diff --git a/0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch b/0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch
new file mode 100644
index 0000000..a4b8fa8
--- /dev/null
+++ b/0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch
@@ -0,0 +1,99 @@
+From: Peter Lieven
+Date: Thu, 30 Jun 2016 12:00:46 +0200
+Subject: [PATCH] vnc-enc-tight: use thread local storage for palette
+
+currently the color counting palette is allocated from heap, used and destroyed
+for each single subrect. Use a static palette per thread for this purpose and
+avoid the malloc and free for each update.
+
+Signed-off-by: Peter Lieven
+Reviewed-by: Paolo Bonzini
+Message-id: 1467280846-9674-1-git-send-email-pl@kamp.de
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 095497ffc66b7f031ff2a17f1e50f5cb105ce588)
+---
+ ui/vnc-enc-tight.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
+index 678c5df..877c093 100644
+--- a/ui/vnc-enc-tight.c
++++ b/ui/vnc-enc-tight.c
+@@ -349,7 +349,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+ tight_fill_palette##bpp(VncState *vs, int x, int y, \
+ int max, size_t count, \
+ uint32_t *bg, uint32_t *fg, \
+- VncPalette **palette) { \
++ VncPalette *palette) { \
+ uint##bpp##_t *data; \
+ uint##bpp##_t c0, c1, ci; \
+ int i, n0, n1; \
+@@ -396,23 +396,23 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+ return 0; \
+ } \
+ \
+- *palette = palette_new(max, bpp); \
+- palette_put(*palette, c0); \
+- palette_put(*palette, c1); \
+- palette_put(*palette, ci); \
++ palette_init(palette, max, bpp); \
++ palette_put(palette, c0); \
++ palette_put(palette, c1); \
++ palette_put(palette, ci); \
+ \
+ for (i++; i < count; i++) { \
+ if (data[i] == ci) { \
+ continue; \
+ } else { \
+ ci = data[i]; \
+- if (!palette_put(*palette, (uint32_t)ci)) { \
++ if (!palette_put(palette, (uint32_t)ci)) { \
+ return 0; \
+ } \
+ } \
+ } \
+ \
+- return palette_size(*palette); \
++ return palette_size(palette); \
+ }
+
+ DEFINE_FILL_PALETTE_FUNCTION(8)
+@@ -421,7 +421,7 @@ DEFINE_FILL_PALETTE_FUNCTION(32)
+
+ static int tight_fill_palette(VncState *vs, int x, int y,
+ size_t count, uint32_t *bg,
uint32_t *fg,
+- VncPalette **palette)
++ VncPalette *palette)
+ {
+ int max;
+
+@@ -1458,9 +1458,11 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+ }
+ #endif
+
++static __thread VncPalette color_count_palette;
++
+ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ {
+- VncPalette *palette = NULL;
++ VncPalette *palette = &color_count_palette;
+ uint32_t bg = 0, fg = 0;
+ int colors;
+ int ret = 0;
+@@ -1489,7 +1491,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ }
+ #endif
+
+- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, &palette);
++ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
+
+ #ifdef CONFIG_VNC_JPEG
+ if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
+@@ -1502,7 +1504,6 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
+ #endif
+
+- palette_destroy(palette);
+ return ret;
+ }
+
diff --git a/0066-vnc-tight-fix-regression-with-libxenstore.patch b/0066-vnc-tight-fix-regression-with-libxenstore.patch
new file mode 100644
index 0000000..3341fbe
--- /dev/null
+++ b/0066-vnc-tight-fix-regression-with-libxenstore.patch
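Review bot: With the palette moved into thread-local storage, the early `return 0; \` paths at the top of the `@@ -396` hunk run before `palette_init(palette, max, bpp)`, so the palette keeps whatever the previous subrect wrote, whereas the old code left `*palette` NULL on those paths; `send_sub_rect_jpeg()`/`send_sub_rect_nojpeg()` now always receive a non-NULL pointer and must gate on `colors` rather than on the pointer, which this hunk does not show and is worth confirming. A comment on the declaration would record that contract, e.g. `/* Per-thread scratch palette; contents are valid only when tight_fill_palette() returned > 0 */`. The 0066 hunk in this same commit keeps the lazy per-thread lifetime, so the same note applies there. `palette_init()`, `palette_put()` and the two send_sub_rect helpers are defined outside the hunk.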
@@ -0,0 +1,84 @@
+From: Peter Lieven
+Date: Fri, 15 Jul 2016 11:45:11 +0200
+Subject: [PATCH] vnc-tight: fix regression with libxenstore
+
+commit 095497ff added thread local storage for the color counting
+palette. Unfortunately, a VncPalette is about 7kB on a x86_64 system.
+This memory is reserved from the stack of every thread and it
+exhausted the stack space of a libxenstore thread.
+
+Fix this by allocating memory only for the VNC encoding thread.
+
+Fixes: 095497ffc66b7f031ff2a17f1e50f5cb105ce588
+Reported-by: Juergen Gross
+Tested-by: Juergen Gross
+Signed-off-by: Peter Lieven
+Message-id: 1468575911-20656-1-git-send-email-pl@kamp.de
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 66668d197fa40747e835e15617eda2f1bc80982f)
+---
+ ui/vnc-enc-tight.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
+index 877c093..49df85e 100644
+--- a/ui/vnc-enc-tight.c
++++ b/ui/vnc-enc-tight.c
+@@ -1458,11 +1458,17 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+ }
+ #endif
+
+-static __thread VncPalette color_count_palette;
++static __thread VncPalette *color_count_palette;
++static __thread Notifier vnc_tight_cleanup_notifier;
++
++static void vnc_tight_cleanup(Notifier *n, void *value)
++{
++ g_free(color_count_palette);
++ color_count_palette = NULL;
++}
+
+ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ {
+- VncPalette *palette = &color_count_palette;
+ uint32_t bg = 0, fg = 0;
+ int colors;
+ int ret = 0;
+@@ -1471,6 +1477,12 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ bool allow_jpeg = true;
+ #endif
+
++ if (!color_count_palette) {
++ color_count_palette = g_malloc(sizeof(VncPalette));
++ vnc_tight_cleanup_notifier.notify = vnc_tight_cleanup;
++ qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
++ }
++
+ vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
+
+ vnc_tight_start(vs);
+@@ -1491,17 +1503,19 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ }
+ #endif
+
+- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
++ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
+
+ #ifdef CONFIG_VNC_JPEG
+ if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
+- ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, palette,
+- force_jpeg);
++ ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
++ color_count_palette, force_jpeg);
+ } else {
+- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
++ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
++ color_count_palette);
+ }
+ #else
+- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
++ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
++ color_count_palette);
+ #endif
+
+ return ret;
diff --git a/0067-dma-rc4030-limit-interval-timer-reload-value.patch b/0067-dma-rc4030-limit-interval-timer-reload-value.patch
new file mode 100644
index 0000000..ceed65a
--- /dev/null
+++ b/0067-dma-rc4030-limit-interval-timer-reload-value.patch
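Review bot: The lazy allocation in the `@@ -1471` hunk, `color_count_palette = g_malloc(sizeof(VncPalette));`, would read more idiomatically as `color_count_palette = g_new(VncPalette, 1);`, which ties the allocation size to the pointer's type instead of repeating it. The new `vnc_tight_cleanup()` notifier and the per-thread `vnc_tight_cleanup_notifier` carry no comment explaining why the buffer is heap-allocated and freed at thread exit; a one-liner on the declaration, e.g. `/* Heap-allocated on first use per thread (a VncPalette is ~7kB, too large for __thread) and freed by vnc_tight_cleanup() at thread exit */`, would preserve the rationale from the commit message in the code. Whether `qemu_thread_atexit_add()` fires for every thread that can reach send_sub_rect() is not visible here and is worth confirming.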
@@ -0,0 +1,35 @@
+From: Prasad J Pandit
+Date: Wed, 12 Oct 2016 18:07:41 +0530
+Subject: [PATCH] dma: rc4030: limit interval timer reload value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The JAZZ RC4030 chipset emulator has a periodic timer and
+associated interval reload register. The reload value is used
+as divider when computing timer's next tick value. If reload
+value is large, it could lead to divide by zero error. Limit
+the interval reload value to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Tested-by: Hervé Poussineau
+Signed-off-by: Yongbok Kim
+(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
+---
+ hw/dma/rc4030.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
+index a06c235..1814ca6 100644
+--- a/hw/dma/rc4030.c
++++ b/hw/dma/rc4030.c
+@@ -459,7 +459,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
+ break;
+ /* Interval timer reload */
+ case 0x0228:
+- s->itr = val;
++ s->itr = val & 0x01FF;
+ qemu_irq_lower(s->timer_irq);
+ set_next_tick(s);
+ break;
diff --git a/0068-serial-fix-memory-leak-in-serial-exit.patch b/0068-serial-fix-memory-leak-in-serial-exit.patch
new file mode 100644
index 0000000..0d89fec
--- /dev/null
+++ b/0068-serial-fix-memory-leak-in-serial-exit.patch
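Review bot: The fix on the `case 0x0228:` line, `s->itr = val & 0x01FF;`, encodes the whole CVE-2016-8667 mitigation in an unexplained magic mask, so a reader cannot tell whether 0x1FF is the register's architectural width or just a value small enough for set_next_tick(). A named constant with a comment would record that, e.g. `s->itr = val & RC4030_ITR_MASK; /* bound the reload so set_next_tick() never divides by zero (CVE-2016-8667) */`, with the constant's derivation stated where it is defined. The hunk does not show set_next_tick(), so whether every masked value, including 0, yields a non-zero divisor there cannot be verified here and is worth confirming. rc4030_write() starts and ends outside the hunk.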
@@ -0,0 +1,37 @@
+From: Li Qiang
+Date: Wed, 4 Jan 2017 00:43:16 -0800
+Subject: [PATCH] serial: fix memory leak in serial exit
+
+The serial_exit_core function doesn't free some resources.
+This can lead memory leak when hotplug and unplug. This
+patch avoid this.
+
+Signed-off-by: Li Qiang
+Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b)
+---
+ hw/char/serial.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3998131..ebf507b 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -869,6 +869,16 @@ void serial_realize_core(SerialState *s, Error **errp)
+ void serial_exit_core(SerialState *s)
+ {
+ qemu_chr_add_handlers(s->chr, NULL, NULL, NULL, NULL);
++
++ timer_del(s->modem_status_poll);
++ timer_free(s->modem_status_poll);
++
++ timer_del(s->fifo_timeout_timer);
++ timer_free(s->fifo_timeout_timer);
++
++ fifo8_destroy(&s->recv_fifo);
++ fifo8_destroy(&s->xmit_fifo);
++
+ qemu_unregister_reset(serial_reset, s);
+ }
+
diff --git a/qemu.spec b/qemu.spec
index f0a94e2..fb82daa 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -65,7 +65,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.6.2
-Release: 7%{?rcrel}%{?dist}
+Release: 8%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
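Review bot: After `timer_free(s->modem_status_poll);` and `timer_free(s->fifo_timeout_timer);` the SerialState still holds the freed pointers, so a second serial_exit_core() call or any later touch of those fields is a double free or use-after-free rather than a no-op. Clearing them after the free, `s->modem_status_poll = NULL;` and `s->fifo_timeout_timer = NULL;`, makes the exit path idempotent, provided timer_del()/timer_free() accept NULL, which this hunk does not show. Detaching the chardev handlers first, as the new code does, looks like the right order, since a still-registered handler could presumably re-arm a timer that is about to be freed; a short comment saying so, `/* handlers first: nothing may re-arm the timers once they are freed */`, would keep the ordering from being "simplified" later.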
@@ -237,6 +237,13 @@ Patch0061: 0061-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
 Patch0062: 0062-cirrus-fix-patterncopy-checks.patch
 Patch0063: 0063-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
 Patch0064: 0064-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+# Fix xen pv graphical display failure (bz #1350264)
+Patch0065: 0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch
+Patch0066: 0066-vnc-tight-fix-regression-with-libxenstore.patch
+# CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
+Patch0067: 0067-dma-rc4030-limit-interval-timer-reload-value.patch
+# CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
+Patch0068: 0068-serial-fix-memory-leak-in-serial-exit.patch
 # documentation deps
@@ -1698,6 +1705,11 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Thu Apr 13 2017 Cole Robinson - 2:2.6.2-8
+- Fix xen pv graphical display failure (bz #1350264)
+- CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
+- CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
+
 * Wed Mar 15 2017 Cole Robinson - 2:2.6.2-7
 - CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
 - CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)