Ian Jackson [Thu, 12 Feb 2009 11:05:55 +0000 (11:05 +0000)]
Avoid trusting client-controlled areas of xenstore.
Various parts of xenstore, specifically /local/GUEST/devices, are
writeable by the guest. Information from these areas must be used
with care, to avoid the guest tricking qemu-dm into improperly using
its privileged access to dom0 resources.
To this end:
* Variables and functions referring to client-controlled data have
had `danger' added to their names.
* There is a new sanitisation/checking arrangement for getting
backend paths and information about the configuration of device
backends, given the frontend information. This is so that when
qemu is providing a data path which is parallel to the PV
frontend/backend arrangements, it only uses the configuration from
a genuine backend which is really configured to serve qemu's own
guest.
* For information which should be read from or written to the `vm'
tree, we obtain the guest's uuid from the hypervisor (the `label'
as the hypercall interface calls it) rather than reading it from
the guest-controlled areas of xenstore.
* The `phantom vbd' feature is disabled. It relies on
guest-controlled xenstore areas indicating device paths on the
guest. We do not believe this feature is currently very relevant.
* We _do_ allow the guest of a stubdom qemu to mess up the
correspondence between pv backends and emulated devices, in the
sense that we don't mind if the guest directs qemu to use a `wrong'
frontend.
Ian Jackson [Wed, 1 Oct 2008 12:54:16 +0000 (13:54 +0100)]
hw/serial.c: Avoid integer multiply overflow in token generation calculation
If calls to serial_get_token are too far apart then delta.tv_sec may
be too large to multiply by 1E9. So we clamp delta to 2s.
(cherry picked from commit d2807803a5ba22003155ed50802f7c4e92c8ddd7)
Ian Jackson [Wed, 17 Dec 2008 11:39:21 +0000 (11:39 +0000)]
stubdom: Fix live migration of HVM domain
Live-migration fails because stubdom-dm doesn't respond to the request
from xc_save for the logdirty bitmap segment. The attached patch
simply generated from old ioemu tree will fix the issue, then.
Ian Jackson [Wed, 10 Dec 2008 15:30:49 +0000 (15:30 +0000)]
Always treat floppy images as raw
The fix for the image format guessing vulnerability breaks raw floppy
images. In our environment it is difficult to apply the same
configuration change as envisaged upstream, so instead we arrange to
always treat a floppy image as raw.
Two-line patch supplied by James Harper <james.harper@bendigoit.com.au> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
(cherry picked from commit f2ce5c35f60bb606bd3ddb55c361bb8a9aad5c5c)
Ian Jackson [Thu, 27 Nov 2008 12:01:00 +0000 (12:01 +0000)]
cirrus vga save/restore and lfb_addr/lfb_end
Cirrus VGA save and restore functions cast lfb_addr into an uint64_t
pointer while lfb_addr is only an unsigned long.
Same thing happened to lfb_end, causing pci_dev to be partially
overwritten by mistake.
Ian Jackson [Wed, 26 Nov 2008 17:18:19 +0000 (17:18 +0000)]
Contain MSI errors in msi emulation code
If msi=0 is specified and guest want to enable msi, qemu finds it can
not enable it and quits. (This problem is not appicable for xen
unstable since the "msi=x" switch is removed.) This patch let these
cases be handled inside msi emulation code. If qemu can not enable
msi, guest will not receive MSI. But Qemu can still go on. But if
guest driver does not test MSI's functionality, guest device will stop
to function.
Submitted-By: Haitao Shan Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Original patch by Zhang xiantao <xiantao.zhang@intel.com> Signed-off-by: KUWAMURA Shin'ya <kuwa@jp.fujitsu.com>
(cherry picked from commit 6bb40e81b938beb53eb4102cdfae03dd79edbf13)
Ian Jackson [Wed, 26 Nov 2008 14:14:06 +0000 (14:14 +0000)]
vnc and xenfb integer overflow and division by zero vuln fixes
row_stride_div0.patch: a malicious frontend can send row_stride==0 and force
qemu-dm to perform division by 0
vnc_resize_doublecheck.patch: there is an unchecked multiplication when
calculating framebuffer size. Cs 17630 sanitizes framebuffer dimensions
passed by the frontend, so most probably no integer overflow can happen, but
there should be a check for overflow close to the actual computation (to
make code review easier and to cope with other codepaths in the future).
(Patches submitted by Rafal Wojtczuk <rafal@invisiblethingslab.com>
against xen-3.2 ioemu; adapted for xen-unstable by Ian Jackson and also
edited to actually compile and do be correct.)
Contributed-by: Rafal Wojtczuk <rafal@invisiblethingslab.com> Modified-by: Ian Jackson <ian.jackson@eu.citrix.com> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cherry picked from xen-unsstable a83c1174b942d0f0f0e05927eb5b69fe8489b7ab
PLUS
vnc integer overflow check fix overzealous zero checking
In a83c1174b942d0f0f0e05927eb5b69fe8489b7ab, we arranged to avoid
integer overflow and calls to realloc(nonzero,0). However
vs->depth==0 is legitimate on entry to vnc_dpy_resize_shared.
We need to move the check for vs->depth until after vnc_colourdepth.
Ian Jackson [Wed, 3 Sep 2008 10:26:06 +0000 (11:26 +0100)]
support PCI Express Capability Structure version 1
Suppport PCI Express Capability Structure version 1. The format of
PCI Express Capability Structure is different between version 1 and
version 2. Current code supports only version 2. This might cause
conflict with other capability structure if device implement
version 1.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
although this was probably a mistake; it should have been committed
separately. In any case we cherry pick that half of the change now.
Ian Jackson [Tue, 9 Sep 2008 13:02:03 +0000 (14:02 +0100)]
Fix map cache low/high/low bug
This small patch fixes an issue leading to a crash (segfault, although
with earlier changesets I was seeing sigbus - not sure what changed)
in qemu-dm when the following conditions occur:
1. A valid mapping for a bucket on a low address exists
2. Immediately after accessing memory mapped in this bucket, an access
occurs to a high (beyond assigned ram) address beyond the 1GB limit
for 32bit map cache wrapping around to the previous bucket's entry
number.
3. The next call to map cache again accesses the low address.
In this scenario, the guest mem for the low bucket has been unmapped
by the remap_bucket caused by 2., but because the valid_mapping
bit-test fails, map_cache returns before last_address_index has been
updated. The subsequent call to map_cache therefore never remaps the
low, valid bucket and instead returns a vaddr pointing to memory that
has failed to get mapped.
Ian Jackson [Fri, 5 Sep 2008 09:32:49 +0000 (10:32 +0100)]
fix offset of MSI-X memory mapped table.
This patch fixes offset of MSI-X memory mapped table.
Current code does not set dev->msix->table_off variable.
The offset of MSI-X memory mapped table is treated as 0.
The wrong region is unmapped from guest physical memory space.
As a result, guest device driver can't access memory mapped resource.
The patch fixes this issue. My MegaRAID SAS assigned to guest domain
becomes working with the patch.
Ian Jackson [Fri, 15 Aug 2008 10:38:06 +0000 (11:38 +0100)]
Try to fix USB HID and make the HID reports readable.
Decode HID report Items in the comments.
Invert mouse wheel direction as per Alexander Graf's report and as we already do in the tablet.
Clamp the Relative values to -127:127 as we claimed in the HID descriptors.
Ian Jackson [Fri, 1 Aug 2008 16:15:24 +0000 (17:15 +0100)]
Fix medium change device lookup.
Previously, medium change notifications would be handled with respect
to the wrong emulated disk drive. This would make many configurations
(particularly ones with CDs and many hard disks) break. (A medium
change notification occurs at the start for every removeable device.)
Thanks to Haicheng Li at Intel for the report,
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1314
Keir Fraser [Fri, 1 Aug 2008 09:06:13 +0000 (10:06 +0100)]
passthrough: fix flag for expansion rom base address register.
pt_bar_reg_parse() is called for expansion rom base address register.
Currently it returns PT_BAR_FLAG_MEM if bit 0 is 0. It returns
PT_BAR_FLAG_IO if bit 0 is 1.
But bit 0 in expansion rom base address register is enable bit. If bit
0 is 1 for some reason, it returns PT_BAR_FLAG_IO. Expansion rom is
mapped to memory space. It should return PT_BAR_FLAG_MEM.
After applying this patch, it returns PT_BAR_FLAG_MEM regardless
of bit 0, when it is called for expansion rom base address register.
Keir Fraser [Fri, 1 Aug 2008 09:05:36 +0000 (10:05 +0100)]
passthrough: fix corrupting register value in pt_pci_write_config().
I forgot to shift value read from real device. If the emulated register offset
is not aligned with 4 byte, the write emulation will not be handled well
because of corrupting register value read from real device.
The patch fixes this issue.
Keir Fraser [Fri, 1 Aug 2008 09:04:39 +0000 (10:04 +0100)]
passthru: fix libpci error handling.
libpci returns ALL F when error occurs. Currently, if libpci returns ALL
F, emulation stops. But it is possible that the field of real register
which is read by guest software is ALL F.
After applying this patch, if libpci returns ALL F, ioemu will log
warning message and continue the emulation.
Keir Fraser [Fri, 1 Aug 2008 09:01:05 +0000 (10:01 +0100)]
passthrough: fix writing handlers for base address registers.
- Current implementation can not work fine when base address registers
are accessed via 1 byte write access and 2 byte write access. This
patch enables them.
- Currently guest software can set address which is not aligned
with resource size and page size. The patch does not allow guest
software to set unaligned address.
Ian Jackson [Wed, 30 Jul 2008 15:46:30 +0000 (16:46 +0100)]
fix SDL mouse events processing
This fixes SDL mouse events processing:
- GetRelativeMouseState() always returns the last position, so when the
polling loop gets several mouse events in one go, we would send
useless 'no move' events, let's avoid that.
- So as to make sure we don't miss any mouse click / double click, we
should not use GetRelativeMouseState() to get the button state, but
rather keep records of the button state ourselves (I've requested SDL
developers to provide it directly in the event in SDL 1.3).
- bev->state doesn't contain the button state but whether the event is a press
or a release. Use bev->button instead.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Ian Jackson [Wed, 30 Jul 2008 11:06:29 +0000 (12:06 +0100)]
Use fd signal trick to break us out of select; do not sigwait
* The sigwait approach to detecting aio does not work because some
versions of glibc forget to block signals on the private aio thread.
This means that blocking SIGUSR2 is ineffective; the signals can be
lost and the program can block in sigwait (!)
* Use of SIGUSR2 to interrupt select() does not work because signals
which arrive just before entry to select() do not interrupt it.
So instead we use the time-honoured self-pipe trick: in the signal
handler we write to a pipe, which we select on when we want to wait
for the signal, and which we read from (to empty out) just before
actually doing the `top half' processing which deals with the condition
to which the signal relates.
Following discussion on xen-devel and elsewhere, we have concluded
that the real problem here was that the S3 resume flag was in the ROM
memory region rather than the EBDA. This has been fixed in
xen-unstable 18120.
We can therefore keep the whole of the ROM/BIOS area readonly.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 22 Jul 2008 15:28:06 +0000 (16:28 +0100)]
Nicer fix for spurious messages from configure when GCC3 is missing.
This reverts b5123e05cce4be4c6c8c822fad0f0df4c053da06 and replaces it
with a nice simple change, namely to change test ... -a ... with
test ... && test ... . That provides shortcut evaluation.
Thanks to Andre Przywara who provided this one-line change as an
update to the previous commit.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 22 Jul 2008 15:23:47 +0000 (16:23 +0100)]
Pass --disable-gfx-check to allow VNC-only builds.
Qemu upstream inexplicably falls over during configuration if you will
be forced to use VNC for graphics, as if that were somehow an
unreasonable thing to do. So hit that check on the head.
Thanks to Christoph Egger for the report.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Tue, 22 Jul 2008 14:49:52 +0000 (15:49 +0100)]
Fix HVM direct kernel booting.
This was broken during the merge with qemu upstream.
Fixes:
* Properly update kernel loading address so that qemu actually
loads the kernel where we want it.
* Use 0x200000 not 0x20000 as the updated kernel loading address.
* Use stl_phys(real_addr+0x214,) rather than stl_p(header+0x214,),
as the header has already been copied into target memory so we
need to update it there.
Ian Jackson [Tue, 22 Jul 2008 10:52:24 +0000 (11:52 +0100)]
pci passthrough changes ported across from xen-unstable by Yuji Shimada
The patch contains following patches which have been applied to Xen
Unstable Changeset 17959-18076.
pci_config_passthrough_with_msi_msix.patch
[Xen-devel] [PATCH] Support more Capability Structures (including
MSI/MSI-X) and Device Specific Registers for pt device.
Yuji Shimada <shimada-yxb@necst.nec.co.jp>
Fri, 04 Jul 2008 15:26:52 +0900
fix_pt_iomap.patch
Re: [Xen-devel] [PATCH] Support more Capability Structures
(including MSI/MSI-X) and Device Specific Registers for pt device.
NISHIGUCHI Naoki <nisiguti@jp.fujitsu.com>
Tue, 08 Jul 2008 14:14:55 +0900
Ian Jackson [Fri, 18 Jul 2008 13:28:52 +0000 (14:28 +0100)]
Do not disturb old fd flags (eg O_APPEND) when setting nonblock.
socket_set_nonblock should not unconditionally call
fcntl(,F_SETFL,O_NONBLOCK) because that would clear other flags which
might be intentionally set on the fd.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 18 Jul 2008 13:24:17 +0000 (14:24 +0100)]
Always use nonblocking mode for qemu_chr_open_fd.
The rest of qemu assumes that IO operations on a CharDriverState do
not block. Currently there are a couple of cases where such a driver
was set up but the calls to set nonblocking mode were missing:
* qemu_chr_open_pty
* qemu_chr_open_pipe
* qemu_chr_open_stdio
This is fixed by adding two calls to socket_set_nonblock to
qemu_chr_open_fd.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Ian Jackson [Fri, 18 Jul 2008 13:33:07 +0000 (14:33 +0100)]
ide: enable single word DMA
Windows XP doesn't enable DMA by default on dvd-rom devices emulated by QEMU.
Furthermore if I try to manually enable DMA using Device Manager, the
DMA mode chosen by Windows is inexplicably one of the few modes
unsupported by QEMU: single word mode 2.
Since on virtual hardware single word DMA is not really slower than
multi word DMA, it makes sense for QEMU to support single word dma as
well.
This patch does exactly this. We also make sure that mdma is
deactivated when sdma is active and vice versa.
This has various compatibility problems, including breaking
restoration of old images. It is also likely that we will want to
increase this amount in the future.
projects / qemu-xen-3.3-testing.git / log