Gerd Hoffmann [Mon, 28 Aug 2017 12:29:06 +0000 (14:29 +0200)]
vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).
Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.
Jan Beulich [Wed, 21 Jun 2017 15:43:09 +0000 (16:43 +0100)]
xen/disk: don't leak stack data via response ring
Rather than constructing a local structure instance on the stack, fill
the fields directly on the shared ring, just like other (Linux)
backends do. Build on the fact that all response structure flavors are
actually identical (the old code did make this assumption too).
This is XSA-216.
Reported-by: Anthony Perard <anthony.perard@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Gerd Hoffmann [Tue, 14 Feb 2017 18:09:59 +0000 (19:09 +0100)]
cirrus/vnc: zap bitblit support from console code.
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests. It is supported by cirrus and vnc server. The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.
This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more. Any linux guest using the cirrus drm
driver doesn't. Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.
So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".
Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full). This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display. So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.
Gerd Hoffmann [Tue, 21 Feb 2017 18:54:59 +0000 (10:54 -0800)]
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
Bruce Rogers [Tue, 21 Feb 2017 18:54:38 +0000 (10:54 -0800)]
display: cirrus: ignore source pitch value as needed in blit_is_unsafe
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Message-id: 20170109203520.5619-1-brogers@suse.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Li Qiang [Thu, 9 Feb 2017 22:36:41 +0000 (14:36 -0800)]
cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: qemu-stable@nongnu.org Cc: P J P <ppandit@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
P J P [Mon, 25 Jul 2016 12:07:18 +0000 (17:37 +0530)]
virtio: error out if guest exceeds virtqueue size
A broken or malicious guest can submit more requests than the virtqueue
size permits.
The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size. This requires reusing
vring descriptors in more than one request, which is incorrect but
possible. Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.
Exit with an error if the guest provides more requests than the
virtqueue size permits. This bounds memory allocation and makes the
buggy guest visible to the user.
upstream-commit-id: afd9096eb1882f23929f5b5c177898ed231bac66 Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Paolo Bonzini [Wed, 16 Sep 2015 15:38:44 +0000 (17:38 +0200)]
trace: remove malloc tracing
The malloc vtable is not supported anymore in glib, because it broke
when constructors called g_malloc. Remove tracing of g_malloc,
g_realloc and g_free calls.
Note that, for systemtap users, glib also provides tracepoints
glib.mem_alloc, glib.mem_free, glib.mem_realloc, glib.slice_alloc
and glib.slice_free.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com>
Message-id: 1442417924-25831-1-git-send-email-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
upstream-commit-id: 98cf48f60aa4999f5b2808569a193a401a390e6a
Ian Jackson [Thu, 26 May 2016 15:21:56 +0000 (16:21 +0100)]
main loop: Big hammer to fix logfile disk DoS in Xen setups
Each time round the main loop, we now fstat stderr. If it is too big,
we dup2 /dev/null onto it. This is not a very pretty patch but it is
very simple, easy to see that it's correct, and has a low risk of
collateral damage.
There is no limit by default but can be adjusted by setting a new
environment variable.
This fixes CVE-2014-3672.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Set the default to 0 so that it won't affect non-xen installation. The
limit will be set by Xen toolstack.
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Acked-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f)
Gerd Hoffmann [Tue, 17 May 2016 08:54:54 +0000 (10:54 +0200)]
vga: add sr_vbe register set
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
writes go to sr[]. Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.
This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.
vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT
registers, to make sure the vga registers will always have the
values needed by vbe mode. This makes sure the sanity checks
applied by vbe_fixup_regs() are effective.
Without this guests can muck with shift_control, can turn on planar
vga modes or text mode emulation while VBE is active, making qemu
take code paths meant for CGA compatibility, but with the very
large display widths and heigts settable using VBE registers.
Which is good for one or another buffer overflow. Not that
critical as they typically read overflows happening somewhere
in the display code. So guests can DoS by crashing qemu with a
segfault, but it is probably not possible to break out of the VM.
When enabling vbe mode qemu will setup a bunch of vga registers to make
sure the vga emulation operates in correct mode for a linear
framebuffer. Move that code to a separate function so we can call it
from other places too.
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.
The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register. The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.
Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.
Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.
Wei Liu [Tue, 12 Apr 2016 10:43:14 +0000 (11:43 +0100)]
xenfb: use the correct condition to avoid excessive looping
In commit ac0487e1 ("xenfb.c: avoid expensive loops when prod <=
out_cons"), ">=" was used. In fact, a full ring is a legit state.
Correct the test to use ">".
xenfb.c: avoid expensive loops when prod <= out_cons
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.
Don Slutz [Mon, 30 Nov 2015 22:11:04 +0000 (17:11 -0500)]
exec: Stop using memory after free
memory_region_unref(mr) can free memory.
For example I got:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f43280d4700 (LWP 4462)]
0x00007f43323283c0 in phys_section_destroy (mr=0x7f43259468b0)
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
1023 if (mr->subpage) {
(gdb) bt
at /home/don/xen/tools/qemu-xen-dir/exec.c:1023
at /home/don/xen/tools/qemu-xen-dir/exec.c:1034
at /home/don/xen/tools/qemu-xen-dir/exec.c:2205
(gdb) p mr
$1 = (MemoryRegion *) 0x7f43259468b0
On Xen MSIs can be remapped into pirqs, which are a type of event
channels. It's mostly for the benefit of PCI passthrough devices, to
avoid the overhead of interacting with the emulated lapic.
However remapping interrupts and MSIs is also supported for emulated
devices, such as the e1000 and virtio-net.
When an interrupt or an MSI is remapped into a pirq, masking and
unmasking is done by masking and unmasking the event channel. The
masking bit on the PCI config space or MSI-X table should be ignored,
but it isn't at the moment.
As a consequence emulated devices which use MSI or MSI-X, such as
virtio-net, don't work properly (the guest doesn't receive any
notifications). The mechanism was working properly when xen_apic was
introduced, but I haven't narrowed down which commit in particular is
causing the regression.
Fix the issue by ignoring the masking bit for MSI and MSI-X which have
been remapped into pirqs.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
net: pcnet: add check to validate receive data size(CVE-2015-7504)
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Reported by: Qinghao Tang <luodalongde@gmail.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
Jason Wang [Mon, 30 Nov 2015 07:00:06 +0000 (15:00 +0800)]
pcnet: fix rx buffer overflow(CVE-2015-7512)
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.
Cc: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Gerd Hoffmann [Mon, 14 Dec 2015 08:21:23 +0000 (09:21 +0100)]
ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org Reported-by: Qinghao Tang <luodalongde@gmail.com> Tested-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
While checking r/w access in 'memory_access_is_direct' routine
a glitch in the expression leads to segmentation fault while
performing dma read operation.
net: cadence_gem: check packet size in gem_recieve
While receiving packets in 'gem_receive' routine, if Frame Check
Sequence(FCS) is enabled, it copies the packet into a local
buffer without checking its size. Add check to validate packet
length against the buffer size to avoid buffer overflow.
Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
When processing NCQ commands, AHCI device emulation prepares a
NCQ transfer object; To which an aio control block(aiocb) object
is assigned in 'execute_ncq_command'. In case, when the NCQ
command is invalid, the 'aiocb' object is not assigned, and NCQ
transfer object is left as 'used'. This leads to a use after
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
Reset NCQ transfer object to 'unused' to avoid it.
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
net: ne2000: fix bounds check in ioport operations
While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.
Reported-by: Ling Liu <liuling-it@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
P J P [Mon, 21 Dec 2015 09:43:13 +0000 (15:13 +0530)]
scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.
Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: P J P <ppandit@redhat.com>
P J P [Tue, 15 Dec 2015 06:57:54 +0000 (12:27 +0530)]
net: vmxnet3: avoid memory leakage in activate_device
Vmxnet3 device emulator does not check if the device is active
before activating it, also it did not free the transmit & receive
buffers while deactivating the device, thus resulting in memory
leakage on the host. This patch fixes both these issues to avoid
host memory leakage.
Reported-by: Qinghao Tang <luodalongde@gmail.com> Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Cc: qemu-stable@nongnu.org Signed-off-by: Jason Wang <jasowang@redhat.com>
While sending 'SetPixelFormat' messages to a VNC server,
the client could set the 'red-max', 'green-max' and 'blue-max'
values to be zero. This leads to a floating point exception in
write_png_palette while doing frame buffer updates.
Reported-by: Lian Yihan <lianyihan@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Laszlo Ersek [Tue, 19 Jan 2016 13:17:20 +0000 (14:17 +0100)]
e1000: eliminate infinite loops on out-of-bounds transfer start
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:
- the TDLEN and RDLEN registers store the total size of the descriptor
area,
- while the TDH and RDH registers store the offset (in whole tx / rx
descriptors) into the area where the transfer is supposed to start.
Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).
QEMU already contains logic to deal with bogus transfers submitted by the
guest:
- Normally, the transmit case wants to increase TDH from its initial value
to TDT. (TDT is allowed to be numerically smaller than the initial TDH
value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
that QEMU currently has here is a check against reaching the original
TDH value again -- a complete wraparound, which should never happen.
- In the receive case RDH is increased from its initial value until
"total_size" bytes have been received; preferably in a single step, or
in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
RX descriptors are skipped without receiving data, while RDH is
incremented just the same. QEMU tries to prevent an infinite loop
(processing only null RX descriptors) by detecting whether RDH assumes
its original value during the loop. (Again, wrapping from RDLEN to 0 is
normal.)
What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.
The condition that expresses this is:
xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.
This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.
Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Cc: Prasad Pandit <ppandit@redhat.com> Cc: Michael Roth <mdroth@linux.vnet.ibm.com> Cc: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Roger Pau Monne [Fri, 13 Nov 2015 17:38:06 +0000 (17:38 +0000)]
xen: fix usage of xc_domain_create in domain builder
Due to the addition of HVMlite and the requirement to always provide a
valid xc_domain_configuration_t, xc_domain_create now always takes an arch
domain config, which can be NULL in order to mimic previous behaviour.
Add a small stub called xen_domain_create that encapsulates the correct
call to xc_domain_create depending on the libxc version detected.
When processing firmware configurations, an OOB r/w access occurs
if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
Add a check to validate 's->cur_entry' to avoid such access.
xenfb: avoid reading twice the same fields from the shared page
Reading twice the same field could give the guest an attack of
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.
xen/blkif: Avoid double access to src->nr_segments
src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function. If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.
Fix it by removing the double access to src->nr_segments.
Gerd Hoffmann [Tue, 9 Jun 2015 19:08:47 +0000 (21:08 +0200)]
spice-display: fix segfault in qemu_spice_create_update
Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different. So use
separate variables for them.
P J P [Tue, 15 Sep 2015 11:16:59 +0000 (16:46 +0530)]
net: avoid infinite loop when receiving packets(CVE-2015-5278)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
P J P [Tue, 15 Sep 2015 11:10:49 +0000 (16:40 +0530)]
net: add checks to validate ring buffer pointers(CVE-2015-5279)
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.
Signed-off-by: P J P <pjp@fedoraproject.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Gerd Hoffmann [Fri, 21 Aug 2015 18:59:27 +0000 (20:59 +0200)]
vnc: fix memory corruption (CVE-2015-5225)
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative. Result is (possibly
exploitable) memory corruption. Reason for that is it uses the stride
instead of bytes per scanline to apply limits.
For the server surface is is actually fine. vnc creates that itself,
there is never any padding and thus scanline length always equals stride.
For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way. So add and use a new variable
(guest_ll) for the guest scanline length. Also rename min_stride to
line_bytes to make more clear what it actually is. Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.
Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com> Reviewed-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.
Suggested-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 17:16:59 +0000 (18:16 +0100)]
rtl8139: drop tautologous if (ip) {...} statement
The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.
Remove the if statement to reduce nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Stefan Hajnoczi [Wed, 15 Jul 2015 17:16:58 +0000 (18:16 +0100)]
rtl8139: avoid nested ifs in IP header parsing
Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.
The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Kevin Wolf [Mon, 27 Jul 2015 03:42:53 +0000 (23:42 -0400)]
ide: Clear DRQ after handling all expected accesses (CVE-2015-5154)
This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Kevin Wolf [Mon, 27 Jul 2015 03:42:53 +0000 (23:42 -0400)]
ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflowing the io_buffer.
One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.
This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Paolo Bonzini [Tue, 21 Jul 2015 06:59:39 +0000 (08:59 +0200)]
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Jan Beulich [Fri, 24 Jul 2015 09:38:28 +0000 (03:38 -0600)]
xen/HVM: atomically access pointers in bufioreq handling
The number of slots per page being 511 (i.e. not a power of two) means
that the (32-bit) read and write indexes going beyond 2^32 will likely
disturb operation. The hypervisor side gets I/O req server creation
extended so we can indicate that we're using suitable atomic accesses
where needed, allowing it to atomically canonicalize both pointers when
both have gone through at least one cycle.
The Xen side counterpart (which is not a functional prereq to this
change, albeit a build one) went in already (commit b7007bc6f9).
Since e02bc6de30c44fd668dc0d6e1cd1804f2eed3ed3, add_watch() is called
with G_IO_HUP. Even if spice-qemu-char ignores this flag, the
precondition must be changed.
The original commit fixes a bug when assigning a large number of
devices which require option roms to a guest. (One known
configuration that needs extra memory is having more than 4 emulated
NICs assigned. Three or fewer NICs seems to work without this
functionality.)
However, by unilaterally increasing maxmem, it introduces two
problems.
First, now libxl's calculation of the required maxmem during migration
is broken -- any guest which exercised this functionality will fail on
migration. (Guests which have the default number of devices are not
affected.)
Secondly, it makes it impossible for a higher-level toolstack or
administer to predict how much memory a VM will actually use, making
it much more difficult to effectively use all of the memory on a
machine.
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Fri, 5 Jun 2015 12:04:55 +0000 (13:04 +0100)]
xen/pass-through: constify some static data
This is done indirectly by adjusting two typedefs and helps emphasizing
that the respective tables aren't supposed to be modified at runtime
(as they may be shared between devices).
Jan Beulich [Mon, 8 Jun 2015 13:11:51 +0000 (14:11 +0100)]
xen/pass-through: ROM BAR handling adjustments
Expecting the ROM BAR to be written with an all ones value when sizing
the region is wrong - the low bit has another meaning (enable/disable)
and bits 1..10 are reserved. The PCI spec also mandates writing all
ones to just the address portion of the register.
Use suitable constants also for initializing the ROM BAR register field
description.
The code introduced to address XSA-126 allows simplification of other
code in xen_pt_initfn(): All we need to do is update "cmd" suitably,
as it'll be written back to the host register near the end of the
function anyway.
Petr Matousek [Sun, 24 May 2015 08:53:44 +0000 (10:53 +0200)]
pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Matt Tait <matttait@google.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: unknown PCI config space fields should be read-only
... by default. Add a per-device "permissive" mode similar to pciback's
to allow restoring previous behavior (and hence break security again,
i.e. should be used only for trusted guests).
This is part of XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>)
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: add a few PCI config space field descriptions
Since the next patch will turn all not explicitly described fields
read-only by default, those fields that have guest writable bits need
to be given explicit descriptors.
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: mark reserved bits in PCI config space fields
The adjustments are solely to make the subsequent patches work right
(and hence make the patch set consistent), namely if permissive mode
(introduced by the last patch) gets used (as both reserved registers
and reserved fields must be similarly protected from guest access in
default mode, but the guest should be allowed access to them in
permissive mode).
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: mark all PCIe capability bits read-only
xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-
only to avoid unintended write-back (just a precaution, the field ought
to be read-only in hardware).
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:08 +0000 (15:43 +0000)]
xen/pt: split out calculation of throughable mask in PCI config space handling
This is just to avoid having to adjust that calculation later in
multiple places.
Note that including ->ro_mask in get_throughable_mask()'s calculation
is only an apparent (i.e. benign) behavioral change: For r/o fields it
doesn't matter > whether they get passed through - either the same flag
is also set in emu_mask (then there's no change at all) or the field is
r/o in hardware (and hence a write won't change it anyway).
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/pt: consolidate PM capability emu_mask
There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing
PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local
emu_mask variable - we can have the same effect by setting the field
descriptor's emu_mask member suitably right away. Note that
xen_pt_pmcsr_reg_write() is being retained in order to allow later
patches to be less intrusive.
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/MSI: don't open-code pass-through of enable bit modifications
Without this the actual XSA-131 fix would cause the enable bit to not
get set anymore (due to the write back getting suppressed there based
on the OR of emu_mask, ro_mask, and res_mask).
Note that the fiddling with the enable bit shouldn't really be done by
qemu, but making this work right (via libxc and the hypervisor) will
require more extensive changes, which can be postponed until after the
security issue got addressed.
This is a preparatory patch for XSA-131.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen/MSI-X: limit error messages
Limit error messages resulting from bad guest behavior to avoid allowing
the guest to cause the control domain's disk to fill.
The first message in pci_msix_write() can simply be deleted, as this
is indeed bad guest behavior, but such out of bounds writes don't
really need to be logged.
The second one is more problematic, as there guest behavior may only
appear to be wrong: For one, the old logic didn't take the mask-all bit
into account. And then this shouldn't depend on host device state (i.e.
the host may have masked the entry without the guest having done so).
Plus these writes shouldn't be dropped even when an entry is unmasked.
Instead, if they can't be made take effect right away, they should take
effect on the next unmasking or enabling operation - the specification
explicitly describes such caching behavior. Until we can validly drop
the message (implementing such caching/latching behavior), issue the
message just once per MSI-X table entry.
Note that the log message in pci_msix_read() similar to the one being
removed here is not an issue: "addr" being of unsigned type, and the
maximum size of the MSI-X table being 32k, entry_nr simply can't be
negative and hence the conditonal guarding issuing of the message will
never be true.
This is XSA-130.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen: don't allow guest to control MSI mask register
It's being used by the hypervisor. For now simply mimic a device not
capable of masking, and fully emulate any accesses a guest may issue
nevertheless as simple reads/writes without side effects.
This is XSA-129.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Jan Beulich [Tue, 2 Jun 2015 15:43:07 +0000 (15:43 +0000)]
xen: properly gate host writes of modified PCI CFG contents
The old logic didn't work as intended when an access spanned multiple
fields (for example a 32-bit access to the location of the MSI Message
Data field with the high 16 bits not being covered by any known field).
Remove it and derive which fields not to write to from the accessed
fields' emulation masks: When they're all ones, there's no point in
doing any host write.
This fixes a secondary issue at once: We obviously shouldn't make any
host write attempt when already the host read failed.
This is XSA-128.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Petr Matousek [Wed, 6 May 2015 07:48:59 +0000 (09:48 +0200)]
fdc: force the fifo access to be in bounds of the allocated buffer
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
glib-compat: fix problems with not-quite glib 2.22
Commit 89b516d8b9444ece8ccabb322a9389587c7a7b83 ("glib: add
compatibility interface for g_get_monotonic_time()") aimed
at making qemu build with old glib versions. At least SLES11SP3,
however, contains a backport of g_get_monotonic_time() while
keeping the reported glib version at 2.22.
Let's work around this by a strategically placed #define.
Jan Beulich [Tue, 31 Mar 2015 13:58:04 +0000 (13:58 +0000)]
xen: limit guest control of PCI command register
Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses (by disabling memory and/or I/O decoding
and subsequently causing [CPU side] accesses to the respective address
ranges), which (depending on system configuration) may be fatal to the
host.
This is CVE-2015-2756 / XSA-126.
Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
Kevin Wolf [Wed, 11 Feb 2015 16:19:57 +0000 (17:19 +0100)]
vpc: Fix size in fixed image creation
If total_sectors is rounded to match the geometry, total_size needs to
be changed as well. Otherwise we end up with an image whose geometry
describes a disk larger than the image file, which doesn't end well.
Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit c7dd631d482912fd615a9ef18a0e0691e7a84836) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Kevin Wolf [Tue, 10 Feb 2015 10:17:53 +0000 (11:17 +0100)]
coroutine: Fix use after free with qemu_coroutine_yield()
Instead of using the same function for entering and exiting coroutines,
and hoping that it doesn't add any functionality that hurts with the
parameters used for exiting, we can just directly call into the real
task switch in qemu_coroutine_switch().
This fixes a use-after-free scenario where reentering a coroutine that
has yielded still accesses the old parent coroutine (which may have
meanwhile terminated) in the part of coroutine_swap() that follows
qemu_coroutine_switch().
Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 80687b4dd6f43b3fef61fef8fbcb358457350562) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Igor Mammedov [Fri, 19 Dec 2014 11:46:57 +0000 (11:46 +0000)]
pc: acpi: fix WindowsXP BSOD when memory hotplug is enabled
ACPI parser in XP considers PNP0A06 devices of CPU and
memory hotplug as duplicates. Adding unique _UID
to CPU hotplug device fixes BSOD.
Cc: qemu-stable@nongnu.org Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6d4e4cb9985e24557abcf3932a0e7f8f6ab3c1d2) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
xen-hvm: increase maxmem before calling xc_domain_populate_physmap
Increase maxmem before calling xc_domain_populate_physmap_exact to
avoid the risk of running out of guest memory. This way we can also
avoid complex memory calculations in libxl at domain construction
time.
This patch fixes an abort() when assigning more than 4 NICs to a VM.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Don Slutz <dslutz@verizon.com>
(cherry picked from commit c1d322e6048796296555dd36fdd102d7fa2f50bf) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Jun Li [Wed, 5 Nov 2014 07:03:03 +0000 (15:03 +0800)]
qdev: Avoid type assertion in qdev_build_hotpluggable_device_list()
Currently when *obj is not a TYPE_DEVICE, QEMU will abort. This patch
fixes it. When *obj is not a TYPE_DEVICE, just do not add it to hotpluggable
device list.
This patch also fixes the following issue:
1. boot QEMU using cli:
$ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
-device virtio-scsi-pci,id=scsi0
2. device_del scsi0 via hmp using tab key(first input device_del, then press
"Tab" key).
(qemu) device_del
After step 2, QEMU will abort.
(qemu) device_del hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
Object 0x5555563a2460 is not an instance of type device
Signed-off-by: Jun Li <junmuzi@gmail.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 09d560177101d2ef1e333754a25cfa49b70583b3) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Wed, 10 Dec 2014 15:56:46 +0000 (16:56 +0100)]
kvm/apic: fix 2.2->2.1 migration
The wait_for_sipi field is set back to 1 after an INIT, so it was not
effective to reset it in kvm_apic_realize. Introduce a reset callback
and reset wait_for_sipi there.
Reported-by: Igor Mammedov <imammedo@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 575a6f4082c45778b93032ef1e7fbea4467b3a2a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Leon Alrae [Mon, 26 Jan 2015 16:49:42 +0000 (16:49 +0000)]
target-mips: fix broken snapshotting
Recently added CP0.BadInstr and CP0.BadInstrP registers ended up in cpu_load()
under different offset than in cpu_save(). These and all registers between were
incorrectly restored.
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
(cherry picked from commit b40a1530f294b5fa4479dc3ca9bf46c269d08d87) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Anton D. Kachalov (1):
[intel] Add 8086:1557 card (Intel 82599 10G ethernet mezz)
Christian Hesse (1):
[build] Merge util/geniso and util/genliso
Curtis Larsen (3):
[efi] Use EFI_CONSOLE_CONTROL_PROTOCOL to set text mode if available
[efi] Report errors from attempting to disconnect existing drivers
[efi] Try various possible SNP receive filters
Dale Hamel (1):
[smbios] Expose board serial number as ${board-serial}
Florian Schmaus (1):
[build] Set GITVERSION only if there is a git repository
Hannes Reinecke (3):
[ethernet] Provide eth_random_addr() to generate random Ethernet addresses
[igbvf] Assign random MAC address if none is set
[igbvf] Allow changing of MAC address
Jan Kiszka (1):
[intel] Add I217-LM PCI ID
Marin Hannache (4):
[nfs] Fix an invalid free() when loading a symlink
[nfs] Fix an invalid free() when loading a regular (non-symlink) file
[nfs] Rewrite NFS URI handling
[readline] Add CTRL-W shortcut to remove a word
Michael Brown (144):
[profile] Allow interrupts to be excluded from profiling results
[intel] Exclude time spent in hypervisor from profiling
[build] Fix version.o dependency upon git index
[tcp] Defer sending ACKs until all received packets have been processed
[lkrnprefix] Function as a bzImage kernel
[build] Avoid errors when build directory is mounted via NFS
[undi] Apply quota only to number of complete received packets
[lkrnprefix] Make real-mode setup code relocatable
[intel] Increase receive ring fill level
[syslog] Strip invalid characters from hostname
[test] Add self-tests for strdup()
[libc] Prevent strndup() from reading beyond the end of the string
[efi] Allow for optional protocols
[efi] Make EFI_DEVICE_PATH_TO_TEXT_PROTOCOL optional
[efi] Make EFI_HII_DATABASE_PROTOCOL optional
[efi] Do not try to fetch loaded image device path protocol
[ipv6] Fix definition of IN6_IS_ADDR_LINKLOCAL()
[dhcpv6] Do not set sin6_scope_id on the unspecified client socket address
[ipv6] Do not set sin6_scope_id on source address
[ipv6] Include network device when transcribing multicast addresses
[ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()
[librm] Allow for the PIC interrupt vector offset to be changed
[ifmgmt] Do not sleep CPU while configuring network devices
[scsi] Improve sense code parsing
[iscsi] Read IPv4 settings only from the relevant network device
[iscsi] Include IP address origin in iBFT
[debug] Allow debug message colours to be customised via DBGCOL=...
[build] Expose build timestamp, build name, and product names
[efi] Allow device paths to be easily included in debug messages
[efi] Provide a meaningful EFI SNP device name
[efi] Restructure EFI driver model
[build] Fix erroneous object name in version object
[build] Add yet another potential location for isolinux.bin
[efi] Allow network devices to be created on top of arbitrary SNP devices
[autoboot] Allow autoboot device to be identified by link-layer address
[efi] Identify autoboot device by MAC address when chainloading
[efi] Attempt to start only drivers claiming support for a device
[efi] Rewrite SNP NIC driver
[efi] Include SNP NIC driver within the all-drivers target
[crypto] Add support for iPAddress subject alternative names
[crypto] Fix debug message
[netdevice] Reset network device index when last device is unregistered
[efi] Update EDK2 headers
[efi] Install our own disk I/O protocol and claim exclusive use of it
[efi] Allow for interception of boot services calls by loaded image
[efi] Print well-known GUIDs by name in debug messages
[efi] Include EFI_CONSOLE_CONTROL_PROTOCOL header
[ioapi] Fail ioremap() when attempting to map a zero bus address
[intel] Check for ioremap() failures
[realtek] Check for ioremap() failures
[vmxnet3] Check for ioremap() failures
[skel] Check for ioremap() failures
[myson] Check for ioremap() failures
[natsemi] Check for ioremap() failures
[i386] Add functions to read and write model-specific registers
[x86_64] Add functions to read and write model-specific registers
[efi] Show more diagnostic information when building with DEBUG=efi_wrap
[ioapi] Centralise notion of PAGE_SIZE
[lotest] Discard packets arriving on the incorrect network device
[xen] Import selected public headers
[xen] Add basic support for PV-HVM domains
[xen] Add support for Xen netfront virtual NICs
[efi] Default to releasing network devices for use via SNP
[efi] Unload started images only on failure
[efi] Fill in loaded image's DeviceHandle if firmware fails to do so
[efi] Fix incorrect debug message level when device has no device path
[efi] Report exact failure when unable to open the device path
[netdevice] Avoid registering duplicate network devices
[efi] Ignore failures when attempting to install SNP HII protocol
[efi] Expand the range of well-known EFI GUIDs in debug messages
[efi] Provide efi_handle_name() for debugging
[efi] Add ability to dump all openers of a given protocol on a handle
[efi] Use efi_handle_name() instead of efi_handle_devpath_text()
[efi] Use efi_handle_name() instead of efi_devpath_text() where applicable
[efi] Allow compiler to perform type checks on EFI_HANDLE
[efi] Avoid unnecessarily passing pointers to EFI_HANDLEs
[efi] Dump existing openers when we are unable to open a protocol
[efi] Dump handle information around connect/disconnect attempts
[efi] Improve debugging of the debugging facilities
[efi] Add excessive sanity checks into efi_debug functions
[efi] Also try original ComponentName protocol for retrieving driver names
[efi] Print raw device path when we have no DevicePathToTextProtocol
[efi] Add ability to dump SNP device mode information
[efi] Reset multicast filter list when setting SNP receive filters
[efi] Provide centralised definitions of commonly-used GUIDs
[efi] Open device path protocol only at point of use
[efi] Move abstract device path and handle functions to efi_utils.c
[efi] Generalise snpnet_pci_info() to efi_locate_device()
[bios] Support displaying and hiding cursor
[efi] Support displaying and hiding cursor
[readline] Ensure cursor is visible when prompting for input
[xen] Accept alternative Xen platform PCI device ID 5853:0002
[xen] Use version 1 grant tables by default
[xen] Cope with unexpected initial backend states
[smc9000] Avoid using CONFIG as a preprocessor macro
[build] Allow for named configurations at build time
[intel] Display PBS value when applying ICH errata workaround
[intel] Display before and after values for both PBS and PBA
[intel] Apply PBS/PBA errata workaround only to ICH8 PCI device IDs
[efi] Add definitions of GUIDs observed during Windows boot
[efi] Dump details of any calls to our dummy block and disk I/O protocols
[romprefix] Do not preserve unused register %di
[build] Remove obsolete references to .zrom build targets
[build] Allow ISA ROMs to be built
[build] Avoid deleting config header files if build is interrupted
[prefix] Halt system without burning CPU if we cannot access the payload
[prefix] Report both %esi and %ecx when opening payload fails
[util] Use PCI length field to obtain length of individual images
[mromprefix] Use PCI length field to obtain length of individual images
[mromprefix] Allow for .mrom images larger than 128kB
[efi] Show details of intercepted LoadImage() calls
[efi] Make our virtual file system case insensitive
[efi] Wrap any images loaded by our wrapped image
[efi] Use the SNP protocol instance to match the SNP chainloading device
[efi] Avoid returning uninitialised data from PCI configuration space reads
[efi] Make EFI_PCI_ROOT_BRIDGE_IO_PROTOCOL optional
[efi] Allow for non-PCI snpnet devices
[build] Clean up all binary directories on "make [very]clean"
[efi] Add efifatbin utility
[efi] Provide dummy device path in efi_image_probe()
[dhcp] Check for matching chaddr in received DHCP packets
[dhcp] Remove obsolete dhcp_chaddr() function
[build] Use -malign-double to build 32-bit UEFI binaries
[efi] Centralise definitions of more protocol GUIDs
[efi] Add definitions of GUIDs observed when chainloading from Intel driver
[efi] Free transmit ring entry before calling netdev_tx_complete()
[efi] Generalise snpnet_dev_info() to efi_device_info()
[efi] Update to current EDK2 headers
[efi] Add NII / UNDI driver
[efi] Check for presence of UNDI in NII protocol
[efi] Include NII driver within "snp" and "snponly" build targets
[ping] Report timed-out pings via the callback function
[ping] Allow termination after a specified number of packets
[ping] Allow "ping" command output to be inhibited
[intel] Use autoloaded MAC address instead of EEPROM MAC address
[crypto] Fix parsing of OCSP responder ID key hash
[vmxnet3] Add profiling code to exclude time spent in the hypervisor
[netdevice] Fix erroneous use of free(iobuf) instead of free_iob(iobuf)
[libc] Add ASSERTED macro to test if any assertion has triggered
[list] Add sanity checks after list-adding functions
[malloc] Tidy up debug output
[malloc] Sanity check parameters to alloc_memblock() and free_memblock()
[malloc] Check integrity of free list
[malloc] Report caller address as soon as memory corruption is detected
Peter Lemenkov (1):
[build] Check if git index actually exists
Robin Smidsrød (2):
[build] Add named configuration for VirtualBox
[build] Avoid using embedded script in VirtualBox named configuration
Sven Ulland (1):
[lacp] Set "aggregatable" flag in response LACPDU
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c246cee4eedb17ae3932d699e009a8b63240235f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Fri, 19 Dec 2014 11:53:14 +0000 (12:53 +0100)]
exec: change default exception_index value for migration to -1
In QEMU 2.2 the exception_index value was added to the migration stream
through a subsection. The default was set to 0, which is wrong and
should have been -1.
However, 2.2 does not have commit e511b4d (cpu-exec: reset exception_index
correctly, 2014-11-26), hence in 2.2 the exception_index is never used
and is set to -1 on the next call to cpu_exec. So we can change the
migration stream to make the default -1. The effects are:
- 2.2.1 -> 2.2.0: cpu->exception_index set incorrectly to 0 if it
were -1 on the source; then reset to -1 in cpu_exec. This is TCG
only; KVM does not use exception_index.
- 2.2.0 -> 2.2.1: cpu->exception_index set incorrectly to -1 if it
were 0 on the source; but it would be reset to -1 in cpu_exec anyway.
This is TCG only; KVM does not use exception_index.
- 2.2.1 -> 2.1: two bugs fixed: 1) can migrate backwards if
cpu->exception_index is set to -1; 2) should not migrate backwards
(but 2.2.0 allows it) if cpu->exception_index is set to 0
- 2.2.0 -> 2.3.0: 2.2.0 will send the subsection unnecessarily if
exception_index is -1, but that is not a problem. 2.3.0 will set
cpu->exception_index to -1 if it is 0 on the source, but this would
be anyway a problem for 2.2.0 -> 2.2.x migration (due to lack of
commit e511b4d in 2.2.x) so we can ignore it
- 2.2.1 -> 2.3.0: everything works.
In addition, play it safe and never send the subsection unless TCG
is in use. KVM does not use exception_index (PPC KVM stores values
in it for use in the subsequent call to ppc_cpu_do_interrupt, but
does not need it as soon as kvm_handle_debug returns). Xen and
qtest do not run any code for the CPU at all.
Reported-by: Igor Mammedov <imammedo@redhat.com> Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com> Tested-by: Eduardo Habkost <ehabkost@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1418989994-17244-3-git-send-email-pbonzini@redhat.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit adee64249ee37e822d578e65a765750e7f2081f6) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Fam Zheng [Mon, 19 Jan 2015 09:51:43 +0000 (17:51 +0800)]
qtest: Fix deadloop by running main loop AIO context's timers
qemu_clock_run_timers() only takes care of main_loop_tlg, we shouldn't
forget aio timer list groups.
Currently, the qemu_clock_deadline_ns_all (a few lines above) counts all
the timergroups of this clock type, including aio tlg, but we don't fire
them, so they are never cleared, which makes a dead loop.
For example, this function hangs when trying to drive throttled block
request queue with qtest clock_step.
Signed-off-by: Fam Zheng <famz@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1421661103-29153-1-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit efef88b3d9ad4325172ed288032807fa88d683cc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Wu [Tue, 23 Dec 2014 15:30:41 +0000 (16:30 +0100)]
block/iscsi: fix uninitialized variable
'ret' was never initialized in the success path.
Signed-off-by: Peter Wu <peter@lekensteyn.nl> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit debfb917a4f9c0784772c86f110f2bcd22e5a14f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Cc: <qemu-stable@nongnu.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b41112c46b93f781669c0eb89e51d3a87af6bb49) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 158ef8cbb7e0fe8bb430310924b8bebe5f186e6e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Alex Williamson [Wed, 4 Feb 2015 18:45:32 +0000 (11:45 -0700)]
vfio-pci: Fix missing unparent of dynamically allocated MemoryRegion
Commit d8d95814609e added explicit object_unparent() calls for
dynamically allocated MemoryRegions. The VFIOMSIXInfo structure also
contains such a MemoryRegion, covering the mmap'd region of a PCI BAR
above the MSI-X table. This structure is freed as part of the class
exit function and therefore also needs an explicit object_unparent().
Failing to do this results in random segfaults due to fields within
the structure, often the class pointer, being reclaimed and corrupted
by the time object_finalize_child_property() is called for the object.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: qemu-stable@nongnu.org # 2.2
(cherry picked from commit 3a4dbe6aa934370a92372528c1255ee1504965ee) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Peter Maydell [Thu, 5 Feb 2015 13:37:23 +0000 (13:37 +0000)]
target-arm/translate-a64: Fix wrong mmu_idx usage for LDT/STT
The LDT/STT (load/store unprivileged) instruction decode was using
the wrong MMU index value. This meant that instead of these insns
being "always access as if user-mode regardless of current privilege"
they were "always access as if kernel-mode regardless of current
privilege". This went unnoticed because AArch64 Linux doesn't use
these instructions.
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Greg Bellows <greg.bellows@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
I'm not counting this as a security issue because I'm assuming
nobody treats TCG guests as a security boundary (certainly I
would not recommend doing so...)
Dinar Valeev [Wed, 21 Jan 2015 22:48:41 +0000 (23:48 +0100)]
hw/input/hid.c Fix capslock hid code
When ever USB keyboard is used, e.g. '-usbdevice keyboard' pressing
caps lock key send 0x32 hid code, which is treated as backslash.
Instead it should be 0x39 code. This affects sending uppercase keys,
as they typed whith caps lock active.
While on x86 this can be workarounded by using ps/2 protocol. On
Power it is crusial as we don't have anything else than USB.
This is fixes guest automation tasts over vnc.
Signed-off-by: Dinar Valeev <dvaleev@suse.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ee4de5840ccc1072459ec68062bfb63c888a94d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Paolo Bonzini [Tue, 20 Jan 2015 16:23:48 +0000 (17:23 +0100)]
sb16: fix interrupt acknowledgement
SoundBlaster 16 emulation is very broken and consumes a lot of CPU, but a
small fix was suggested offlist and it is enough to fix some games. I
got Epic Pinball to work with the "SoundBlaster Clone" option.
The processing of the interrupt register is wrong due to two missing
"not"s. This causes the interrupt flag to remain set even after the
Acknowledge ports have been read (0x0e and 0x0f).
The line was introduced by commit 85571bc (audio merge (malc), 2004-11-07),
but the code might have been broken before because I did not look closely
at the huge patches from 10 years ago.
Reported-by: Joshua Bair <j_bair@bellsouth.net> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 9939375c282a0f97afa69dc6799d3c77aaf7d544) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
projects / qemu-upstream-4.6-testing.git / log