     main VCPU thread coroutine      I/O coroutine
  bdrv_aio_readv ----->
                               start I/O operation
                                 thread_pool_submit_co
                 <------------ yields
  back to emulation

Then I/O finishes and the thread-pool.c event notifier triggers in
the I/O thread.  event_notifier_ready calls thread_pool_co_cb, and
the I/O coroutine now restarts *in another thread*:

     iothread

     main iothread coroutine         I/O coroutine (formerly in VCPU thread)
  event_notifier_ready
    thread_pool_co_cb ----->   current = I/O coroutine;
                               call AIO callback

But on Win32, because of the bug, the "current" being set here is the
current coroutine of the VCPU thread, not the iothread.

noinline is a good-enough workaround, and quite unlikely to break in
the future.

(Thanks to Paolo Bonzini for assistance in diagnosing the problem
and providing the detailed example/ascii art quoted above.)

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
(cherry picked from commit ff4873cb8c81db89668d8b56e19e57b852edb5f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7a3cd5ab408d06fac4e1ae6aa88b823a48db085c
      
https://github.com/qemu/qemu/commit/7a3cd5ab408d06fac4e1ae6aa88b823a48db085c
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M target-i386/cpu.c

  Log Message:
  -----------
  target-i386: Filter FEAT_7_0_EBX TCG features too

The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a
typo that was never noticed). Make the existing TCG feature filtering
code use it.

Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f)

Conflicts:
        target-i386/cpu.c

*fixed simple context mismatch

Signed-off-by: Michael Roth <address@hidden>


  Commit: 0fd14a556436386311c3c5aeeac501ce468c8df0
      
https://github.com/qemu/qemu/commit/0fd14a556436386311c3c5aeeac501ce468c8df0
  Author: Cédric Le Goater <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: byteswap virtio-net header

TCP connectivity fails when the guest has a different endianness.
The packets are silently dropped on the host by the tap backend
when they are read from user space because the endianness of the
virtio-net header is in the wrong order. These lines may appear
in the guest console:

[  454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
[  455.702554] skbuff: bad partial csum: csum=8704/4096 len=74

The issue was first spotted with a ppc64le PowerKVM guest,
but it also exists for the less common case of an x86_64 guest run
by a big-endian ppc64 TCG hypervisor.

Signed-off-by: Cédric Le Goater <address@hidden>
[ Ported from PowerKVM,
  Greg Kurz <address@hidden> ]
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 62c754e67cc5eb74a176e4de71028f1fc8638bb5
      
https://github.com/qemu/qemu/commit/62c754e67cc5eb74a176e4de71028f1fc8638bb5
  Author: Alexander Graf <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/char/virtio-serial-bus.c

  Log Message:
  -----------
  virtio-serial: don't migrate the config space

The device configuration is set at realize time and never changes. It
should not be migrated as it is done today. For the sake of compatibility,
let's just skip them at load time.

Signed-off-by: Alexander Graf <address@hidden>
[ added missing casts to uint16_t *,
  added From, SoB and commit message,
  Greg Kurz <address@hidden> ]
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit e38e943a1fa20d04deb1899be19b12aadec7a585)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3c3d8c6d19f704796de9a7873b13ba723161d3bd
      
https://github.com/qemu/qemu/commit/3c3d8c6d19f704796de9a7873b13ba723161d3bd
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M blockdev-nbd.c

  Log Message:
  -----------
  nbd: Don't export a block device with no medium.

The device is exported with erroneous values and can't be read.

Before the patch:
$ sudo nbd-client localhost -p 10809 /dev/nbd0 -name floppy0
Negotiation: ..size = 17592186044415MB
bs=1024, sz=18446744073709547520 bytes

$ sudo mount /dev/nbd0 /mnt/tmp/
mount: block device /dev/nbd0 is write-protected, mounting read-only
mount: /dev/nbd0: can't read superblock

After the patch:
(qemu) nbd_server_add ide0-hd0
(qemu) nbd_server_add floppy0
Device 'floppy0' has no medium

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 60fe4fac22895576973e317d7148b084c31cc64c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cf392d2c7c0f10adc5d9d4f740e034b646605fff
      
https://github.com/qemu/qemu/commit/cf392d2c7c0f10adc5d9d4f740e034b646605fff
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M nbd.c

  Log Message:
  -----------
  nbd: Don't validate from and len in NBD_CMD_DISC.

These values aren't used in this case.

Currently, the from field in the request sent by the nbd kernel module leads
to a false error message when ending the connection with the client.

$ qemu-nbd some.img -v
// After nbd-client -d /dev/nbd0
nbd.c:nbd_trip():L1031: From: 18446744073709551104, Len: 0, Size: 20971520,
Offset: 0
nbd.c:nbd_trip():L1032: requested operation past EOF--bad client?
nbd.c:nbd_receive_request():L638: read failed

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 8c5d1abbb79193dca8e4823ef53d8d1e650362ae)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 25351f6a9ad55990d5140a928fd6ea29e48943af
      
https://github.com/qemu/qemu/commit/25351f6a9ad55990d5140a928fd6ea29e48943af
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M blockdev-nbd.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Close socket on negotiation failure.

Otherwise, the nbd client may hang waiting for the server response.

Signed-off-by: Hani Benhabiles <address@hidden>
Acked-by: Paolo Bonzini <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 36af599417dde11747a27dc8550ff2281657a8ff)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0c60b74a0cc17a8fedb1b300b7b65ae946d917c9
      
https://github.com/qemu/qemu/commit/0c60b74a0cc17a8fedb1b300b7b65ae946d917c9
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M blockdev-nbd.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Shutdown socket before closing.

This forces finishing data sending to client before closing the socket like in
exports listing or replying with NBD_REP_ERR_UNSUP cases.

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 27e5eae4577316f7e86a56eb7363d4e78f79e3e5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 41ee91810e8ae15ac9bc84ccf358c6f425f7ba6f
      
https://github.com/qemu/qemu/commit/41ee91810e8ae15ac9bc84ccf358c6f425f7ba6f
  Author: Michael Roth <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M scripts/qapi-commands.py

  Log Message:
  -----------
  qapi: zero-initialize all QMP command parameters

In general QMP command parameter values are specified by consumers of the
QMP/HMP interface, but in the case of optional parameters these values may
be left uninitialized.

It is considered a bug for code to make use of optional parameters that have
not been flagged as being present by the marshalling code (via corresponding
has_<parameter> parameter), however our marshalling code will still pass
these uninitialized values on to the corresponding QMP function (to then
be ignored). Some compilers (clang in particular) consider this unsafe
however, and generate warnings as a result. As reported by Peter Maydell:

  This is something clang's -fsanitize=undefined spotted. The
  code generated by qapi-commands.py in qmp-marshal.c for
  qmp_marshal_* functions where there are some optional
  arguments looks like this:

      bool has_force = false;
      bool force;

      mi = qmp_input_visitor_new_strict(QOBJECT(args));
      v = qmp_input_get_visitor(mi);
      visit_type_str(v, &device, "device", errp);
      visit_start_optional(v, &has_force, "force", errp);
      if (has_force) {
          visit_type_bool(v, &force, "force", errp);
      }
      visit_end_optional(v, errp);
      qmp_input_visitor_cleanup(mi);

      if (error_is_set(errp)) {
          goto out;
      }
      qmp_eject(device, has_force, force, errp);

  In the case where has_force is false, we never initialize
  force, but then we use it by passing it to qmp_eject.
  I imagine we don't then actually use the value, but clang
  complains in particular for 'bool' variables because the value
  that ends up being loaded from memory for 'force' is not either
  0 or 1 (being uninitialized stack contents).

Fix this by initializing all QMP command parameters to {0} in the
marshalling code prior to passing them on to the QMP functions.

Signed-off-by: Michael Roth <address@hidden>
Reported-by: Peter Maydell <address@hidden>
Tested-by: Peter Maydell <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit fc13d937269c1cd01a4b7720c1dcce01722727a2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 02835d57444ce7308931b71cabbe5fb1d7d8b9eb
      
https://github.com/qemu/qemu/commit/02835d57444ce7308931b71cabbe5fb1d7d8b9eb
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M ui/vnc-enc-tight.c

  Log Message:
  -----------
  vnc: Fix tight_detect_smooth_image() for lossless case

VncTight member uint8_t quality is either (uint8_t)-1 for lossless or
less than 10 for lossy.

tight_detect_smooth_image() first promotes it to int, then compares
with -1.  Always unequal, so we always execute the lossy code.  Reads
beyond tight_conf[] and returns crap when quality is actually
lossless.

Compare to (uint8_t)-1 instead, like we do elsewhere.

Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 2e7bcdb99adbd8fc10ad9ddcf93bd2bf3c0f1f2d)
Signed-off-by: Michael Roth <address@hidden>
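The bug described above is the C integer-promotion trap: a `uint8_t` holding `(uint8_t)-1` (255) is promoted to `int` before the comparison, so `quality == -1` is always false and the lossless sentinel is mistaken for a lossy quality level, which then indexes past a 10-entry table. The code below is an added example, not code from the commit or from QEMU's `ui/vnc-enc-tight.c`; the table length and the function names are constructed for the illustration.

```c
#include <stdint.h>

/* Constructed: one tight_conf[] entry per lossy quality level 0..9.
 * Indexing it with 255 reads far beyond the end. */
#define TIGHT_CONF_LEN 10

/* Buggy check: quality is promoted to int (0..255) before the comparison,
 * so it can never equal the int -1; lossless is misclassified as lossy. */
int is_lossless_buggy(uint8_t quality)
{
    return quality == -1;
}

/* Fixed check: compare against the same value the field actually stores. */
int is_lossless_fixed(uint8_t quality)
{
    return quality == (uint8_t)-1;
}

/* Returns the tight_conf[] index the lossy path would use,
 *   -1 when the caller must take the lossless path,
 *   -2 when the computed index would read beyond tight_conf[]
 *      (the out-of-bounds read the original code performed). */
int lossy_table_index(uint8_t quality, int (*is_lossless)(uint8_t))
{
    if (is_lossless(quality)) {
        return -1;
    }
    if (quality >= TIGHT_CONF_LEN) {
        return -2;
    }
    return quality;
}
```

With `-Wextra`, GCC's `-Wtype-limits` flags the buggy comparison as always false; building with that warning enabled is a cheap way to catch this class of sentinel-vs-promotion mistake before it reaches a bounds check.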


  Commit: bb485bf2e85e134f8f7869ac2e8855adad8ee688
      
https://github.com/qemu/qemu/commit/bb485bf2e85e134f8f7869ac2e8855adad8ee688
  Author: Andreas Färber <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/sd/sdhci.c

  Log Message:
  -----------
  sdhci: Fix misuse of qemu_free_irqs()

It does a g_free() on the pointer, so don't pass a local &foo reference.

Reviewed-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit 127a4e1a51c038ec9167083b65d376dddcc64530)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 53e4895c985c7dbadd47915706c9bdfe7471aa51
      
https://github.com/qemu/qemu/commit/53e4895c985c7dbadd47915706c9bdfe7471aa51
  Author: Andreas Färber <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/arm/omap1.c
    M hw/arm/omap2.c
    M hw/arm/pxa2xx.c
    M hw/arm/spitz.c
    M hw/arm/z2.c
    M hw/core/irq.c
    M hw/dma/omap_dma.c
    M hw/ide/microdrive.c
    M hw/misc/cbus.c
    M hw/pcmcia/pxa2xx.c
    M hw/sd/omap_mmc.c
    M hw/sd/sdhci.c
    M hw/sh4/sh7750.c
    M hw/timer/omap_gptimer.c

  Log Message:
  -----------
  hw: Fix qemu_allocate_irqs() leaks

Replace qemu_allocate_irqs(foo, bar, 1)[0]
with qemu_allocate_irq(foo, bar, 0).

This avoids leaking the dereferenced qemu_irq *.

Cc: Markus Armbruster <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
[PC Changes:
 * Applied change to instance in sh4/sh7750.c
]
Signed-off-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Kirill Batuzov <address@hidden>
[AF: Fix IRQ index in sh4/sh7750.c]
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>

(cherry picked from commit f3c7d0389fe8a2792fd4c1cf151b885de03c8f62)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 14d9fb02c26133f637b3184fb4c766098e2f635e
      
https://github.com/qemu/qemu/commit/14d9fb02c26133f637b3184fb4c766098e2f635e
  Author: Le Tan <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/pci/pci.c

  Log Message:
  -----------
  pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()

In function do_pci_register_device() in file hw/pci/pci.c, move the assignment
of pci_dev->devfn to the position before the call to
pci_device_iommu_address_space(pci_dev) which will use the value of
pci_dev->devfn.

Fixes: 9eda7d373e9c691c070eddcbe3467b991f67f6bd
    pci: Introduce helper to retrieve a PCI device's DMA address space

Cc: address@hidden
Signed-off-by: Le Tan <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit efc8188e9398e54567b238b756eec2cc746cd2a4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8fde73e13858e6acd33ce5dea1e11e81ad0848af
      
https://github.com/qemu/qemu/commit/8fde73e13858e6acd33ce5dea1e11e81ad0848af
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-07-15 (Tue, 15 Jul 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  Allow mismatched virtio config-len

Commit 'virtio: validate config_len on load' restricted config_len
loaded from the wire to match the config_len that the device had.

Unfortunately, there are cases where this isn't true, the one
we found it on was the wce addition in virtio-blk.

Allow mismatched config-lengths:
   *) If the version on the wire is shorter then fine
   *) If the version on the wire is longer, load what we have space
      for and skip the rest.

(This is address@hidden's rework of what I originally posted)

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 2f5732e9648fcddc8759a8fd25c0b41a38352be6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: adba377ea7880c0aa43787fdfbadbc5f6afeaa16
      
https://github.com/qemu/qemu/commit/adba377ea7880c0aa43787fdfbadbc5f6afeaa16
  Author: Michael Roth <address@hidden>
  Date:   2014-07-21 (Mon, 21 Jul 2014)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update VERSION for 1.7.2 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/ba014af39c6f...adba377ea788
