From f8e0147e554a33596d5f0fbb444d4f78022241c3 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Dec 07 2016 21:23:31 +0000
Subject: update to xen-4.8.0 add armv7hl and aarch64 builds (experimental in Fedora) qemu: Divide by zero vulnerability in cirrus_do_copy Qemu: 9pfs: memory leakage via proxy/handle callbacks
---
diff --git a/.gitignore b/.gitignore
index 118644d..d2447ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz
 pciutils-2.2.9.tar.bz2
 zlib-1.2.3.tar.gz
 polarssl-1.1.4-gpl.tgz
-/xen-4.7.1.tar.gz
+/xen-4.8.0.tar.gz
diff --git a/qemu.CVE-2016-1922.patch b/qemu.CVE-2016-1922.patch
deleted file mode 100644
index b4940f3..0000000
--- a/qemu.CVE-2016-1922.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Prasad J Pandit
-
-When I/O port write operation is called from hmp interface,
-'current_cpu' remains null, as it is not called from cpu_exec()
-loop. This leads to a null pointer dereference in vapic_write
-routine. Add check to avoid it.
-
-Reported-by: Ling Liu
-Signed-off-by: Prasad J Pandit
-Message-Id:
-Signed-off-by: Paolo Bonzini
----
- hw/i386/kvmvapic.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c6d34b2..f0922da 100644
---- a/tools/qemu-xen/hw/i386/kvmvapic.c
-+++ b/tools/qemu-xen/hw/i386/kvmvapic.c
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
- unsigned int size)
- {
-- CPUState *cs = current_cpu;
-- X86CPU *cpu = X86_CPU(cs);
-- CPUX86State *env = &cpu->env;
-- hwaddr rom_paddr;
- VAPICROMState *s = opaque;
-+ X86CPU *cpu;
-+ CPUX86State *env;
-+ hwaddr rom_paddr;
-
-- cpu_synchronize_state(cs);
-+ if (!current_cpu) {
-+ return;
-+ }
-+
-+ cpu_synchronize_state(current_cpu);
-+ cpu = X86_CPU(current_cpu);
-+ env = &cpu->env;
-
- /*
- * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
---
-1.8.3.1
diff --git a/qemu.CVE-2016-2198.patch b/qemu.CVE-2016-2198.patch
deleted file mode 100644
index 7fd10dc..0000000
--- a/qemu.CVE-2016-2198.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Prasad J Pandit
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz
-Signed-off-by: Prasad J Pandit
----
- hw/usb/hcd-ehci.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index c40013e..b08ff62 100644
---- a/tools/qemu-xen/hw/usb/hcd-ehci.c
-+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
-@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
- return s->caps[addr];
- }
-
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
- static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
- unsigned size)
- {
-@@ -2313,6 +2318,7 @@ static void ehci_frame_timer(void *opaque)
-
- static const MemoryRegionOps ehci_mmio_caps_ops = {
- .read = ehci_caps_read,
-+ .write = ehci_caps_write,
- .valid.min_access_size = 1,
- .valid.max_access_size = 4,
- .impl.min_access_size = 1,
---
-2.5.0
diff --git a/qemu.CVE-2016-2391.patch b/qemu.CVE-2016-2391.patch
deleted file mode 100644
index 9ec9ab9..0000000
--- a/qemu.CVE-2016-2391.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Tue, 16 Feb 2016 15:15:04 +0100
-Subject: [PATCH] ohci timer fix
-
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/hcd-ohci.c | 31 +++++--------------------------
- 1 file changed, 5 insertions(+), 26 deletions(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hc d-ohci.c
-index bed55dd..3d1270d 100644
---- a/tools/qemu-xen/hw/usb/hcd-ohci.c
-+++ b/tools/qemu-xen/hw/usb/hcd-ohci.c
-@@ -1347,16 +1347,6 @@ static void ohci_frame_boundary(void *opaque)
- */
- static int ohci_bus_start(OHCIState *ohci)
- {
-- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-- ohci_frame_boundary,
-- ohci);
--
-- if (ohci->eof_timer == NULL) {
-- trace_usb_ohci_bus_eof_timer_failed(ohci->name);
-- ohci_die(ohci);
-- return 0;
-- }
--
- trace_usb_ohci_start(ohci->name);
-
- ohci_sof(ohci);
-@@ -1373,11 +1363,7 @@ static int ohci_bus_start(OHCIState *ohci)
- static void ohci_bus_stop(OHCIState *ohci)
- {
- trace_usb_ohci_stop(ohci->name);
-- if (ohci->eof_timer) {
-- timer_del(ohci->eof_timer);
-- timer_free(ohci->eof_timer);
-- }
-- ohci->eof_timer = NULL;
-+ timer_del(ohci->eof_timer);
- }
-
- /* Sets a flag in a port status register but only set it if the port is
-@@ -1907,6 +1893,9 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
- usb_packet_init(&ohci->usb_packet);
-
- ohci->async_td = 0;
-+
-+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-+ ohci_frame_boundary, ohci);
- }
-
- #define TYPE_PCI_OHCI "pci-ohci"
-@@ -2041,23 +2030,13 @@ static bool ohci_eof_timer_needed(void *opaque)
- {
- OHCIState *ohci = opaque;
-
-- return ohci->eof_timer != NULL;
--}
--
--static int ohci_eof_timer_pre_load(void *opaque)
--{
-- OHCIState *ohci = opaque;
--
-- ohci_bus_start(ohci);
--
-- return 0;
-+ return timer_pending(ohci->eof_timer);
- }
-
- static const VMStateDescription vmstate_ohci_eof_timer = {
- .name = "ohci-core/eof-timer",
- .version_id = 1,
-
.minimum_version_id = 1,
-- .pre_load = ohci_eof_timer_pre_load,
- .needed = ohci_eof_timer_needed,
- .fields = (VMStateField[]) {
- VMSTATE_TIMER_PTR(eof_timer, OHCIState),
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-2392.patch b/qemu.CVE-2016-2392.patch
deleted file mode 100644
index ef71bea..0000000
--- a/qemu.CVE-2016-2392.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Prasad J Pandit
-
-When processing remote NDIS control message packets, the USB Net
-device emulator checks to see if the USB configuration descriptor
-object is of RNDIS type(2). But it does not check if it is null,
-which leads to a null dereference error. Add check to avoid it.
-
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/usb/dev-network.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index ba3c7a7..180adce 100644
---- a/tools/qemu-xen/hw/usb/dev-network.c
-+++ b/tools/qemu-xen/hw/usb/dev-network.c
-@@ -653,7 +653,8 @@ typedef struct USBNetState {
-
- static int is_rndis(USBNetState *s)
- {
-- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
-+ return s->dev.config ?
-+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
- }
-
- static int ndis_query(USBNetState *s, uint32_t oid,
---
-2.5.0
diff --git a/qemu.CVE-2016-2538.patch b/qemu.CVE-2016-2538.patch
deleted file mode 100644
index 07e8089..0000000
--- a/qemu.CVE-2016-2538.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Prasad J Pandit
-
-When processing remote NDIS control message packets,
-the USB Net device emulator uses a fixed length(4096) data buffer.
-The incoming informationBufferOffset & Length combination could
-overflow and cross that range. Check control message buffer
-offsets and length to avoid it.
-
-Reported-by: Qinghao Tang
-Signed-off-by: Prasad J Pandit
----
- hw/usb/dev-network.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-Update as per review
-
-> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03475.html
-
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
-index 8a4ff49..180adce 100644
---- a/tools/qemu-xen/hw/usb/dev-network.c
-+++ b/tools/qemu-xen/hw/usb/dev-network.c
-@@ -915,8 +915,9 @@ static int rndis_query_response(USBNetState *s,
-
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
- buflen = le32_to_cpu(buf->InformationBufferLength);
-- if (bufoffs + buflen > length)
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
- return USB_RET_STALL;
-+ }
-
- infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen, infobuf,
-@@ -961,8 +962,9 @@ static int rndis_set_response(USBNetState *s,
-
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
- buflen = le32_to_cpu(buf->InformationBufferLength);
-- if (bufoffs + buflen > length)
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
- return USB_RET_STALL;
-+ }
-
- ret = ndis_set(s, le32_to_cpu(buf->OID),
- bufoffs + (uint8_t *) buf, buflen);
-@@ -1212,8 +1214,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
- if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
- uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
- uint32_t size = le32_to_cpu(msg->DataLength);
-- if (offs + size <= len)
-+ if (offs < len && size < len && offs + size <= len) {
- qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
-+ }
- }
- s->out_ptr
-= len;
- memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
---
-2.5.0
diff --git a/qemu.CVE-2016-2841.patch b/qemu.CVE-2016-2841.patch
deleted file mode 100644
index a49d10e..0000000
--- a/qemu.CVE-2016-2841.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Prasad J Pandit
-
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
-bytes to process network packets. Registers PSTART & PSTOP
-define ring buffer size & location. Setting these registers
-to invalid values could lead to infinite loop or OOB r/w
-access issues. Add check to avoid it.
-
-Reported-by: Yang Hongke
-Signed-off-by: Prasad J Pandit
----
- hw/net/ne2000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Update per review:
-
-> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index b032212..ced4666 100644
---- a/tools/qemu-xen/hw/net/ne2000.c
-+++ b/tools/qemu-xen/hw/net/ne2000.c
-@@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s)
- {
- int avail, index, boundary;
-
-+ if (s->stop <= s->start) {
-+ return 1;
-+ }
-+
- index = s->curpag << 8;
- boundary = s->boundary << 8;
- if (index < boundary)
---
-2.5.0
diff --git a/qemu.CVE-2016-2857.patch b/qemu.CVE-2016-2857.patch
deleted file mode 100644
index d6c108c..0000000
--- a/qemu.CVE-2016-2857.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Prasad J Pandit
-
-While computing IP checksum, 'net_checksum_calculate' reads
-payload length from the packet. It could exceed the given 'data'
-buffer size. Add a check to avoid it.
-
-Reported-by: Liu Ling
-Signed-off-by: Prasad J Pandit
----
- net/checksum.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-Update as per review:
-
-> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg06121.html
-
-diff --git a/net/checksum.c b/net/checksum.c
-index 14c0855..0942437 100644
---- a/tools/qemu-xen/net/checksum.c
-+++ b/tools/qemu-xen/net/checksum.c
-@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
- int hlen, plen, proto, csum_offset;
- uint16_t csum;
-
-+ /* Ensure data has complete L2 & L3 headers. */
-+ if (length < 14 + 20) {
-+ return;
-+ }
-+
- if ((data[14] & 0xf0) != 0x40)
- return; /* not IPv4 */
- hlen = (data[14] & 0x0f) * 4;
-@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
- return;
- }
-
-- if (plen < csum_offset+2)
-- return;
-+ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
-+ return;
-+ }
-
- data[14+hlen+csum_offset] = 0;
- data[14+hlen+csum_offset+1] = 0;
---
-2.5.0
diff --git a/qemu.CVE-2016-4002.patch b/qemu.CVE-2016-4002.patch
deleted file mode 100644
index 129bae9..0000000
--- a/qemu.CVE-2016-4002.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Prasad J Pandit
-
-When receiving packets over MIPSnet network device, it uses
- receive buffer of size 1514 bytes. In case the controller
-accepts large(MTU) packets, it could lead to memory corruption.
-Add check to avoid it.
-
-Reported by: Oleksandr Bazhaniuk
-
-Signed-off-by: Prasad J Pandit
----
- tools/qemu-xen/hw/net/mipsnet.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/tools/qemu-xen/hw/net/mipsnet.c b/tools/qemu-xen/hw/net/mipsnet.c
-index f261011..e134b31 100644
---- a/tools/qemu-xen/hw/net/mipsnet.c
-+++ b/tools/qemu-xen/hw/net/mipsnet.c
-@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
- if (!mipsnet_can_receive(nc))
- return 0;
-
-+ if (size >= sizeof(s->rx_buffer)) {
-+ return 0;
-+ }
- s->busy = 1;
-
- /* Just accept everything. */
---
-2.5.5
-
diff --git a/qemu.CVE-2016-4037.patch b/qemu.CVE-2016-4037.patch
deleted file mode 100644
index b19df5f..0000000
--- a/qemu.CVE-2016-4037.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-------------------------------------------------------------------------
-*From*: Gerd Hoffmann
-*Subject*: [Qemu-devel] [PATCH 1/2] ehci: apply limit to itd/sidt
-descriptors
-*Date*: Mon, 18 Apr 2016 11:27:22 +0200
-
-------------------------------------------------------------------------
-
-Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
-DoS by the guest (create a circular itd queue and let qemu ehci
-emulation run in circles forever). Unfortunaly this has two problems:
-First it misses the case of sitds, and second it reportly breaks
-freebsd.
-
-So lets go for a different approach: just count the number of itds and
-sitds we have seen per frame and apply a limit. That should really
-catch all cases now.
-
-Signed-off-by: Gerd Hoffmann
----
- hw/usb/hcd-ehci.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
-index 159f58d..923f110 100644
---- a/tools/qemu-xen/hw/usb/hcd-ehci.c
-+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
-@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
- static void ehci_advance_state(EHCIState *ehci, int async)
- {
- EHCIQueue *q = NULL;
-+ int idt_count = 0;
- int again;
-
- do {
-@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
-
- case EST_FETCHITD:
- again = ehci_state_fetchitd(ehci, async);
-+ idt_count++;
- break;
-
- case EST_FETCHSITD:
- again = ehci_state_fetchsitd(ehci, async);
-+ idt_count++;
- break;
-
- case EST_ADVANCEQUEUE:
-@@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async)
- ehci_reset(ehci);
- again = 0;
- }
-+
-+ /* limit the amout of idts we are willing to process each frame */
-+ if (idt_count > 16) {
-+ again = 0;
-+ }
- }
- while (again);
- }
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-4439.patch b/qemu.CVE-2016-4439.patch
deleted file mode 100644
index 61060d4..0000000
--- a/qemu.CVE-2016-4439.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-------------------------------------------------------------------------
-*From*: P J P
-*Subject*: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length
-before write(CVE-2016-4439)
-*Date*: Thu, 19 May 2016 16:09:30 +0530
-
-------------------------------------------------------------------------
-
-From: Prasad J Pandit
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer. While
-writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
-was missing to validate input length. Add check to avoid OOB write
-access.
-
-Fixes CVE-2016-4439
-Reported-by: Li Qiang
-
-Signed-off-by: Prasad J Pandit
----
- hw/scsi/esp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c
-index 8961be2..01497e6 100644
---- a/tools/qemu-xen/hw/scsi/esp.c
-+++ b/tools/qemu-xen/hw/scsi/esp.c
-@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
- break;
- case ESP_FIFO:
- if (s->do_cmd) {
-- s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ if (s->cmdlen < TI_BUFSZ) {
-+ s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ } else {
-+ trace_esp_error_fifo_overrun();
-+ }
- } else if (s->ti_size == TI_BUFSZ - 1) {
- trace_esp_error_fifo_overrun();
- } else {
---
-2.5.5
-
diff --git a/qemu.CVE-2016-4441.patch b/qemu.CVE-2016-4441.patch
deleted file mode 100644
index 7f8c1fa..0000000
--- a/qemu.CVE-2016-4441.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-------------------------------------------------------------------------
-*From*: P J P
-*Subject*: [Qemu-devel] [PATCH 2/2] scsi: check dma length before
-reading scsi command(CVE-2016-4441)
-*Date*: Thu, 19 May 2016 16:09:31 +0530
-
-------------------------------------------------------------------------
-
-From: Prasad J Pandit
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-
-Fixes CVE-2016-4441
-Reported-by: Li Qiang
-
-Signed-off-by: Prasad J Pandit
----
- hw/scsi/esp.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c
-index 01497e6..591c817 100644
---- a/tools/qemu-xen/hw/scsi/esp.c
-+++ b/tools/qemu-xen/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
- }
- }
-
--static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
- uint32_t dmalen;
- int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
- dmalen = s->rregs[ESP_TCLO];
- dmalen |= s->rregs[ESP_TCMID] << 8;
- dmalen |= s->rregs[ESP_TCHI] << 16;
-+ if (dmalen > buflen) {
-+ return 0;
-+ }
- s->dma_memory_read(s->dma_opaque, buf, dmalen);
- } else {
- dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
- s->dma_cb = handle_satn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len)
- do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
- s->dma_cb = handle_s_without_atn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len) {
- do_busid_cmd(s, buf, 0);
- }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
- s->dma_cb = handle_satn_stop;
- return;
- }
-- s->cmdlen = get_cmd(s, s->cmdbuf);
-+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
- if (s->cmdlen) {
- trace_esp_handle_satn_stop(s->cmdlen);
- s->do_cmd = 1;
---
-2.5.5
-
diff --git a/qemu.CVE-2016-4453.patch b/qemu.CVE-2016-4453.patch
deleted file mode 100644
index 4638c6c..0000000
--- a/qemu.CVE-2016-4453.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-------------------------------------------------------------------------
-*From*: Gerd Hoffmann
-*Subject*: [Qemu-devel] [PATCH 4/4] vmsvga: don't process more than
-1024 fifo commands at once
-*Date*: Mon, 30 May 2016 09:09:21 +0200
-
-------------------------------------------------------------------------
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off. So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index de2567b..e51a05e 100644
---- a/tools/qemu-xen/hw/display/vmware_vga.c
-+++ b/tools/qemu-xen/hw/display/vmware_vga.c
-@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
- uint32_t cmd, colour;
-- int args, len;
-+ int args, len, maxloop = 1024;
- int x, y, dx, dy, width, height;
- struct vmsvga_cursor_definition_s cursor;
- uint32_t cmd_start;
-
- len = vmsvga_fifo_length(s);
-- while (len > 0) {
-+ while (len > 0 && --maxloop > 0) {
- /* May need to go back to the start of the command if incomplete */
- cmd_start = s->fifo_stop;
-
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-4454.1.patch b/qemu.CVE-2016-4454.1.patch
deleted file mode 100644
index a024465..0000000
--- a/qemu.CVE-2016-4454.1.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-------------------------------------------------------------------------
-*From*: Gerd Hoffmann
-*Subject*: [Qemu-devel] [PATCH 1/4] vmsvga: move fifo sanity checks to
-vmsvga_fifo_length
-*Date*: Mon, 30 May 2016 09:09:18 +0200
-
-------------------------------------------------------------------------
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
-changes the fifo registers afterwards. Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
---- a/tools/qemu-xen/hw/display/vmware_vga.c
-+++ b/tools/qemu-xen/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (!s->config || !s->enable) {
- return 0;
- }
-+
-+ /* Check range and alignment. */
-+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ return 0;
-+ }
-+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ return 0;
-+ }
-+ if (CMD(max) > SVGA_FIFO_SIZE) {
-+ return 0;
-+ }
-+ if (CMD(max) < CMD(min) + 10 * 1024) {
-+ return 0;
-+ }
-+
- num = CMD(next_cmd) - CMD(stop);
- if (num < 0) {
- num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
- case SVGA_REG_CONFIG_DONE:
- if (value) {
- s->fifo = (uint32_t *) s->fifo_ptr;
-- /* Check range and alignment.
*/
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-- break;
-- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-- break;
-- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-- break;
-- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-- break;
-- }
- vga_dirty_log_stop(&s->vga);
- }
- s->config = !!value;
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-4454.2.patch b/qemu.CVE-2016-4454.2.patch
deleted file mode 100644
index 3676106..0000000
--- a/qemu.CVE-2016-4454.2.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-------------------------------------------------------------------------
-*From*: Gerd Hoffmann
-*Subject*: [Qemu-devel] [PATCH 2/4] vmsvga: add more fifo checks
-*Date*: Mon, 30 May 2016 09:09:19 +0200
-
-------------------------------------------------------------------------
-
-Make sure all fifo ptrs are within range.
-
-Fixes: CVE-2016-4454
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
----
- hw/display/vmware_vga.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tools/qemu-xen/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..a26e62e 100644
---- a/tools/qemu-xen/hw/display/vmware_vga.c
-+++ b/tools/qemu-xen/hw/display/vmware_vga.c
-@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-+ if (CMD(max) > SVGA_FIFO_SIZE ||
-+ CMD(min) >= SVGA_FIFO_SIZE ||
-+ CMD(stop) >= SVGA_FIFO_SIZE ||
-+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
- return 0;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-4454.3.patch b/qemu.CVE-2016-4454.3.patch
deleted file mode 100644
index 7236db7..0000000
--- a/qemu.CVE-2016-4454.3.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-------------------------------------------------------------------------
-*From*: Gerd Hoffmann
-*Subject*: [Qemu-devel] [PATCH 3/4] vmsvga: shadow fifo registers
-*Date*: Mon, 30 May 2016 09:09:20 +0200
-
-------------------------------------------------------------------------
-
-The fifo is normal ram. So kvm vcpu threads and qemu iothread can
-access the fifo in parallel without syncronization. Which in turn
-implies we can't use the fifo pointers in-place because the guest
-can try changing them underneath us. So add shadows for them, to
-make sure the guest can't modify them after we've applied sanity
-checks.
-
-Fixes: CVE-2016-4454
-Cc: P J P
-Signed-off-by: Gerd Hoffmann
----
- hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/tools/qemu-xen/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index a26e62e..de2567b 100644
---- a/tools/qemu-xen/hw/display/vmware_vga.c
-+++ b/tools/qemu-xen/hw/display/vmware_vga.c
-@@ -66,17 +66,11 @@ struct vmsvga_state_s {
- uint8_t *fifo_ptr;
- unsigned int fifo_size;
-
-- union {
-- uint32_t *fifo;
-- struct QEMU_PACKED {
-- uint32_t min;
-- uint32_t max;
-- uint32_t next_cmd;
-- uint32_t stop;
-- /* Add registers here when adding capabilities.
*/
-- uint32_t fifo[0];
-- } *cmd;
-- };
-+ uint32_t *fifo;
-+ uint32_t fifo_min;
-+ uint32_t fifo_max;
-+ uint32_t fifo_next;
-+ uint32_t fifo_stop;
-
- #define REDRAW_FIFO_LEN 512
- struct vmsvga_rect_s {
-@@ -198,7 +192,7 @@ enum {
- */
- SVGA_FIFO_MIN = 0,
- SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
-- SVGA_FIFO_NEXT_CMD,
-+ SVGA_FIFO_NEXT,
- SVGA_FIFO_STOP,
-
- /*
-@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
- }
- #endif
-
--#define CMD(f) le32_to_cpu(s->cmd->f)
--
- static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- {
- int num;
-@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- return 0;
- }
-
-+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
-+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
-+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
-+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
-+
- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
- return 0;
- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ if (s->fifo_min < sizeof(uint32_t) * 4) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE ||
-- CMD(min) >= SVGA_FIFO_SIZE ||
-- CMD(stop) >= SVGA_FIFO_SIZE ||
-- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-+ if (s->fifo_max > SVGA_FIFO_SIZE ||
-+ s->fifo_min >= SVGA_FIFO_SIZE ||
-+ s->fifo_stop >= SVGA_FIFO_SIZE ||
-+ s->fifo_next >= SVGA_FIFO_SIZE) {
- return 0;
- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
- return 0;
- }
-
-- num = CMD(next_cmd) - CMD(stop);
-+ num = s->fifo_next - s->fifo_stop;
- if (num < 0) {
-- num += CMD(max) - CMD(min);
-+ num += s->fifo_max - s->fifo_min;
- }
- return num >> 2;
- }
-
- static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
- {
-- uint32_t cmd = s->fifo[CMD(stop) >> 2];
-+
uint32_t cmd = s->fifo[s->fifo_stop >> 2];
-
-- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-- if (CMD(stop) >= CMD(max)) {
-- s->cmd->stop = s->cmd->min;
-+ s->fifo_stop += 4;
-+ if (s->fifo_stop >= s->fifo_max) {
-+ s->fifo_stop = s->fifo_min;
- }
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- return cmd;
- }
-
-@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- len = vmsvga_fifo_length(s);
- while (len > 0) {
- /* May need to go back to the start of the command if incomplete */
-- cmd_start = s->cmd->stop;
-+ cmd_start = s->fifo_stop;
-
- switch (cmd = vmsvga_fifo_read(s)) {
- case SVGA_CMD_UPDATE:
-@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- break;
-
- rewind:
-- s->cmd->stop = cmd_start;
-+ s->fifo_stop = cmd_start;
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- break;
- }
- }
---
-1.8.3.1
-
diff --git a/qemu.CVE-2016-5105.patch b/qemu.CVE-2016-5105.patch
deleted file mode 100644
index 47f0d16..0000000
--- a/qemu.CVE-2016-5105.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-------------------------------------------------------------------------
-*From*: P J P
-*Subject*: [Qemu-devel] [PATCH v2] scsi: megasas: initialise local
-configuration data buffer
-*Date*: Wed, 25 May 2016 17:41:44 +0530
-
-------------------------------------------------------------------------
-
-From: Prasad J Pandit
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Update as per
-
-> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04402.html
-
-diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c
-index dcbd3e1..bf642d4 100644
---- a/tools/qemu-xen/hw/scsi/megasas.c
-+++ b/tools/qemu-xen/hw/scsi/megasas.c
-@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
-
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
-- uint8_t data[4096];
-+ uint8_t data[4096] = { 0 };
- struct mfi_config_data *info;
- int num_pd_disks = 0, array_offset, ld_offset;
- BusChild *kid;
---
-2.5.5
-
diff --git a/qemu.CVE-2016-5106.patch b/qemu.CVE-2016-5106.patch
deleted file mode 100644
index baca1f1..0000000
--- a/qemu.CVE-2016-5106.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-------------------------------------------------------------------------
-*From*: P J P
-*Subject*: [Qemu-devel] [PATCH 1/3] scsi: megasas: use appropriate
-property buffer size
-*Date*: Wed, 25 May 2016 16:01:29 +0530
-
-------------------------------------------------------------------------
-
-From: Prasad J Pandit
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c
-index a63a581..dcbd3e1 100644
---- a/tools/qemu-xen/hw/scsi/megasas.c
-+++ b/tools/qemu-xen/hw/scsi/megasas.c
-@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
- dcmd_size);
- return MFI_STAT_INVALID_PARAMETER;
- }
-- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
- trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
- return MFI_STAT_OK;
- }
---
-2.5.5
-
diff --git a/qemu.CVE-2016-5238.patch b/qemu.CVE-2016-5238.patch
deleted file mode 100644
index 010cd54..0000000
--- a/qemu.CVE-2016-5238.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-------------------------------------------------------------------------
-*From*: Paolo Bonzini
-*Subject*: Re: [Qemu-devel] [PATCH] scsi: check buffer length before
-reading scsi command
-*Date*: Wed, 1 Jun 2016 15:10:16 +0200
-*User-agent*: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
-Thunderbird/45.1.0
-
-------------------------------------------------------------------------
-
-
-On 31/05/2016 19:53, P J P wrote:
->/
From: Prasad J Pandit /
->/ /
->/ The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte/
->/ FIFO buffer. It is used to handle command and data transfer./
->/ Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi/
->/ command into a buffer. Add check to validate command length against/
->/ buffer size to avoid any overrun./
->/ /
->/ Reported-by: Li Qiang /
->/ Signed-off-by: Prasad J Pandit /
->/ ---/
->/ hw/scsi/esp.c | 3 +++/
->/ 1 file changed, 3 insertions(+)/
->/ /
->/ diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c/
->/ index 60c1b28..953027a 100644/
->/ --- a/tools/qemu-xen/hw/scsi/esp.c/
->/ +++ b/tools/qemu-xen/hw/scsi/esp.c/
->/ @@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t /
->/ buflen)/
->/ s->dma_memory_read(s->dma_opaque, buf, dmalen);/
->/ } else {/
->/ dmalen = s->ti_size;/
->/ + if (dmalen > TI_BUFSZ) {/
->/ + return 0;/
->/ + }/
->/ memcpy(buf, s->ti_buf, dmalen);/
->/ buf[0] = buf[2] >> 5;/
->/ }/
->/ /
-
-In theory this shouldn't happen, but I agree that it is better to be
-defensive. I'm queuing this patch.
-
-At least the following patch is needed to ensure that ti_size always
-matches ti_rptr/ti_wptr (Hervé, what do you think about it? should I
-resubmit it formally?). Also, things are more complicated than
-necessary due to ti_size being used for both DMA and FIFO transfers.
-
-diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c
-index c2f6f8f..6407844 100644
---- a/tools/qemu-xen/hw/scsi/esp.c
-+++ b/tools/qemu-xen/hw/scsi/esp.c
-@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
- } else {
- s->ti_size = 2;
- s->ti_rptr = 0;
-- s->ti_wptr = 0;
-+ s->ti_wptr = 2;
- s->rregs[ESP_RFLAGS] = 2;
- }
- esp_raise_irq(s);
-
diff --git a/qemu.CVE-2016-5337.patch b/qemu.CVE-2016-5337.patch
deleted file mode 100644
index 0c67aeb..0000000
--- a/qemu.CVE-2016-5337.patch
+++ /dev/null
@@ -1,37 +0,0 @@ ------------------------------------------------------------------------- -*From*: Paolo Bonzini -*Subject*: [Qemu-devel] [PULL 06/13] scsi: megasas: null terminate bios -version buffer -*Date*: Tue, 7 Jun 2016 19:08:34 +0200 - ------------------------------------------------------------------------- - -From: Prasad J Pandit - -While reading information via 'megasas_ctrl_get_info' routine, -a local bios version buffer isn't null terminated. Add the -terminating null byte to avoid any OOB access. - -Reported-by: Li Qiang -Reviewed-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Signed-off-by: Paolo Bonzini ---- - hw/scsi/megasas.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tools/qemu-xen/hw/scsi/megasas.c b/tools/qemu-xen/hw/scsi/megasas.c -index cc66d36..a9ffc32 100644 ---- a/tools/qemu-xen/hw/scsi/megasas.c -+++ b/tools/qemu-xen/hw/scsi/megasas.c -@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) - - ptr = memory_region_get_ram_ptr(&pci_dev->rom); - memcpy(biosver, ptr + 0x41, 31); -+ biosver[31] = 0; - memcpy(info.image_component[1].name, "BIOS", 4); - memcpy(info.image_component[1].version, biosver, - strlen((const char *)biosver)); --- -1.8.3.1 - diff --git a/qemu.CVE-2016-5338.patch b/qemu.CVE-2016-5338.patch deleted file mode 100644 index 636f593..0000000 --- a/qemu.CVE-2016-5338.patch +++ /dev/null 
@@ -1,77 +0,0 @@ ------------------------------------------------------------------------- -*From*: P J P -*Subject*: [Qemu-devel] [PATCH v3] scsi: esp: check TI buffer index -before read/write -*Date*: Mon, 6 Jun 2016 22:04:43 +0530 - ------------------------------------------------------------------------- - -From: Prasad J Pandit - -The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte -FIFO buffers. One is used to handle commands and other is for -information transfer. Three control variables 'ti_rptr', -'ti_wptr' and 'ti_size' are used to control r/w access to the -information transfer buffer ti_buf[TI_BUFSZ=16]. In that, - -'ti_rptr' is used as read index, where read occurs. -'ti_wptr' is a write index, where write would occur. -'ti_size' indicates total bytes to be read from the buffer. - -While reading/writing to this buffer, index could exceed its -size. Add check to avoid OOB r/w access. - -Reported-by: Huawei PSIRT -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/esp.c | 20 +++++++++----------- - 1 file changed, 9 insertions(+), 11 deletions(-) - -Update as per: - -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html - -diff --git a/tools/qemu-xen/hw/scsi/esp.c b/tools/qemu-xen/hw/scsi/esp.c -index c2f6f8f..4b94bbc 100644 ---- a/tools/qemu-xen/hw/scsi/esp.c -+++ b/tools/qemu-xen/hw/scsi/esp.c -@@ -403,19 +403,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) - trace_esp_mem_readb(saddr, s->rregs[saddr]); - switch (saddr) { - case ESP_FIFO: -- if (s->ti_size > 0) { -+ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { -+ /* Data out. */ -+ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n"); -+ s->rregs[ESP_FIFO] = 0; -+ esp_raise_irq(s); -+ } else if (s->ti_rptr < s->ti_wptr) { - s->ti_size--; -- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { -- /* Data out. 
*/ -- qemu_log_mask(LOG_UNIMP, -- "esp: PIO data read not implemented\n"); -- s->rregs[ESP_FIFO] = 0; -- } else { -- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; -- } -+ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; - esp_raise_irq(s); - } -- if (s->ti_size == 0) { -+ if (s->ti_rptr == s->ti_wptr) { - s->ti_rptr = 0; - s->ti_wptr = 0; - } -@@ -459,7 +457,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - } else { - trace_esp_error_fifo_overrun(); - } -- } else if (s->ti_size == TI_BUFSZ - 1) { -+ } else if (s->ti_wptr == TI_BUFSZ - 1) { - trace_esp_error_fifo_overrun(); - } else { - s->ti_size++; --- -2.5.5 - diff --git a/qemu.bug1330513.patch b/qemu.bug1330513.patch deleted file mode 100644 index 8155720..0000000 --- a/qemu.bug1330513.patch +++ /dev/null @@ -1,37 +0,0 @@ ------------------------------------------------------------------------- -*From*: P J P -*Subject*: [Qemu-devel] [PATCH] display: vga: add check to limit -display width -*Date*: Tue, 26 Apr 2016 13:37:38 +0530 - ------------------------------------------------------------------------- - -From: Prasad J Pandit - -In vga_draw_graphic, display width could exceed the maximum -range of VBE_DISPI_MAX_XRES(16000). This could lead to possible -integer overflows. Add check to avoid it. - -Reported-by: Zuozhi Fzz -Signed-off-by: Prasad J Pandit ---- - tools/qemu-xen/hw/display/vga.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tools/qemu-xen/hw/display/vga.c b/tools/qemu-xen/hw/display/vga.c -index 9f68394..1a66291 100644 ---- a/tools/qemu-xen/hw/display/vga.c -+++ b/tools/qemu-xen/hw/display/vga.c -@@ -1478,6 +1478,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) - disp_width <<= 1; - } - } -+ if (disp_width > VBE_DISPI_MAX_XRES) { -+ disp_width = VBE_DISPI_MAX_XRES; -+ } - - depth = s->get_bpp(s); - --- -2.5.5 - diff --git a/qemu.bug1389686.patch b/qemu.bug1389686.patch deleted file mode 100644 index 86bc5ec..0000000 
--- a/qemu.bug1389686.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From: Li Qiang - -The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest -originated offset: they must ensure this offset does not go beyond -the size of the extended attribute that was set in v9fs_xattrcreate(). -Unfortunately, the current code implement these checks with unsafe -calculations on 32 and 64 bit values, which may allow a malicious -guest to cause OOB access anyway. - -Fix this by comparing the offset and the xattr size, which are -both uint64_t, before trying to compute the effective number of bytes -to read or write. - -Suggested-by: Greg Kurz -Signed-off-by: Li Qiang ---- - -Changes since v2: --make the solution of 'copied_len/len' in V9fsXattr type issue to a separate patch. --add detailed changelog. - -Changes since v1: --delete 'xattr_len'. - - hw/9pfs/9p.c | 32 ++++++++++++-------------------- - 1 file changed, 12 insertions(+), 20 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index e902eed..6df85b8 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -1642,18 +1642,15 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - ssize_t err; - size_t offset = 7; -- int read_count; -- int64_t xattr_len; -+ uint64_t read_count; - -- xattr_len = fidp->fs.xattr.len; -- read_count = xattr_len - off; -+ if (fidp->fs.xattr.len < off) { -+ read_count = 0; -+ } else { -+ read_count = fidp->fs.xattr.len - off; -+ } - if (read_count > max_count) { - read_count = max_count; -- } else if (read_count < 0) { -- /* -- * read beyond XATTR value -- */ -- read_count = 0; - } - err = pdu_marshal(pdu, offset, "d", read_count); - if (err < 0) { -@@ -1982,23 +1979,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - int i, to_copy; - ssize_t err = 0; -- int write_count; -- int64_t xattr_len; -+ uint64_t write_count; - size_t offset = 7; - - -- xattr_len = fidp->fs.xattr.len; -- write_count = xattr_len - off; -- if (write_count > count) { -- 
write_count = count; -- } else if (write_count < 0) { -- /* -- * write beyond XATTR value len specified in -- * xattrcreate -- */ -+ if (fidp->fs.xattr.len < off) { - err = -ENOSPC; - goto out; - } -+ write_count = fidp->fs.xattr.len - off; -+ if (write_count > count) { -+ write_count = count; -+ } - err = pdu_marshal(pdu, offset, "d", write_count); - if (err < 0) { - return err; --- -1.8.3.1 - diff --git a/qemu.git-00837731d254908a841d69298a4f9f077babaf24.patch b/qemu.git-00837731d254908a841d69298a4f9f077babaf24.patch deleted file mode 100644 index c376873..0000000 --- a/qemu.git-00837731d254908a841d69298a4f9f077babaf24.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001 -From: Stefan Weil -Date: Fri, 20 Nov 2015 08:42:33 +0100 -Subject: [PATCH] eepro100: Prevent two endless loops - -http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html -shows an example how an endless loop in function action_command can -be achieved. - -During my code review, I noticed a 2nd case which can result in an -endless loop. - -Reported-by: Qinghao Tang -Signed-off-by: Stefan Weil -Signed-off-by: Jason Wang ---- - tools/qemu-xen/hw/net/eepro100.c | 16 ++++++++++++++++ - 1 files changed, 16 insertions(+), 0 deletions(-) - -diff --git a/tools/qemu-xen/hw/net/eepro100.c b/tools/qemu-xen/hw/net/eepro100.c -index 60333b7..685a478 100644 ---- a/tools/qemu-xen/hw/net/eepro100.c -+++ b/tools/qemu-xen/hw/net/eepro100.c -@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) - #if 0 - uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); - #endif -+ if (tx_buffer_size == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } - tbd_address += 8; - TRACE(RXTX, logout - ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", -@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s) - - static void action_command(EEPRO100State *s) - { -+ /* The loop below won't stop if it gets special handcrafted data. -+ Therefore we limit the number of iterations. */ -+ unsigned max_loop_count = 16; -+ - for (;;) { - bool bit_el; - bool bit_s; -@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s) - #if 0 - bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); - #endif -+ -+ if (max_loop_count-- == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } -+ - s->cu_offset = s->tx.link; - TRACE(OTHER, - logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", --- -1.7.0.4 - 
diff --git a/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch b/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch deleted file mode 100644 index 0373190..0000000 --- a/qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 8 Apr 2016 11:33:48 +0530 -Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer - -When receiving packets over Stellaris ethernet controller, it -uses receive buffer of size 2048 bytes. In case the controller -accepts large(MTU) packets, it could lead to memory corruption. -Add check to avoid it. - -Reported-by: Oleksandr Bazhaniuk -Signed-off-by: Prasad J Pandit -Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com -Reviewed-by: Peter Maydell -Signed-off-by: Peter Maydell ---- - tools/qemu-xen/hw/net/stellaris_enet.c | 12 +++++++++++- - 1 files changed, 11 insertions(+), 1 deletions(-) - -diff --git a/tools/qemu-xen/hw/net/stellaris_enet.c b/tools/qemu-xen/hw/net/stellaris_enet.c -index 84cf60b..6880894 100644 ---- a/tools/qemu-xen/hw/net/stellaris_enet.c -+++ b/tools/qemu-xen/hw/net/stellaris_enet.c -@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si - n = s->next_packet + s->np; - if (n >= 31) - n -= 31; -- s->np++; - -+ if (size >= sizeof(s->rx[n].data) - 6) { -+ /* If the packet won't fit into the -+ * emulated 2K RAM, this is reported -+ * as a FIFO overrun error. -+ */ -+ s->ris |= SE_INT_FOV; -+ stellaris_enet_update(s); -+ return -1; -+ } -+ -+ s->np++; - s->rx[n].len = size + 6; - p = s->rx[n].data; - *(p++) = (size + 6); --- -1.7.0.4 - diff --git a/qemu.git-3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750.patch b/qemu.git-3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750.patch deleted file mode 100644 index ca21bfa..0000000 --- a/qemu.git-3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:15 +0100 -Subject: [PATCH] rng: remove the unused request cancellation code - -rng_backend_cancel_requests had no callers and none of the code -deleted in this commit ever ran. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 12 ------------ - backends/rng.c | 9 --------- - include/sysemu/rng.h | 11 ----------- - 3 files changed, 0 insertions(+), 32 deletions(-) - -diff --git a/tools/qemu-xen/backends/rng-egd.c b/tools/qemu-xen/backends/rng-egd.c -index 2de5cd5..0b2976a 100644 ---- a/tools/qemu-xen/backends/rng-egd.c -+++ b/tools/qemu-xen/backends/rng-egd.c -@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s) - s->requests = NULL; - } - --static void rng_egd_cancel_requests(RngBackend *b) --{ -- RngEgd *s = RNG_EGD(b); -- -- /* We simply delete the list of pending requests. 
If there is data in the -- * queue waiting to be read, this is okay, because there will always be -- * more data than we requested originally -- */ -- rng_egd_free_requests(s); --} -- - static void rng_egd_opened(RngBackend *b, Error **errp) - { - RngEgd *s = RNG_EGD(b); -@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data) - RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); - - rbc->request_entropy = rng_egd_request_entropy; -- rbc->cancel_requests = rng_egd_cancel_requests; - rbc->opened = rng_egd_opened; - } - -diff --git a/tools/qemu-xen/backends/rng.c b/tools/qemu-xen/backends/rng.c -index b7820ef..2f2f3ee 100644 ---- a/tools/qemu-xen/backends/rng.c -+++ b/tools/qemu-xen/backends/rng.c -@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, - } - } - --void rng_backend_cancel_requests(RngBackend *s) --{ -- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); -- -- if (k->cancel_requests) { -- k->cancel_requests(s); -- } --} -- - static bool rng_backend_prop_get_opened(Object *obj, Error **errp) - { - RngBackend *s = RNG_BACKEND(obj); -diff --git a/tools/qemu-xen/include/sysemu/rng.h b/tools/qemu-xen/include/sysemu/rng.h -index 858be8c..87b3ebe 100644 ---- a/tools/qemu-xen/include/sysemu/rng.h -+++ b/tools/qemu-xen/include/sysemu/rng.h -@@ -37,7 +37,6 @@ struct RngBackendClass - - void (*request_entropy)(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, void *opaque); -- void (*cancel_requests)(RngBackend *s); - - void (*opened)(RngBackend *s, Error **errp); - }; -@@ -68,14 +67,4 @@ struct RngBackend - void rng_backend_request_entropy(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque); -- --/** -- * rng_backend_cancel_requests: -- * @s: the backend to cancel all pending requests in -- * -- * Cancels all pending requests submitted by @rng_backend_request_entropy. 
This -- * should be used by a device during reset or in preparation for live migration -- * to stop tracking any request. -- */ --void rng_backend_cancel_requests(RngBackend *s); - #endif --- -1.7.0.4 - diff --git a/qemu.git-4299b90e9ba9ce5ca9024572804ba751aa1a7e70.patch b/qemu.git-4299b90e9ba9ce5ca9024572804ba751aa1a7e70.patch new file mode 100644 index 0000000..e5c4f3e --- /dev/null +++ b/qemu.git-4299b90e9ba9ce5ca9024572804ba751aa1a7e70.patch 
@@ -0,0 +1,76 @@
+From 4299b90e9ba9ce5ca9024572804ba751aa1a7e70 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 18 Oct 2016 13:15:17 +0530
+Subject: [PATCH] display: cirrus: check vga bits per pixel(bpp) value
+
+In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
+'cirrus_get_bpp' returns zero(0), which could lead to a divide
+by zero error in while copying pixel data. The same could occur
+via blit pitch values. Add check to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/cirrus_vga.c | 14 ++++++++++----
+ 1 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 3d712d5..bdb092e 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
+ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ int32_t pitch, int32_t addr)
+ {
++ if (!pitch) {
++ return true;
++ }
+ if (pitch < 0) {
+ int64_t min = addr
+ + ((int64_t)s->cirrus_blt_height-1) * pitch;
+@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ s->cirrus_addr_mask));
+ }
+
+-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ {
+ int sx = 0, sy = 0;
+ int dx = 0, dy = 0;
+@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ int width, height;
+
+ depth = s->vga.get_bpp(&s->vga) / 8;
++ if (!depth) {
++ return 0;
++ }
+ s->vga.get_resolution(&s->vga, &width, &height);
+
+ /* extra x, y */
+@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+ s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+ s->cirrus_blt_height);
++
++ return 1;
+ }
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ if (blit_is_unsafe(s))
+ return 0;
+
+- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
++ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+ s->cirrus_blt_srcaddr - s->vga.start_addr,
+ s->cirrus_blt_width, s->cirrus_blt_height);
+-
+- return 1;
+ }
+
+ /***************************************
+--
+1.7.0.4
+
diff --git a/qemu.git-43b11a91dd861a946b231b89b754285.patch b/qemu.git-43b11a91dd861a946b231b89b754285.patch
deleted file mode 100644
index 6c9edaa..0000000
--- a/qemu.git-43b11a91dd861a946b231b89b754285.patch
+++ /dev/null
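Review bot: The new `if (!depth) { return 0; }` after `depth = s->vga.get_bpp(&s->vga) / 8;` in cirrus_do_copy, and the new `if (!pitch) { return true; }` in blit_region_is_unsafe, both drop a guest-requested blit silently, so the condition the commit message describes (a blit issued while the adapter is in VGA mode) leaves no trace for an operator or a fuzzing harness to notice. Consider logging before each early return, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "cirrus: blit rejected, bpp or pitch is zero\n");`, in the same way the esp code in this series already uses qemu_log_mask for guest-driven conditions. A one-line comment on the depth check such as `/* get_bpp() is 0 in VGA mode; nothing to copy, and depth is a divisor below */` would record why 0 is special rather than leaving it to the commit message. Both patched functions continue past the end of their inner hunks, so any later use of depth as a divisor is outside this view.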
@@ -1,60 +0,0 @@ -From 43b11a91dd861a946b231b89b7542856ade23d1b Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 26 Jun 2015 14:25:29 +0200 -Subject: [PATCH] msix: implement pba write (but read-only) -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -qpci_msix_pending() writes on pba region, causing qemu to SEGV: - - Program received signal SIGSEGV, Segmentation fault. - [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)] - 0x0000000000000000 in ?? () - (gdb) bt - #0 0x0000000000000000 in () - #1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434 - #2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e , mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506 - #3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) 
at /home/elmarco/src/qemu/memory.c:1176 - #4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 , addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439 - #5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534 - #6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80 - #7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378 - #8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569 - #9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581 - #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306 - #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876 - #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122 - -(without this patch, this can be reproduced with the ivshmem qtest) - -Implement an empty mmio write to avoid the crash. 
- -Signed-off-by: Marc-André Lureau -Reviewed-by: Paolo Bonzini ---- - hw/pci/msix.c | 6 ++++++ - 1 files changed, 6 insertions(+), 0 deletions(-) - -diff --git a/tools/qemu-xen/hw/pci/msix.c b/tools/qemu-xen/hw/pci/msix.c -index 2fdada4..64c93d8 100644 ---- a/tools/qemu-xen/hw/pci/msix.c -+++ b/tools/qemu-xen/hw/pci/msix.c -@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr, - return pci_get_long(dev->msix_pba + addr); - } - -+static void msix_pba_mmio_write(void *opaque, hwaddr addr, -+ uint64_t val, unsigned size) -+{ -+} -+ - static const MemoryRegionOps msix_pba_mmio_ops = { - .read = msix_pba_mmio_read, -+ .write = msix_pba_mmio_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .valid = { - .min_access_size = 4, --- -1.7.0.4 - diff --git a/qemu.git-4774718e5c194026ba5ee7a28d9be49be3080e42.patch b/qemu.git-4774718e5c194026ba5ee7a28d9be49be3080e42.patch new file mode 100644 index 0000000..d15d96d --- /dev/null +++ b/qemu.git-4774718e5c194026ba5ee7a28d9be49be3080e42.patch 
@@ -0,0 +1,42 @@
+From 4774718e5c194026ba5ee7a28d9be49be3080e42 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH] 9pfs: adjust the order of resource cleanup in device unrealize
+
+Unrealize should undo things that were set during realize in
+reverse order. So should do in the error path in realize.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index aea7e9d..087b5c9 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3521,8 +3521,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+ }
+ return rc;
+@@ -3530,8 +3530,8 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
+- g_free(s->ctx.fs_root);
+ g_free(s->tag);
++ g_free(s->ctx.fs_root);
+ }
+
+ static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
+--
+1.7.0.4
+
diff --git a/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
index d06c597..5400ecd 100644
--- a/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
+++ b/qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch
@@ -15,10 +15,10 @@ Signed-off-by: Greg Kurz
 hw/9pfs/9p.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
 
-diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
 index 66135cf..d43a552 100644
---- a/hw/9pfs/virtio-9p.c
-+++ b/hw/9pfs/virtio-9p.c
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
 @@ -2413,6 +2413,7 @@ static void coroutine_fn v9fs_link(void *opaque)
 if (!err) {
 err = offset;
diff --git a/qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch b/qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch
deleted file mode 100644
index c628307..0000000
--- a/qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 56f101ecce0eafd09e2daf1c4eeb1377d6959261 Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Tue, 30 Aug 2016 17:02:27 +0200 -Subject: [PATCH] 9pfs: handle walk of ".." in the root directory - -The 9P spec at http://man.cat-v.org/plan_9/5/intro says: - -All directories must support walks to the directory .. (dot-dot) meaning -parent directory, although by convention directories contain no explicit -entry for .. or . (dot). The parent of the root directory of a server's -tree is itself. - -This means that a client cannot walk further than the root directory -exported by the server. In other words, if the client wants to walk -"/.." or "/foo/../..", the server should answer like the request was -to walk "/". - -This patch just does that: -- we cache the QID of the root directory at attach time -- during the walk we compare the QID of each path component with the root - QID to detect if we're in a "/.." situation -- if so, we skip the current component and go to the next one - -Signed-off-by: Greg Kurz -Reviewed-by: Eric Blake -Signed-off-by: Peter Maydell ---- - hw/9pfs/virtio-9p.c | 40 +++++++++++++++++++++++++++++++--------- - hw/9pfs/virtio-9p.h | 1 + - 2 files changed, 32 insertions(+), 9 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index 51c6f98..dfe293d 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -1010,6 +1010,7 @@ static void v9fs_attach(void *opaque) - goto out; - } - err += offset; -+ memcpy(&s->root_qid, &qid, sizeof(qid)); - trace_v9fs_attach_return(pdu->tag, pdu->id, - qid.type, qid.version, qid.path); - /* -@@ -1261,6 +1262,14 @@ static bool name_is_illegal(const char *name) - return !*name || strchr(name, '/') != NULL; - } - -+static bool not_same_qid(const V9fsQID *qid1, const V9fsQID *qid2) -+{ -+ return -+ qid1->type != qid2->type || -+ qid1->version != qid2->version || -+ qid1->path != qid2->path; -+} -+ - static void v9fs_walk(void *opaque) - { - int name_idx; -@@ -1276,6 +1285,7 
@@ static void v9fs_walk(void *opaque) - V9fsFidState *newfidp = NULL; - V9fsPDU *pdu = opaque; - V9fsState *s = pdu->s; -+ V9fsQID qid; - - err = pdu_unmarshal(pdu, offset, "ddw", &fid, &newfid, &nwnames); - if (err < 0) { -@@ -1309,6 +1319,12 @@ static void v9fs_walk(void *opaque) - err = -ENOENT; - goto out_nofid; - } -+ -+ err = fid_to_qid(pdu, fidp, &qid); -+ if (err < 0) { -+ goto out; -+ } -+ - v9fs_path_init(&dpath); - v9fs_path_init(&path); - /* -@@ -1318,16 +1334,22 @@ static void v9fs_walk(void *opaque) - v9fs_path_copy(&dpath, &fidp->path); - v9fs_path_copy(&path, &fidp->path); - for (name_idx = 0; name_idx < nwnames; name_idx++) { -- err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, &path); -- if (err < 0) { -- goto out; -- } -- err = v9fs_co_lstat(pdu, &path, &stbuf); -- if (err < 0) { -- goto out; -+ if (not_same_qid(&pdu->s->root_qid, &qid) || -+ strcmp("..", wnames[name_idx].data)) { -+ err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, -+ &path); -+ if (err < 0) { -+ goto out; -+ } -+ -+ err = v9fs_co_lstat(pdu, &path, &stbuf); -+ if (err < 0) { -+ goto out; -+ } -+ stat_to_qid(&stbuf, &qid); -+ v9fs_path_copy(&dpath, &path); - } -- stat_to_qid(&stbuf, &qids[name_idx]); -- v9fs_path_copy(&dpath, &path); -+ memcpy(&qids[name_idx], &qid, sizeof(qid)); - } - if (fid == newfid) { - BUG_ON(fidp->fid_type != P9_FID_NONE); -diff --git a/hw/9pfs/virtio-9p.h b/hw/9pfs/virtio-9p.h -index b4f757a..a386033 100644 ---- a/hw/9pfs/virtio-9p.h -+++ b/hw/9pfs/virtio-9p.h -@@ -236,6 +236,7 @@ typedef struct V9fsState - int32_t root_fid; - Error *migration_blocker; - V9fsConf fsconf; -+ V9fsQID root_qid; - } V9fsState; - - typedef struct V9fsStatState { --- -1.7.0.4 - diff --git a/qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475dce9956.patch b/qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475dce9956.patch deleted file mode 100644 index e7a30d5..0000000 --- a/qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475dce9956.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:18 +0100 -Subject: [PATCH] rng: add request queue support to rng-random - -Requests are now created in the RngBackend parent class and the -code path is shared by both rng-egd and rng-random. - -This commit fixes the rng-random implementation which processed -only one request at a time and simply discarded all but the most -recent one. In the guest this manifested as delayed completion -of reads from virtio-rng, i.e. a read was completed only after -another read was issued. - -By switching rng-random to use the same request queue as rng-egd, -the unsafe stack-based allocation of the entropy buffer is -eliminated and replaced with g_malloc. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 16 ++-------------- - backends/rng-random.c | 43 +++++++++++++++++++------------------------ - backends/rng.c | 13 ++++++++++++- - include/sysemu/rng.h | 3 +-- - 4 files changed, 34 insertions(+), 41 deletions(-) - -diff --git a/tools/qemu-xen/backends/rng-egd.c b/tools/qemu-xen/backends/rng-egd.c -index 8f2bd16..30332ed 100644 ---- a/tools/qemu-xen/backends/rng-egd.c -+++ b/tools/qemu-xen/backends/rng-egd.c -@@ -27,20 +27,10 @@ typedef struct RngEgd - char *chr_name; - } RngEgd; - --static void rng_egd_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) - { - RngEgd *s = RNG_EGD(b); -- RngRequest *req; -- -- req = g_malloc(sizeof(*req)); -- -- req->offset = 0; -- req->size = size; -- req->receive_entropy = receive_entropy; -- req->opaque = opaque; -- req->data = g_malloc(req->size); -+ size_t size = req->size; - - while (size > 0) { - uint8_t header[2]; -@@ -54,8 +44,6 @@ static void 
rng_egd_request_entropy(RngBackend *b, size_t size, - - size -= len; - } -- -- s->parent.requests = g_slist_append(s->parent.requests, req); - } - - static int rng_egd_chr_can_read(void *opaque) -diff --git a/tools/qemu-xen/backends/rng-random.c b/tools/qemu-xen/backends/rng-random.c -index 8cdad6a..a6cb385 100644 ---- a/tools/qemu-xen/backends/rng-random.c -+++ b/tools/qemu-xen/backends/rng-random.c -@@ -22,10 +22,6 @@ struct RndRandom - - int fd; - char *filename; -- -- EntropyReceiveFunc *receive_func; -- void *opaque; -- size_t size; - }; - - /** -@@ -38,36 +34,35 @@ struct RndRandom - static void entropy_available(void *opaque) - { - RndRandom *s = RNG_RANDOM(opaque); -- uint8_t buffer[s->size]; -- ssize_t len; - -- len = read(s->fd, buffer, s->size); -- if (len < 0 && errno == EAGAIN) { -- return; -- } -- g_assert(len != -1); -+ while (s->parent.requests != NULL) { -+ RngRequest *req = s->parent.requests->data; -+ ssize_t len; -+ -+ len = read(s->fd, req->data, req->size); -+ if (len < 0 && errno == EAGAIN) { -+ return; -+ } -+ g_assert(len != -1); - -- s->receive_func(s->opaque, buffer, len); -- s->receive_func = NULL; -+ req->receive_entropy(req->opaque, req->data, len); - -+ rng_backend_finalize_request(&s->parent, req); -+ } -+ -+ /* We've drained all requests, the fd handler can be reset. */ - qemu_set_fd_handler(s->fd, NULL, NULL, NULL); - } - --static void rng_random_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_random_request_entropy(RngBackend *b, RngRequest *req) - { - RndRandom *s = RNG_RANDOM(b); - -- if (s->receive_func) { -- s->receive_func(s->opaque, NULL, 0); -+ if (s->parent.requests == NULL) { -+ /* If there are no pending requests yet, we need to -+ * install our fd handler. 
*/ -+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } -- -- s->receive_func = receive_entropy; -- s->opaque = opaque; -- s->size = size; -- -- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } - - static void rng_random_opened(RngBackend *b, Error **errp) -diff --git a/tools/qemu-xen/backends/rng.c b/tools/qemu-xen/backends/rng.c -index 014cb9d..277a41b 100644 ---- a/tools/qemu-xen/backends/rng.c -+++ b/tools/qemu-xen/backends/rng.c -@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, - void *opaque) - { - RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); -+ RngRequest *req; - - if (k->request_entropy) { -- k->request_entropy(s, size, receive_entropy, opaque); -+ req = g_malloc(sizeof(*req)); -+ -+ req->offset = 0; -+ req->size = size; -+ req->receive_entropy = receive_entropy; -+ req->opaque = opaque; -+ req->data = g_malloc(req->size); -+ -+ k->request_entropy(s, req); -+ -+ s->requests = g_slist_append(s->requests, req); - } - } - -diff --git a/tools/qemu-xen/include/sysemu/rng.h b/tools/qemu-xen/include/sysemu/rng.h -index 08a2eda..4fffd68 100644 ---- a/tools/qemu-xen/include/sysemu/rng.h -+++ b/tools/qemu-xen/include/sysemu/rng.h -@@ -45,8 +45,7 @@ struct RngBackendClass - { - ObjectClass parent_class; - -- void (*request_entropy)(RngBackend *s, size_t size, -- EntropyReceiveFunc *receive_entropy, void *opaque); -+ void (*request_entropy)(RngBackend *s, RngRequest *req); - - void (*opened)(RngBackend *s, Error **errp); - }; --- -1.7.0.4 - diff --git a/qemu.git-702dbcc274e2ca43be20ba64c758c0ca57dab91d.patch b/qemu.git-702dbcc274e2ca43be20ba64c758c0ca57dab91d.patch new file mode 100644 index 0000000..259439b --- /dev/null +++ b/qemu.git-702dbcc274e2ca43be20ba64c758c0ca57dab91d.patch 
@@ -0,0 +1,56 @@
+From 702dbcc274e2ca43be20ba64c758c0ca57dab91d Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH] 9pfs: add cleanup operation in FileOperations
+
+Currently, the backend of VirtFS doesn't have a cleanup
+function. This will lead resource leak issues if the backed
+driver allocates resources. This patch addresses this issue.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ fsdev/file-op-9p.h | 1 +
+ hw/9pfs/9p.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
+index 6db9fea..a56dc84 100644
+--- a/fsdev/file-op-9p.h
++++ b/fsdev/file-op-9p.h
+@@ -100,6 +100,7 @@ struct FileOperations
+ {
+ int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
+ int (*init)(struct FsContext *);
++ void (*cleanup)(struct FsContext *);
+ int (*lstat)(FsContext *, V9fsPath *, struct stat *);
+ ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
+ int (*chmod)(FsContext *, V9fsPath *, FsCred *);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 087b5c9..faebd91 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3521,6 +3521,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
+ rc = 0;
+ out:
+ if (rc) {
++ if (s->ops->cleanup && s->ctx.private) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ v9fs_path_free(&path);
+@@ -3530,6 +3533,9 @@ out:
+
+ void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
+ {
++ if (s->ops->cleanup) {
++ s->ops->cleanup(&s->ctx);
++ }
+ g_free(s->tag);
+ g_free(s->ctx.fs_root);
+ }
+--
+1.7.0.4
+
diff --git a/qemu.git-74074e8a7c60592cf1cc6469dbc2550d24aeded3.patch b/qemu.git-74074e8a7c60592cf1cc6469dbc2550d24aeded3.patch
deleted file mode 100644
index 7ee2371..0000000
--- a/qemu.git-74074e8a7c60592cf1cc6469dbc2550d24aeded3.patch
+++ /dev/null
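Review bot: The new `cleanup` member of `FileOperations` is declared without a comment saying when it runs and what state it may assume, and the two callers in 9p.c guard it differently: the realize error path only invokes it when `s->ctx.private` is non-NULL, while `v9fs_device_unrealize_common` invokes it whenever the backend provides one. A backend whose cleanup dereferences `ctx->private` unconditionally therefore relies on unrealize never running after a failed init, which is presumably true but is stated nowhere. I'd put the contract on the declaration, `void (*cleanup)(struct FsContext *); /* frees what init() allocated; only called once init() has set ctx->private */`, and mirror the guard in the unrealize path for consistency, `if (s->ops->cleanup && s->ctx.private) {`. The body of `v9fs_device_realize_common` starts before this hunk.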
@@ -1,135 +0,0 @@ -From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:16 +0100 -Subject: [PATCH] rng: move request queue from RngEgd to RngBackend - -The 'requests' field now lives in the RngBackend parent class. -There are no functional changes in this commit. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 28 +++++++++------------------- - include/sysemu/rng.h | 11 +++++++++++ - 2 files changed, 20 insertions(+), 19 deletions(-) - -diff --git a/tools/qemu-xen/backends/rng-egd.c b/tools/qemu-xen/backends/rng-egd.c -index 0b2976a..b061362 100644 ---- a/tools/qemu-xen/backends/rng-egd.c -+++ b/tools/qemu-xen/backends/rng-egd.c -@@ -25,19 +25,8 @@ typedef struct RngEgd - - CharDriverState *chr; - char *chr_name; -- -- GSList *requests; - } RngEgd; - --typedef struct RngRequest --{ -- EntropyReceiveFunc *receive_entropy; -- uint8_t *data; -- void *opaque; -- size_t offset; -- size_t size; --} RngRequest; -- - static void rng_egd_request_entropy(RngBackend *b, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque) -@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, - size -= len; - } - -- s->requests = g_slist_append(s->requests, req); -+ s->parent.requests = g_slist_append(s->parent.requests, req); - } - - static void rng_egd_free_request(RngRequest *req) -@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque) - GSList *i; - int size = 0; - -- for (i = s->requests; i; i = i->next) { -+ for (i = s->parent.requests; i; i = i->next) { - RngRequest *req = i->data; - size += req->size - req->offset; - } -@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - RngEgd *s = RNG_EGD(opaque); - size_t buf_offset = 0; - -- while (size > 0 && s->requests) { -- RngRequest *req = s->requests->data; -+ 
while (size > 0 && s->parent.requests) { -+ RngRequest *req = s->parent.requests->data; - int len = MIN(size, req->size - req->offset); - - memcpy(req->data + req->offset, buf + buf_offset, len); -@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - size -= len; - - if (req->offset == req->size) { -- s->requests = g_slist_remove_link(s->requests, s->requests); -+ s->parent.requests = g_slist_remove_link(s->parent.requests, -+ s->parent.requests); - - req->receive_entropy(req->opaque, req->data, req->size); - -@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s) - { - GSList *i; - -- for (i = s->requests; i; i = i->next) { -+ for (i = s->parent.requests; i; i = i->next) { - rng_egd_free_request(i->data); - } - -- g_slist_free(s->requests); -- s->requests = NULL; -+ g_slist_free(s->parent.requests); -+ s->parent.requests = NULL; - } - - static void rng_egd_opened(RngBackend *b, Error **errp) -diff --git a/tools/qemu-xen/include/sysemu/rng.h b/tools/qemu-xen/include/sysemu/rng.h -index 87b3ebe..c744d82 100644 ---- a/tools/qemu-xen/include/sysemu/rng.h -+++ b/tools/qemu-xen/include/sysemu/rng.h -@@ -24,6 +24,7 @@ - #define RNG_BACKEND_CLASS(klass) \ - OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) - -+typedef struct RngRequest RngRequest; - typedef struct RngBackendClass RngBackendClass; - typedef struct RngBackend RngBackend; - -@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque, - const void *data, - size_t size); - -+struct RngRequest -+{ -+ EntropyReceiveFunc *receive_entropy; -+ uint8_t *data; -+ void *opaque; -+ size_t offset; -+ size_t size; -+}; -+ - struct RngBackendClass - { - ObjectClass parent_class; -@@ -47,6 +57,7 @@ struct RngBackend - - /*< protected >*/ - bool opened; -+ GSList *requests; - }; - - /** --- -1.7.0.4 - 
diff --git a/qemu.git-7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6.patch b/qemu.git-7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6.patch new file mode 100644 index 0000000..543dc5d --- /dev/null +++ b/qemu.git-7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6.patch 
@@ -0,0 +1,92 @@
+From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 1 Nov 2016 12:00:40 +0100
+Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
+originated offset: they must ensure this offset does not go beyond
+the size of the extended attribute that was set in v9fs_xattrcreate().
+Unfortunately, the current code implement these checks with unsafe
+calculations on 32 and 64 bit values, which may allow a malicious
+guest to cause OOB access anyway.
+
+Fix this by comparing the offset and the xattr size, which are
+both uint64_t, before trying to compute the effective number of bytes
+to read or write.
+
+Suggested-by: Greg Kurz
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Reviewed-By: Guido Günther
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 32 ++++++++++++-------------------
+ 1 files changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index ab18ef2..7705ead 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ ssize_t err;
+ size_t offset = 7;
+- int read_count;
+- int64_t xattr_len;
++ uint64_t read_count;
+ V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
+ VirtQueueElement *elem = v->elems[pdu->idx];
+
+- xattr_len = fidp->fs.xattr.len;
+- read_count = xattr_len - off;
++ if (fidp->fs.xattr.len < off) {
++ read_count = 0;
++ } else {
++ read_count = fidp->fs.xattr.len - off;
++ }
+ if (read_count > max_count) {
+ read_count = max_count;
+- } else if (read_count < 0) {
+- /*
+- * read beyond XATTR value
+- */
+- read_count = 0;
+ }
+ err = pdu_marshal(pdu, offset, "d", read_count);
+ if (err < 0) {
+@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
+ {
+ int i, to_copy;
+ ssize_t err = 0;
+- int write_count;
+- int64_t xattr_len;
++ uint64_t write_count;
+ size_t offset = 7;
+
+
+- xattr_len = fidp->fs.xattr.len;
+- write_count = xattr_len - off;
+- if (write_count > count) {
+- write_count = count;
+- } else if (write_count < 0) {
+- /*
+- * write beyond XATTR value len specified in
+- * xattrcreate
+- */
++ if (fidp->fs.xattr.len < off) {
+ err = -ENOSPC;
+ goto out;
+ }
++ write_count = fidp->fs.xattr.len - off;
++ if (write_count > count) {
++ write_count = count;
++ }
+ err = pdu_marshal(pdu, offset, "d", write_count);
+ if (err < 0) {
+ return err;
+--
+1.7.0.4
+
diff --git a/qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch b/qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch
deleted file mode 100644
index 694e819..0000000
--- a/qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch
+++ /dev/null
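Review bot: `read_count` and `write_count` become `uint64_t` but are still handed to `pdu_marshal(pdu, offset, "d", ...)` through the varargs; if the "d" conversion fetches a 32-bit argument, as a 9P "d" field would suggest, the passed type no longer matches what `va_arg` reads, which is undefined in C even though the value has just been clamped to `max_count`/`count`. An explicit narrowing cast removes the mismatch and documents the intent: `err = pdu_marshal(pdu, offset, "d", (uint32_t)read_count);` in v9fs_xattr_read and `(uint32_t)write_count` in v9fs_xattr_write. The clamp itself is sound only if `off`, `max_count` and `count` are unsigned as the description says; their declarations sit in the signatures outside the hunk, so that is worth confirming. Both functions start before and continue after their hunks.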
@@ -1,159 +0,0 @@ -From 805b5d98c649d26fc44d2d7755a97f18e62b438a Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Tue, 30 Aug 2016 19:13:11 +0200 -Subject: [PATCH] 9pfs: forbid . and .. in file names - -According to the 9P spec http://man.cat-v.org/plan_9/5/open about the -create request: - -The names . and .. are special; it is illegal to create files with these -names. - -This patch causes the create and lcreate requests to fail with EINVAL if -the file name is either "." or "..". - -Even if it isn't explicitly written in the spec, this patch extends the -checking to all requests that may cause a directory entry to be created: - - - mknod - - rename - - renameat - - mkdir - - link - - symlink - -The unlinkat request also gets patched for consistency (even if -rmdir("foo/..") is expected to fail according to POSIX.1-2001). - -The various error values come from the linux manual pages. - -Suggested-by: Peter Maydell -Signed-off-by: Greg Kurz -Reviewed-by: Eric Blake -Reviewed-by: Michael S. 
Tsirkin -Signed-off-by: Peter Maydell ---- - hw/9pfs/virtio-9p.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 51 insertions(+), 0 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index 385269e..51c6f98 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -1497,6 +1497,11 @@ static void v9fs_lcreate(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, dfid); - if (fidp == NULL) { - err = -ENOENT; -@@ -2096,6 +2101,11 @@ static void v9fs_create(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -EINVAL; -@@ -2266,6 +2276,11 @@ static void v9fs_symlink(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -EINVAL; -@@ -2345,6 +2360,11 @@ static void v9fs_link(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -ENOENT; -@@ -2433,6 +2453,16 @@ static void v9fs_unlinkat(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data)) { -+ err = -EINVAL; -+ goto out_nofid; -+ } -+ -+ if (!strcmp("..", name.data)) { -+ err = -ENOTEMPTY; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -EINVAL; -@@ -2545,6 +2575,11 @@ static void v9fs_rename(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EISDIR; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; -@@ -2662,6 +2697,12 @@ static void v9fs_renameat(void 
*opaque) - goto out_err; - } - -+ if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) || -+ !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) { -+ err = -EISDIR; -+ goto out_err; -+ } -+ - v9fs_path_write_lock(s); - err = v9fs_complete_renameat(pdu, olddirfid, - &old_name, newdirfid, &new_name); -@@ -2877,6 +2918,11 @@ static void v9fs_mknod(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; -@@ -3033,6 +3079,11 @@ static void v9fs_mkdir(void *opaque) - goto out_nofid; - } - -+ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { -+ err = -EEXIST; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; --- -1.7.0.4 - diff --git a/qemu.git-898ae90a44551d25b8e956fd87372d303c82fe68.patch b/qemu.git-898ae90a44551d25b8e956fd87372d303c82fe68.patch new file mode 100644 index 0000000..3a61bd8 --- /dev/null +++ b/qemu.git-898ae90a44551d25b8e956fd87372d303c82fe68.patch 
@@ -0,0 +1,47 @@
+From 898ae90a44551d25b8e956fd87372d303c82fe68 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH] 9pfs: add cleanup operation for proxy backend driver
+
+In the init operation of proxy backend dirver, it allocates a
+V9fsProxy struct and some other resources. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p-proxy.c | 13 +++++++++++++
+ 1 files changed, 13 insertions(+), 0 deletions(-)
+
+diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
+index f2417b7..f4aa7a9 100644
+--- a/hw/9pfs/9p-proxy.c
++++ b/hw/9pfs/9p-proxy.c
+@@ -1168,9 +1168,22 @@ static int proxy_init(FsContext *ctx)
+ return 0;
+ }
+
++static void proxy_cleanup(FsContext *ctx)
++{
++ V9fsProxy *proxy = ctx->private;
++
++ g_free(proxy->out_iovec.iov_base);
++ g_free(proxy->in_iovec.iov_base);
++ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
++ close(proxy->sockfd);
++ }
++ g_free(proxy);
++}
++
+ FileOperations proxy_ops = {
+ .parse_opts = proxy_parse_opts,
+ .init = proxy_init,
++ .cleanup = proxy_cleanup,
+ .lstat = proxy_lstat,
+ .readlink = proxy_readlink,
+ .close = proxy_close,
+--
+1.7.0.4
+
diff --git a/qemu.git-926cde5f3e4d2504ed161ed0.patch b/qemu.git-926cde5f3e4d2504ed161ed0.patch
deleted file mode 100644
index c532237..0000000
--- a/qemu.git-926cde5f3e4d2504ed161ed0.patch
+++ /dev/null
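Review bot: `proxy_cleanup` frees `proxy` but leaves `ctx->private` pointing at the released struct, and `handle_cleanup` in the qemu.git-971f406b… patch further down has the same shape; since the realize error path in the companion FileOperations patch decides whether to call cleanup by testing `s->ctx.private`, a stale pointer would turn any second cleanup into a use-after-free instead of a no-op. Resetting the pointer after the release, `g_free(proxy); ctx->private = NULL;` (and `g_free(data); ctx->private = NULL;` in the handle driver), closes that gap for both. The `V9FS_PROXY_SOCK_NAME` condition around `close(proxy->sockfd)` presumably means the descriptor is caller-owned when a pre-opened socket was passed in; a one-line comment such as `/* sockfd was opened by proxy_init only for the sock_name case */` would spare the next reader a trip to `proxy_init`, whose body ends just before this hunk.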
@@ -1,73 +0,0 @@ -From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 16 Jun 2016 00:22:35 +0200 -Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size - -While doing DMA read into ESP command buffer 's->cmdbuf', it could -write past the 's->cmdbuf' area, if it was transferring more than 16 -bytes. Increase the command buffer size to 32, which is maximum when -'s->do_cmd' is set, and add a check on 'len' to avoid OOB access. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Signed-off-by: Paolo Bonzini ---- - hw/scsi/esp.c | 6 ++++-- - include/hw/scsi/esp.h | 3 ++- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 64680b3..baa0a2c 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s) - len = s->dma_left; - if (s->do_cmd) { - trace_esp_do_dma(s->cmdlen, len); -+ assert (s->cmdlen <= sizeof(s->cmdbuf) && -+ len <= sizeof(s->cmdbuf) - s->cmdlen); - s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); - s->ti_size = 0; - s->cmdlen = 0; -@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s) - s->dma_counter = dmalen; - - if (s->do_cmd) -- minlen = (dmalen < 32) ? dmalen : 32; -+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; - else if (s->ti_size < 0) - minlen = (dmalen < -s->ti_size) ? 
dmalen : -s->ti_size; - else -@@ -449,7 +451,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - break; - case ESP_FIFO: - if (s->do_cmd) { -- if (s->cmdlen < TI_BUFSZ) { -+ if (s->cmdlen < ESP_CMDBUF_SZ) { - s->cmdbuf[s->cmdlen++] = val & 0xff; - } else { - trace_esp_error_fifo_overrun(); -diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h -index 6c79527..d2c4886 100644 ---- a/include/hw/scsi/esp.h -+++ b/include/hw/scsi/esp.h -@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift, - - #define ESP_REGS 16 - #define TI_BUFSZ 16 -+#define ESP_CMDBUF_SZ 32 - - typedef struct ESPState ESPState; - -@@ -31,7 +32,7 @@ struct ESPState { - SCSIBus bus; - SCSIDevice *current_dev; - SCSIRequest *current_req; -- uint8_t cmdbuf[TI_BUFSZ]; -+ uint8_t cmdbuf[ESP_CMDBUF_SZ]; - uint32_t cmdlen; - uint32_t do_cmd; - --- -1.7.0.4 - diff --git a/qemu.git-971f406b77a6eb84e0ad27dcc416b663765aee30.patch b/qemu.git-971f406b77a6eb84e0ad27dcc416b663765aee30.patch new file mode 100644 index 0000000..812a053 --- /dev/null +++ b/qemu.git-971f406b77a6eb84e0ad27dcc416b663765aee30.patch 
@@ -0,0 +1,47 @@
+From 971f406b77a6eb84e0ad27dcc416b663765aee30 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 23 Nov 2016 13:53:34 +0100
+Subject: [PATCH] 9pfs: add cleanup operation for handle backend driver
+
+In the init operation of handle backend dirver, it allocates a
+handle_data struct and opens a mount file. We should free these
+resources when the 9pfs device is unrealized. This is what this
+patch does.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Greg Kurz
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p-handle.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
+index 3d77594..1687661 100644
+--- a/hw/9pfs/9p-handle.c
++++ b/hw/9pfs/9p-handle.c
+@@ -649,6 +649,14 @@ out:
+ return ret;
+ }
+
++static void handle_cleanup(FsContext *ctx)
++{
++ struct handle_data *data = ctx->private;
++
++ close(data->mountfd);
++ g_free(data);
++}
++
+ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ {
+ const char *sec_model = qemu_opt_get(opts, "security_model");
+@@ -671,6 +679,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
+ FileOperations handle_ops = {
+ .parse_opts = handle_parse_opts,
+ .init = handle_init,
++ .cleanup = handle_cleanup,
+ .lstat = handle_lstat,
+ .readlink = handle_readlink,
+ .close = handle_close,
+--
+1.7.0.4
+
diff --git a/qemu.git-9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9.patch b/qemu.git-9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9.patch
deleted file mode 100644
index 826e68e..0000000
--- a/qemu.git-9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9.patch
+++ /dev/null
@@ -1,163 +0,0 @@ -From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:17 +0100 -Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend - -RngBackend is now in charge of cleaning up the linked list on -instance finalization. It also exposes a function to finalize -individual RngRequest instances, called by its child classes. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 25 +------------------------ - backends/rng.c | 32 ++++++++++++++++++++++++++++++++ - include/sysemu/rng.h | 12 ++++++++++++ - 3 files changed, 45 insertions(+), 24 deletions(-) - -diff --git a/tools/qemu-xen/backends/rng-egd.c b/tools/qemu-xen/backends/rng-egd.c -index b061362..8f2bd16 100644 ---- a/tools/qemu-xen/backends/rng-egd.c -+++ b/tools/qemu-xen/backends/rng-egd.c -@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, - s->parent.requests = g_slist_append(s->parent.requests, req); - } - --static void rng_egd_free_request(RngRequest *req) --{ -- g_free(req->data); -- g_free(req); --} -- - static int rng_egd_chr_can_read(void *opaque) - { - RngEgd *s = RNG_EGD(opaque); -@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - size -= len; - - if (req->offset == req->size) { -- s->parent.requests = g_slist_remove_link(s->parent.requests, -- s->parent.requests); -- - req->receive_entropy(req->opaque, req->data, req->size); - -- rng_egd_free_request(req); -+ rng_backend_finalize_request(&s->parent, req); - } - } - } - --static void rng_egd_free_requests(RngEgd *s) --{ -- GSList *i; -- -- for (i = s->parent.requests; i; i = i->next) { -- rng_egd_free_request(i->data); -- } -- -- g_slist_free(s->parent.requests); -- s->parent.requests = NULL; --} -- - static void rng_egd_opened(RngBackend *b, Error **errp) - { - RngEgd 
*s = RNG_EGD(b); -@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj) - } - - g_free(s->chr_name); -- -- rng_egd_free_requests(s); - } - - static void rng_egd_class_init(ObjectClass *klass, void *data) -diff --git a/tools/qemu-xen/backends/rng.c b/tools/qemu-xen/backends/rng.c -index 2f2f3ee..014cb9d 100644 ---- a/tools/qemu-xen/backends/rng.c -+++ b/tools/qemu-xen/backends/rng.c -@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp) - s->opened = true; - } - -+static void rng_backend_free_request(RngRequest *req) -+{ -+ g_free(req->data); -+ g_free(req); -+} -+ -+static void rng_backend_free_requests(RngBackend *s) -+{ -+ GSList *i; -+ -+ for (i = s->requests; i; i = i->next) { -+ rng_backend_free_request(i->data); -+ } -+ -+ g_slist_free(s->requests); -+ s->requests = NULL; -+} -+ -+void rng_backend_finalize_request(RngBackend *s, RngRequest *req) -+{ -+ s->requests = g_slist_remove(s->requests, req); -+ rng_backend_free_request(req); -+} -+ - static void rng_backend_init(Object *obj) - { - object_property_add_bool(obj, "opened", -@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj) - NULL); - } - -+static void rng_backend_finalize(Object *obj) -+{ -+ RngBackend *s = RNG_BACKEND(obj); -+ -+ rng_backend_free_requests(s); -+} -+ - static void rng_backend_class_init(ObjectClass *oc, void *data) - { - UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); -@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = { - .parent = TYPE_OBJECT, - .instance_size = sizeof(RngBackend), - .instance_init = rng_backend_init, -+ .instance_finalize = rng_backend_finalize, - .class_size = sizeof(RngBackendClass), - .class_init = rng_backend_class_init, - .abstract = true, -diff --git a/tools/qemu-xen/include/sysemu/rng.h b/tools/qemu-xen/include/sysemu/rng.h -index c744d82..08a2eda 100644 ---- a/tools/qemu-xen/include/sysemu/rng.h -+++ b/tools/qemu-xen/include/sysemu/rng.h -@@ -60,6 +60,7 @@ struct RngBackend - GSList 
*requests; - }; - -+ - /** - * rng_backend_request_entropy: - * @s: the backend to request entropy from -@@ -78,4 +79,15 @@ struct RngBackend - void rng_backend_request_entropy(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque); -+ -+/** -+ * rng_backend_free_request: -+ * @s: the backend that created the request -+ * @req: the request to finalize -+ * -+ * Used by child rng backend classes to finalize requests once they've been -+ * processed. The request is removed from the list of active requests and -+ * deleted. -+ */ -+void rng_backend_finalize_request(RngBackend *s, RngRequest *req); - #endif --- -1.7.0.4 - diff --git a/qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch b/qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch deleted file mode 100644 index 96a10b3..0000000 --- a/qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From a0d1cbdacff5df4ded16b753b38fdd9da6092968 Mon Sep 17 00:00:00 2001 -From: chaojianhu -Date: Tue, 9 Aug 2016 11:52:54 +0800 -Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite - -The .receive callback of xlnx.xps-ethernetlite doesn't check the length -of data before calling memcpy. As a result, the NetClientState object in -heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite -will be affected. - -Reported-by: chaojianhu -Signed-off-by: chaojianhu -Signed-off-by: Jason Wang ---- - hw/net/xilinx_ethlite.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c -index 54db2b8..35de353 100644 ---- a/hw/net/xilinx_ethlite.c -+++ b/hw/net/xilinx_ethlite.c -@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size) - } - - D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); -+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { -+ D(qemu_log("ethlite packet is too big, size=%x\n", size)); -+ return -1; -+ } - memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); - - s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; --- -1.7.0.4 - diff --git a/qemu.git-a7278b36fcab9af469563bd7b.patch b/qemu.git-a7278b36fcab9af469563bd7b.patch deleted file mode 100644 index 29f72ff..0000000 --- a/qemu.git-a7278b36fcab9af469563bd7b.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From a7278b36fcab9af469563bd7b9dadebe2ae25e48 Mon Sep 17 00:00:00 2001 -From: Dana Rubin -Date: Tue, 18 Aug 2015 12:45:55 +0300 -Subject: [PATCH] net/vmxnet3: Refine l2 header validation - -Validation of l2 header length assumed minimal packet size as -eth_header + 2 * vlan_header regardless of the actual protocol. - -This caused crash for valid non-IP packets shorter than 22 bytes, as -'tx_pkt->packet_type' hasn't been assigned for such packets, and -'vmxnet3_on_tx_done_update_stats()' expects it to be properly set. - -Refine header length validation in 'vmxnet_tx_pkt_parse_headers'. -Check its return value during packet processing flow. - -As a side effect, in case IPv4 and IPv6 header validation failure, -corrupt packets will be dropped. - -Signed-off-by: Dana Rubin -Signed-off-by: Shmulik Ladkani -Signed-off-by: Jason Wang ---- - hw/net/vmxnet3.c | 4 +--- - hw/net/vmxnet_tx_pkt.c | 19 ++++++++++++++++--- - 2 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/tools/qemu-xen/hw/net/vmxnet3.c b/tools/qemu-xen/hw/net/vmxnet3.c -index 04159c8..48ced71 100644 ---- a/tools/qemu-xen/hw/net/vmxnet3.c -+++ b/tools/qemu-xen/hw/net/vmxnet3.c -@@ -729,9 +729,7 @@ static void vmxnet3_process_tx_queue(VMXNET3State *s, int qidx) - } - - if (txd.eop) { -- if (!s->skip_current_tx_pkt) { -- vmxnet_tx_pkt_parse(s->tx_pkt); -- -+ if (!s->skip_current_tx_pkt && vmxnet_tx_pkt_parse(s->tx_pkt)) { - if (s->needs_vlan) { - vmxnet_tx_pkt_setup_vlan_header(s->tx_pkt, s->tci); - } -diff --git a/tools/qemu-xen/hw/net/vmxnet_tx_pkt.c b/tools/qemu-xen/hw/net/vmxnet_tx_pkt.c -index f7344c4..eb88ddf 100644 ---- a/tools/qemu-xen/hw/net/vmxnet_tx_pkt.c -+++ b/tools/qemu-xen/hw/net/vmxnet_tx_pkt.c -@@ -142,11 +142,24 @@ static bool vmxnet_tx_pkt_parse_headers(struct VmxnetTxPkt *pkt) - - bytes_read = iov_to_buf(pkt->raw, pkt->raw_frags, 0, l2_hdr->iov_base, - ETH_MAX_L2_HDR_LEN); -- if (bytes_read < ETH_MAX_L2_HDR_LEN) { -+ if (bytes_read < sizeof(struct eth_header)) 
{ -+ l2_hdr->iov_len = 0; -+ return false; -+ } -+ -+ l2_hdr->iov_len = sizeof(struct eth_header); -+ switch (be16_to_cpu(PKT_GET_ETH_HDR(l2_hdr->iov_base)->h_proto)) { -+ case ETH_P_VLAN: -+ l2_hdr->iov_len += sizeof(struct vlan_header); -+ break; -+ case ETH_P_DVLAN: -+ l2_hdr->iov_len += 2 * sizeof(struct vlan_header); -+ break; -+ } -+ -+ if (bytes_read < l2_hdr->iov_len) { - l2_hdr->iov_len = 0; - return false; -- } else { -- l2_hdr->iov_len = eth_get_l2_hdr_length(l2_hdr->iov_base); - } - - l3_proto = eth_get_l3_proto(l2_hdr->iov_base, l2_hdr->iov_len); --- -1.7.0.4 - diff --git a/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch index f217376..0ae8636 100644 --- a/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch +++ b/qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch @@ -27,10 +27,10 @@ Signed-off-by: Greg Kurz hw/9pfs/9p.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -diff --git a/fsdev/virtio-9p-marshal.c b/fsdev/9p-iov-marshal.c +diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c index 663cad5..1d16f8d 100644 ---- a/fsdev/virtio-9p-marshal.c -+++ b/fsdev/virtio-9p-marshal.c +--- a/fsdev/9p-iov-marshal.c ++++ b/fsdev/9p-iov-marshal.c @@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, str->data = g_malloc(str->size + 1); copied = v9fs_unpack(str->data, out_sg, out_num, offset, @@ -40,10 +40,10 @@ index 663cad5..1d16f8d 100644 str->data[str->size] = 0; } else { v9fs_string_free(str); -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/9p.c +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 119ee58..39a7e1d 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c @@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque) goto out; } 
diff --git a/qemu.git-c6048f849c7e3f009786df76206e895.patch b/qemu.git-c6048f849c7e3f009786df76206e895.patch deleted file mode 100644 index 1aa70a7..0000000 --- a/qemu.git-c6048f849c7e3f009786df76206e895.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c6048f849c7e3f009786df76206e895a69de032c Mon Sep 17 00:00:00 2001 -From: Shmulik Ladkani -Date: Mon, 21 Sep 2015 17:09:02 +0300 -Subject: [PATCH] vmxnet3: Support reading IMR registers on bar0 - -Instead of asserting, return the actual IMR register value. -This is aligned with what's returned on ESXi. - -Signed-off-by: Shmulik Ladkani -Tested-by: Dana Rubin -Signed-off-by: Jason Wang ---- - hw/net/vmxnet3.c | 6 +++++- - 1 files changed, 5 insertions(+), 1 deletions(-) - -diff --git a/tools/qemu-xen/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 48ced71..057f0dc 100644 ---- a/tools/qemu-xen/hw/net/vmxnet3.c -+++ b/tools/qemu-xen/hw/net/vmxnet3.c -@@ -1163,9 +1163,13 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr, - static uint64_t - vmxnet3_io_bar0_read(void *opaque, hwaddr addr, unsigned size) - { -+ VMXNET3State *s = opaque; -+ - if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_IMR, - VMXNET3_MAX_INTRS, VMXNET3_REG_ALIGN)) { -- g_assert_not_reached(); -+ int l = VMW_MULTIREG_IDX_BY_ADDR(addr, VMXNET3_REG_IMR, -+ VMXNET3_REG_ALIGN); -+ return s->interrupt_states[l].is_masked; - } - - VMW_CBPRN("BAR0 unknown read [%" PRIx64 "], size %d", addr, size); --- -1.7.0.4 - diff --git a/qemu.git-cc96677469388bad3d664793.patch b/qemu.git-cc96677469388bad3d664793.patch deleted file mode 100644 index c36a01f..0000000 --- a/qemu.git-cc96677469388bad3d664793.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Mon, 20 Jun 2016 16:32:39 +0200 -Subject: [PATCH] scsi: esp: fix migration - -Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size", -2016-06-16) changed the size of a migrated field. Split it in two -parts, and only migrate the second part in a new vmstate version. - -Signed-off-by: Paolo Bonzini ---- - hw/scsi/esp.c | 5 +++-- - include/migration/vmstate.h | 5 ++++- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index baa0a2c..1f2f2d3 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr, - - const VMStateDescription vmstate_esp = { - .name ="esp", -- .version_id = 3, -+ .version_id = 4, - .minimum_version_id = 3, - .fields = (VMStateField[]) { - VMSTATE_BUFFER(rregs, ESPState), -@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = { - VMSTATE_BUFFER(ti_buf, ESPState), - VMSTATE_UINT32(status, ESPState), - VMSTATE_UINT32(dma, ESPState), -- VMSTATE_BUFFER(cmdbuf, ESPState), -+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16), -+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4), - VMSTATE_UINT32(cmdlen, ESPState), - VMSTATE_UINT32(do_cmd, ESPState), - VMSTATE_UINT32(dma_left, ESPState), -diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h -index 25ea58a..15ea767 100644 ---- a/include/migration/vmstate.h -+++ b/include/migration/vmstate.h -@@ -904,8 +904,11 @@ extern const VMStateInfo vmstate_info_bitmap; - #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \ - VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size) - -+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \ -+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f))) -+ - #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \ -- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f))) -+ 
VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0) - - #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \ - VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size) --- -1.7.0.4 - diff --git a/qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch b/qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch deleted file mode 100644 index d76dc49..0000000 --- a/qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d9a3b33d2c9f996537b7f1d0246dee2d0120cefb Mon Sep 17 00:00:00 2001 -From: Michael S. Tsirkin -Date: Thu, 19 Nov 2015 15:14:07 +0200 -Subject: [PATCH] acpi: fix buffer overrun on migration - -ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so -ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full -ICH9_PMIO_GPE0_LEN bytes are migrated. - -As a quick work-around, allocate twice the memory. -We'll probably want to tweak code to avoid -migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes, -but that is a bit trickier to do without breaking -migration compatibility. - -Tested-by: "Dr. David Alan Gilbert" -Reported-by: "Dr. David Alan Gilbert" -Cc: qemu-stable@nongnu.org -Signed-off-by: Michael S. Tsirkin ---- - hw/acpi/core.c | 8 ++++++-- - 1 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/tools/qemu-xen/hw/acpi/core.c b/tools/qemu-xen/hw/acpi/core.c -index fe6215a..21e113d 100644 ---- a/tools/qemu-xen/hw/acpi/core.c -+++ b/tools/qemu-xen/hw/acpi/core.c -@@ -625,8 +625,12 @@ void acpi_pm1_cnt_reset(ACPIREGS *ar) - void acpi_gpe_init(ACPIREGS *ar, uint8_t len) - { - ar->gpe.len = len; -- ar->gpe.sts = g_malloc0(len / 2); -- ar->gpe.en = g_malloc0(len / 2); -+ /* Only first len / 2 bytes are ever used, -+ * but the caller in ich9.c migrates full len bytes. -+ * TODO: fix ich9.c and drop the extra allocation. -+ */ -+ ar->gpe.sts = g_malloc0(len); -+ ar->gpe.en = g_malloc0(len); - } - - void acpi_gpe_reset(ACPIREGS *ar) --- -1.7.0.4 - 
diff --git a/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch index 2e17683..230992c 100644 --- a/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch +++ b/qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch @@ -12,10 +12,10 @@ Signed-off-by: Greg Kurz hw/9pfs/9p.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 39a7e1d..ff94a62 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c @@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) if (len < 0) { /* IO error return the error */ diff --git a/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch index 5518aae..0d69644 100644 --- a/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch +++ b/qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch @@ -14,10 +14,10 @@ Signed-off-by: Greg Kurz hw/9pfs/9p.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 26aa7d5..bf23b01 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c @@ -3282,7 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) xattr_fidp->fs.xattr.flags = flags; v9fs_string_init(&xattr_fidp->fs.xattr.name); diff --git a/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch index f231197..0c99289 100644 --- a/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch +++ b/qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch @@ -15,10 +15,10 @@ 
Signed-off-by: Greg Kurz hw/9pfs/9p.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index d43a552..e88cf25 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c @@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque) offset = 7; err = pdu_marshal(pdu, offset, "d", total); diff --git a/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch index 48b3d5a..1a99374 100644 --- a/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch +++ b/qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch @@ -17,10 +17,10 @@ Signed-off-by: Greg Kurz hw/9pfs/9p.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index bf23b01..66135cf 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c @@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) xattr_fidp->fs.xattr.flags = flags; v9fs_string_init(&xattr_fidp->fs.xattr.name); diff --git a/qemu.git-fff39a7ad09da07ef490de05c92c91f22f8002f2.patch b/qemu.git-fff39a7ad09da07ef490de05c92c91f22f8002f2.patch deleted file mode 100644 index d71afa7..0000000 --- a/qemu.git-fff39a7ad09da07ef490de05c92c91f22f8002f2.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From fff39a7ad09da07ef490de05c92c91f22f8002f2 Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Tue, 30 Aug 2016 19:11:05 +0200 -Subject: [PATCH] 9pfs: forbid illegal path names - -Empty path components don't make sense for most commands and may cause -undefined behavior, depending on the backend. - -Also, the walk request described in the 9P spec [1] clearly shows that -the client is supposed to send individual path components: the official -linux client never sends portions of path containing the / character for -example. - -Moreover, the 9P spec [2] also states that a system can decide to restrict -the set of supported characters used in path components, with an explicit -mention "to remove slashes from name components". - -This patch introduces a new name_is_illegal() helper that checks the -names sent by the client are not empty and don't contain unwanted chars. -Since 9pfs is only supported on linux hosts, only the / character is -checked at the moment. When support for other hosts (AKA. win32) is added, -other chars may need to be blacklisted as well. - -If a client sends an illegal path component, the request will fail and -ENOENT is returned to the client. - -[1] http://man.cat-v.org/plan_9/5/walk -[2] http://man.cat-v.org/plan_9/5/intro - -Suggested-by: Peter Maydell -Signed-off-by: Greg Kurz -Reviewed-by: Eric Blake -Reviewed-by: Michael S. 
Tsirkin -Signed-off-by: Peter Maydell ---- - hw/9pfs/virtio-9p.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 56 insertions(+), 0 deletions(-) - -diff --git a/hw/9pfs/virtio-9p.c b/hw/9pfs/virtio-9p.c -index b6b02b4..385269e 100644 ---- a/hw/9pfs/virtio-9p.c -+++ b/hw/9pfs/virtio-9p.c -@@ -1256,6 +1256,11 @@ static int v9fs_walk_marshal(V9fsPDU *pdu, uint16_t nwnames, V9fsQID *qids) - return offset; - } - -+static bool name_is_illegal(const char *name) -+{ -+ return !*name || strchr(name, '/') != NULL; -+} -+ - static void v9fs_walk(void *opaque) - { - int name_idx; -@@ -1289,6 +1294,10 @@ static void v9fs_walk(void *opaque) - if (err < 0) { - goto out_nofid; - } -+ if (name_is_illegal(wnames[i].data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } - offset += err; - } - } else if (nwnames > P9_MAXWELEM) { -@@ -1483,6 +1492,11 @@ static void v9fs_lcreate(void *opaque) - } - trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, dfid); - if (fidp == NULL) { - err = -ENOENT; -@@ -2077,6 +2091,11 @@ static void v9fs_create(void *opaque) - } - trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -EINVAL; -@@ -2242,6 +2261,11 @@ static void v9fs_symlink(void *opaque) - } - trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -EINVAL; -@@ -2316,6 +2340,11 @@ static void v9fs_link(void *opaque) - } - trace_v9fs_link(pdu->tag, pdu->id, dfid, oldfid, name.data); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -ENOENT; 
-@@ -2398,6 +2427,12 @@ static void v9fs_unlinkat(void *opaque) - if (err < 0) { - goto out_nofid; - } -+ -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - dfidp = get_fid(pdu, dfid); - if (dfidp == NULL) { - err = -EINVAL; -@@ -2504,6 +2539,12 @@ static void v9fs_rename(void *opaque) - if (err < 0) { - goto out_nofid; - } -+ -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; -@@ -2616,6 +2657,11 @@ static void v9fs_renameat(void *opaque) - goto out_err; - } - -+ if (name_is_illegal(old_name.data) || name_is_illegal(new_name.data)) { -+ err = -ENOENT; -+ goto out_err; -+ } -+ - v9fs_path_write_lock(s); - err = v9fs_complete_renameat(pdu, olddirfid, - &old_name, newdirfid, &new_name); -@@ -2826,6 +2872,11 @@ static void v9fs_mknod(void *opaque) - } - trace_v9fs_mknod(pdu->tag, pdu->id, fid, mode, major, minor); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; -@@ -2977,6 +3028,11 @@ static void v9fs_mkdir(void *opaque) - } - trace_v9fs_mkdir(pdu->tag, pdu->id, fid, name.data, mode, gid); - -+ if (name_is_illegal(name.data)) { -+ err = -ENOENT; -+ goto out_nofid; -+ } -+ - fidp = get_fid(pdu, fid); - if (fidp == NULL) { - err = -ENOENT; --- -1.7.0.4 - diff --git a/qemu.trad.bug1399055.patch b/qemu.trad.bug1399055.patch new file mode 100644 index 0000000..ca1e595 --- /dev/null +++ b/qemu.trad.bug1399055.patch 
@@ -0,0 +1,76 @@ +From 4299b90e9ba9ce5ca9024572804ba751aa1a7e70 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 18 Oct 2016 13:15:17 +0530 +Subject: [PATCH] display: cirrus: check vga bits per pixel(bpp) value + +In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA, +'cirrus_get_bpp' returns zero(0), which could lead to a divide +by zero error in while copying pixel data. The same could occur +via blit pitch values. Add check to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/cirrus_vga.c | 14 ++++++++++---- + 1 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index 3d712d5..bdb092e 100644 +--- a/hw/cirrus_vga.c ++++ b/hw/cirrus_vga.c +@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s); + static bool blit_region_is_unsafe(struct CirrusVGAState *s, + int32_t pitch, int32_t addr) + { ++ if (!pitch) { ++ return true; ++ } + if (pitch < 0) { + int64_t min = addr + + ((int64_t)s->cirrus_blt_height-1) * pitch; +@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s) + s->cirrus_addr_mask)); + } + +-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) ++static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + { + int sx = 0, sy = 0; + int dx = 0, dy = 0; +@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + int width, height; + + depth = s->get_bpp((VGAState *)s) / 8; ++ if (!depth) { ++ return 0; ++ } + s->get_resolution((VGAState *)s, &width, &height); + + /* extra x, y */ +@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_width, + s->cirrus_blt_height); ++ ++ return 1; + } + + 
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) +@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + if (blit_is_unsafe(s)) + return 0; + +- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, ++ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr, + s->cirrus_blt_srcaddr - s->start_addr, + s->cirrus_blt_width, s->cirrus_blt_height); +- +- return 1; + } + + /*************************************** +-- +1.7.0.4 + diff --git a/sources b/sources index d3aaf31..869f9e1 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ bf8f1f9e3ca83d732c00a79a6ef29bc4 newlib-1.16.0.tar.gz cec05e7785497c5e19da2f114b934ffd pciutils-2.2.9.tar.bz2 debc62758716a169df9f62e6ab2bc634 zlib-1.2.3.tar.gz 7b72caf22b01464ee7d6165f2fd85f44 polarssl-1.1.4-gpl.tgz -8e258d87a1008a3200eec6989e164fa4 xen-4.7.1.tar.gz +d738f7c741110342621cb8a4d10b0191 xen-4.8.0.tar.gz diff --git a/xen.fedora.efi.build.patch b/xen.fedora.efi.build.patch index 7326f15..290065a 100644 --- a/xen.fedora.efi.build.patch +++ b/xen.fedora.efi.build.patch @@ -2,11 +2,11 @@ +++ xen-4.7.0/xen/arch/x86/Makefile 2015-12-02 20:37:06.659988893 +0000 
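Review bot: The preamble of the added file keeps the upstream id `From 4299b90e9ba9ce5ca9024572804ba751aa1a7e70` although the diff below targets the qemu-xen-traditional tree (`hw/cirrus_vga.c`, applied under tools/qemu-xen-traditional as Patch43 in the spec hunks further down), while the spec also lists the upstream qemu-xen patch of the same id as Patch42; a one-line note in the preamble such as `Backport of upstream 4299b90e to qemu-xen-traditional hw/cirrus_vga.c` would keep the two files from being confused. The two new guards also deserve a why-comment, because the divisions they prevent are, as far as the hunks show, outside the visible lines: `/* get_bpp() is 0 in plain VGA modes; bail out before depth is used as a divisor */` above `if (!depth)` in cirrus_do_copy, and `/* per the fix rationale a zero pitch later ends up as a divisor; treat it as unsafe */` above `if (!pitch)` in blit_region_is_unsafe. The bodies of cirrus_do_copy and blit_region_is_unsafe extend beyond the hunks shown.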
@@ -132,20 +132,20 @@ - $(TARGET).efi: prelink-efi.o efi.lds efi/relocs-dummy.o $(BASEDIR)/common/symbols-dummy.o efi/mkreloc + $(TARGET).efi: prelink-efi.o $(note_file) efi.lds efi/relocs-dummy.o $(BASEDIR)/common/symbols-dummy.o efi/mkreloc $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ - $(guard) $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ + $(guard) $(LD_EFI) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \ - $(BASEDIR)/common/symbols-dummy.o -o $(@D)/.$(@F).$(base).0 &&) : + $(BASEDIR)/common/symbols-dummy.o $(note_file) -o $(@D)/.$(@F).$(base).0 &&) : $(guard) efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).0) >$(@D)/.$(@F).0r.S $(guard) $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).0 \ | $(guard) $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).0s.S @@ -14,7 +14,7 @@ $(foreach base, $(VIRT_BASE) $(ALT_BASE), \ - $(guard) $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ + $(guard) $(LD_EFI) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \ - $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o -o $(@D)/.$(@F).$(base).1 &&) : + $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(note_file) -o $(@D)/.$(@F).$(base).1 &&) : $(guard) efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).1) >$(@D)/.$(@F).1r.S $(guard) $(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).1 \ | $(guard) $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).1s.S 
@@ -22,8 +22,8 @@ - $(guard) $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ + $(guard) $(LD_EFI) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \ $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(note_file) -o $@ - if $(guard) false; then rm -f $@; echo 'EFI support disabled'; fi - rm -f $(@D)/.$(@F).[0-9]* + if $(guard) false; then rm -f $@; echo 'EFI support disabled'; \ + else $(NM) -pa --format=sysv $(@D)/$(@F) \ --- xen-4.7.0/xen/arch/x86/efi/Makefile.orig 2016-01-17 15:19:00.906417625 +0000 +++ xen-4.7.0/xen/arch/x86/efi/Makefile 2016-01-17 15:21:21.135489438 +0000 @@ -6,7 +6,7 @@ @@ -34,7 +34,7 @@ +efi := $(if $(efi),$(shell $(LD_EFI) -mi386pep --subsystem=10 -o check.efi check.o 2>disabled && echo y)) efi := $(if $(efi),$(shell rm disabled)y,$(shell $(call create,boot.init.o); $(call create,runtime.o))) - extra-$(efi) += boot.init.o relocs-dummy.o runtime.o compat.o + extra-$(efi) += boot.init.o relocs-dummy.o runtime.o compat.o buildid.o --- xen-4.7.0/xen/Makefile.orig 2016-01-17 15:19:00.907417661 +0000 +++ xen-4.7.0/xen/Makefile 2016-01-17 15:25:22.916243997 +0000 @@ -19,6 +19,8 @@ diff --git a/xen.fedora.systemd.patch b/xen.fedora.systemd.patch index 49f867c..3b75ed0 100644 --- a/xen.fedora.systemd.patch +++ b/xen.fedora.systemd.patch 
@@ -8,39 +8,9 @@ diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/Makefile xen-4.5.0/tools/hot -XEN_SYSTEMD_SERVICE += xen-init-dom0.service +#XEN_SYSTEMD_SERVICE += xen-init-dom0.service +XEN_SYSTEMD_SERVICE += oxenstored.service + XEN_SYSTEMD_SERVICE += xendriverdomain.service ALL_XEN_SYSTEMD = $(XEN_SYSTEMD_MODULES) \ - $(XEN_SYSTEMD_MOUNT) \ -diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/oxenstored.service.in xen-4.5.0/tools/hotplug/Linux/systemd/oxenstored.service.in ---- xen-4.5.0/tools/hotplug/Linux/systemd.orig/oxenstored.service.in 1970-01-01 01:00:00.000000000 +0100 -+++ xen-4.5.0/tools/hotplug/Linux/systemd/oxenstored.service.in 2015-01-25 22:37:15.000000000 +0000 -@@ -0,0 +1,26 @@ -+[Unit] -+Description=The ocaml version of Xen xenstore -+Requires=xenstored_ro.socket xenstored.socket proc-xen.mount var-lib-xenstored.mount -+After=proc-xen.mount var-lib-xenstored.mount -+Before=libvirtd.service libvirt-guests.service -+Conflicts=xenstored.service -+RefuseManualStop=true -+ConditionPathExists=/proc/xen/capabilities -+ -+[Service] -+Type=notify -+KillMode=none -+Sockets=xenstored.socket xenstored_ro.socket -+Environment=XENSTORED_ARGS= -+EnvironmentFile=-@CONFIG_DIR@/@CONFIG_LEAF_DIR@/xencommons -+ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities -+ExecStartPre=-/bin/rm -f @XEN_LIB_STORED@/tdb* -+ExecStartPre=/bin/mkdir -p @XEN_RUN_DIR@ -+ExecStart=@sbindir@/oxenstored --no-fork $XENSTORED_ARGS -+ExecStartPost=-@LIBEXEC_BIN@/xen-init-dom0 -+ -+[Install] -+WantedBy=multi-user.target -+Also=xenstored_ro.socket xenstored.socket -+Also=proc-xen.mount -+Also=var-lib-xenstored.mount diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/var-lib-xenstored.mount.in xen-4.5.0/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in --- xen-4.5.0/tools/hotplug/Linux/systemd.orig/var-lib-xenstored.mount.in 2015-01-12 16:53:24.000000000 +0000 +++ xen-4.5.0/tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in 2015-01-25 22:28:59.000000000 +0000 
@@ -89,26 +59,6 @@ diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/xen-qemu-dom0-disk-backend.s Before=xendomains.service libvirtd.service libvirt-guests.service RefuseManualStop=true ConditionPathExists=/proc/xen/capabilities -diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/xenstored.service.in xen-4.5.0/tools/hotplug/Linux/systemd/xenstored.service.in ---- xen-4.5.0/tools/hotplug/Linux/systemd.orig/xenstored.service.in 2015-01-12 16:53:24.000000000 +0000 -+++ xen-4.5.0/tools/hotplug/Linux/systemd/xenstored.service.in 2015-01-25 22:37:27.000000000 +0000 -@@ -8,13 +8,14 @@ - [Service] - Type=notify - KillMode=none -+Sockets=xenstored.socket xenstored_ro.socket - Environment=XENSTORED_ARGS= --Environment=XENSTORED=@XENSTORED@ - EnvironmentFile=-@CONFIG_DIR@/@CONFIG_LEAF_DIR@/xencommons - ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities - ExecStartPre=-/bin/rm -f @XEN_LIB_STORED@/tdb* - ExecStartPre=/bin/mkdir -p @XEN_RUN_DIR@ --ExecStart=/bin/sh -c "exec $XENSTORED --no-fork $XENSTORED_ARGS" -+ExecStart=@sbindir@/xenstored --no-fork $XENSTORED_ARGS -+ExecStartPost=-@LIBEXEC_BIN@/xen-init-dom0 - - [Install] - WantedBy=multi-user.target --- xen-4.6.0/tools/configure.ac.orig 2015-02-15 16:47:22.000000000 +0000 +++ xen-4.6.0/tools/configure.ac 2015-03-01 16:18:30.493647587 +0000 @@ -382,9 +382,9 @@ 
@@ -128,8 +78,57 @@ diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/xenstored.service.in xen-4.5 if test "x$systemd" = "xy"; then : -- ac_config_files="$ac_config_files hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/var-lib-xenstored.mount hotplug/Linux/systemd/xen-init-dom0.service hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xenstored.service hotplug/Linux/systemd/xenstored.socket hotplug/Linux/systemd/xenstored_ro.socket" -+ ac_config_files="$ac_config_files hotplug/Linux/systemd/oxenstored.service hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/var-lib-xenstored.mount hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xenstored.service hotplug/Linux/systemd/xenstored.socket hotplug/Linux/systemd/xenstored_ro.socket" +- ac_config_files="$ac_config_files hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/var-lib-xenstored.mount hotplug/Linux/systemd/xen-init-dom0.service hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xendriverdomain.service hotplug/Linux/systemd/xenstored.service" ++ ac_config_files="$ac_config_files hotplug/Linux/systemd/oxenstored.service hotplug/Linux/systemd/proc-xen.mount hotplug/Linux/systemd/var-lib-xenstored.mount hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service hotplug/Linux/systemd/xen-watchdog.service hotplug/Linux/systemd/xenconsoled.service hotplug/Linux/systemd/xendomains.service hotplug/Linux/systemd/xendriverdomain.service hotplug/Linux/systemd/xenstored.service" fi +--- 
xen-4.8.0-rc2/tools/hotplug/Linux/launch-xenstore.in.orig 2016-10-10 19:10:56.000000000 +0100 ++++ xen-4.8.0-rc2/tools/hotplug/Linux/launch-xenstore.in 2016-10-17 10:08:05.264638560 +0100 +@@ -15,7 +15,9 @@ + # License along with this library; If not, see . + # + ++if [ "$XENSTORED" == "" ]; then + XENSTORED=@XENSTORED@ ++fi + + . @XEN_SCRIPT_DIR@/hotplugpath.sh + +--- xen-4.8.0-rc2/tools/hotplug/Linux/systemd/xenstored.service.in.orig 2016-10-10 19:10:56.000000000 +0100 ++++ xen-4.8.0-rc2/tools/hotplug/Linux/systemd/xenstored.service.in 2016-10-17 16:08:22.247227302 +0100 +@@ -10,8 +10,10 @@ + Type=notify + NotifyAccess=all + RemainAfterExit=true ++Environment=XENSTORED=/usr/sbin/xenstored + ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities + ExecStart=@XEN_SCRIPT_DIR@/launch-xenstore ++ExecStartPost=-@LIBEXEC_BIN@/xen-init-dom0 + + [Install] + WantedBy=multi-user.target +--- xen-4.8.0-rc2/tools/hotplug/Linux/systemd/oxenstored.service.in.orig 2016-10-17 16:08:57.643505629 +0100 ++++ xen-4.8.0-rc2/tools/hotplug/Linux/systemd/oxenstored.service.in 2016-10-17 16:10:02.499847897 +0100 +@@ -0,0 +1,21 @@ ++[Unit] ++Description=The ocaml version of Xen xenstore ++Requires=proc-xen.mount var-lib-xenstored.mount ++After=proc-xen.mount var-lib-xenstored.mount ++Before=libvirtd.service libvirt-guests.service ++RefuseManualStop=true ++ConditionPathExists=/proc/xen/capabilities ++ ++[Service] ++Type=notify ++NotifyAccess=all ++RemainAfterExit=true ++Environment=XENSTORED=/usr/sbin/oxenstored ++ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities ++ExecStart=@XEN_SCRIPT_DIR@/launch-xenstore ++ExecStartPost=-@LIBEXEC_BIN@/xen-init-dom0 ++ ++[Install] ++WantedBy=multi-user.target ++Also=proc-xen.mount ++Also=var-lib-xenstored.mount diff --git a/xen.hypervisor.config b/xen.hypervisor.config index 847e88a..6da827a 100644 --- a/xen.hypervisor.config +++ b/xen.hypervisor.config 
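Review bot: The guard added to launch-xenstore.in, `if [ "$XENSTORED" == "" ]; then`, relies on the bash-only `==` operator inside `[ ]`; the script's interpreter line is not visible here, but `if [ -z "$XENSTORED" ]; then` behaves the same in every /bin/sh and reads clearer. The new oxenstored.service.in also drops the `Conflicts=xenstored.service` line that the replaced unit (removed earlier in this file) carried, so nothing now prevents both units from being enabled and each starting a xenstore through the same launch-xenstore script; restoring `Conflicts=xenstored.service` keeps them mutually exclusive. Both units additionally hard-code `Environment=XENSTORED=/usr/sbin/xenstored` and `/usr/sbin/oxenstored`, whereas the rest of the file uses configure substitutions such as `@XEN_SCRIPT_DIR@` and the replaced unit used `@sbindir@`; `Environment=XENSTORED=@sbindir@/xenstored` would follow the prefix the package is configured with.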
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Xen/x86 4.7.0 Configuration +# Xen/x86 4.8.0 Configuration # CONFIG_X86_64=y CONFIG_X86=y @@ -12,12 +12,16 @@ CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" CONFIG_NR_CPUS=256 CONFIG_SHADOW_PAGING=y # CONFIG_BIGMEM is not set +# CONFIG_HVM_FEP is not set +CONFIG_TBOOT=y # # Common Features # CONFIG_COMPAT=y CONFIG_CORE_PARKING=y +CONFIG_HAS_ALTERNATIVE=y +CONFIG_HAS_EX_TABLE=y CONFIG_HAS_MEM_ACCESS=y CONFIG_HAS_MEM_PAGING=y CONFIG_HAS_MEM_SHARING=y @@ -34,6 +38,7 @@ CONFIG_SCHED_CREDIT2=y CONFIG_SCHED_RTDS=y CONFIG_SCHED_ARINC653=y CONFIG_SCHED_DEFAULT="credit" +CONFIG_CRYPTO=y CONFIG_LIVEPATCH=y CONFIG_FAST_SYMBOL_LOOKUP=y @@ -51,3 +56,17 @@ CONFIG_HAS_PCI=y CONFIG_VIDEO=y CONFIG_VGA=y CONFIG_DEFCONFIG_LIST="$ARCH_DEFCONFIG" + +# +# Debugging Options +# +# CONFIG_DEBUG is not set + +# ARM errata workaround via the alternative framework +# +CONFIG_ARM64_ERRATUM_827319=y +CONFIG_ARM64_ERRATUM_824069=y +CONFIG_ARM64_ERRATUM_819472=y +CONFIG_ARM64_ERRATUM_832075=y +CONFIG_ARM64_ERRATUM_834220=y + diff --git a/xen.spec b/xen.spec index 5a42835..4db1996 100644 --- a/xen.spec +++ b/xen.spec @@ -25,8 +25,8 @@ # build an efi boot image (where supported) unless rpmbuild was run with # --without efi %define build_efi %{?_without_efi: 0} %{?!_without_efi: 1} -# xen only supports efi boot images on x86_64 -%ifnarch x86_64 +# xen only supports efi boot images on x86_64 or aarch64 +%ifnarch x86_64 aarch64 %define build_efi 0 %endif %if "%dist" >= ".fc20" @@ -36,12 +36,12 @@ %endif # Hypervisor ABI -%define hv_abi 4.7 +%define hv_abi 4.8 Summary: Xen is a virtual machine monitor Name: xen -Version: 4.7.1 -Release: 3%{?dist} +Version: 4.8.0 +Release: 1%{?dist} Group: Development/Libraries License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ 
@@ -54,8 +54,6 @@ Source12: zlib-1.2.3.tar.gz Source13: pciutils-2.2.9.tar.bz2 Source14: grub-0.97.tar.gz Source15: polarssl-1.1.4-gpl.tgz -# systemd file for xen driver domain -Source20: xendriverdomain.service # .config file for xen hypervisor Source21: xen.hypervisor.config 
@@ -70,83 +68,42 @@ Patch8: qemu.trad.CVE-2015-6815.patch Patch9: qemu.trad.CVE-2015-5279.patch Patch10: qemu.trad.CVE-2015-5278.patch Patch11: qemu.trad.CVE-2015-7295.patch -Patch12: qemu.git-00837731d254908a841d69298a4f9f077babaf24.patch -Patch13: qemu.trad.CVE-2015-8345.patch -Patch14: qemu.trad.CVE-2015-7512.patch -Patch15: qemu.trad.CVE-2015-8504.patch -Patch16: qemu.git-43b11a91dd861a946b231b89b754285.patch -Patch17: qemu.git-d9a3b33d2c9f996537b7f1d0246dee2d0120cefb.patch -Patch18: qemu.git-a7278b36fcab9af469563bd7b.patch -Patch19: qemu.git-c6048f849c7e3f009786df76206e895.patch -Patch20: qemu.trad.CVE-2016-1714.patch -Patch21: qemu.CVE-2016-1922.patch -Patch22: qemu.trad.CVE-2016-1981.patch -Patch23: qemu.CVE-2016-2198.patch -Patch24: qemu.CVE-2016-2841.patch -Patch25: qemu.trad.CVE-2016-2841.patch -Patch26: qemu.CVE-2016-2538.patch -Patch27: qemu.trad.CVE-2016-2538.patch -Patch28: qemu.CVE-2016-2392.patch -Patch29: qemu.CVE-2016-2391.patch -Patch30: qemu.CVE-2016-2857.patch -Patch31: qemu.trad.CVE-2016-2857.patch -Patch32: qemu.git-3a15cc0e1ee7168db0782133d2607a6bfa422d66.patch -Patch33: qemu.trad.CVE-2016-4001.patch -Patch34: qemu.CVE-2016-4002.patch -Patch35: qemu.trad.CVE-2016-4002.patch -Patch36: qemu.CVE-2016-4037.patch -Patch37: qemu.bug1330513.patch -Patch38: qemu.CVE-2016-4439.patch -Patch39: qemu.trad.CVE-2016-4439.patch -Patch40: qemu.CVE-2016-4441.patch -Patch41: qemu.trad.CVE-2016-4441.patch -Patch42: qemu.CVE-2016-5106.patch -Patch43: qemu.CVE-2016-5105.patch -Patch44: qemu.git-3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750.patch -Patch45: qemu.git-74074e8a7c60592cf1cc6469dbc2550d24aeded3.patch -Patch46: qemu.git-9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9.patch -Patch47: qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475dce9956.patch -Patch48: qemu.CVE-2016-4454.1.patch -Patch49: qemu.CVE-2016-4454.2.patch -Patch50: qemu.CVE-2016-4454.3.patch -Patch51: qemu.CVE-2016-4453.patch -Patch52: qemu.CVE-2016-5238.patch -Patch53: qemu.trad.CVE-2016-5238.patch -Patch54: 
qemu.CVE-2016-5338.patch -Patch55: qemu.trad.CVE-2016-5338.patch -Patch56: qemu.CVE-2016-5337.patch -Patch57: xen.xs_watch.stacksize.patch -Patch62: qemu.git-926cde5f3e4d2504ed161ed0.patch -Patch63: qemu.git-cc96677469388bad3d664793.patch -Patch64: qemu.trad.CVE-2016-6351.patch -Patch65: xen.glibcfix.patch -Patch70: qemu.git-fff39a7ad09da07ef490de05c92c91f22f8002f2.patch -Patch71: qemu.git-805b5d98c649d26fc44d2d7755a97f18e62b438a.patch -Patch72: qemu.git-56f101ecce0eafd09e2daf1c4eeb1377d6959261.patch -Patch73: qemu.git-a0d1cbdacff5df4ded16b753b38fdd9da6092968.patch -Patch75: qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch -Patch76: qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch -Patch77: qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch -Patch78: qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch -Patch79: qemu.trad.CVE-2016-8669.patch -Patch80: qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch -Patch81: qemu.trad.CVE-2016-8910.patch -Patch82: qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch -Patch83: qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch -Patch84: qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch -Patch85: qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch -Patch86: qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch -Patch87: qemu.bug1389686.patch -Patch88: xsa191.patch -Patch89: xsa192.patch -Patch90: xsa193-4.7.patch -Patch91: xsa194.patch -Patch92: xsa195.patch -Patch93: xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch -Patch94: xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch -Patch95: xsa197-qemut.patch -Patch96: xsa197-qemuu.patch -Patch97: xsa198.patch +Patch12: qemu.trad.CVE-2015-8345.patch +Patch13: qemu.trad.CVE-2015-7512.patch +Patch14: qemu.trad.CVE-2015-8504.patch +Patch15: qemu.trad.CVE-2016-1714.patch +Patch16: qemu.trad.CVE-2016-1981.patch +Patch17: qemu.trad.CVE-2016-2841.patch +Patch18: qemu.trad.CVE-2016-2538.patch +Patch19: 
qemu.trad.CVE-2016-2857.patch +Patch20: qemu.trad.CVE-2016-4001.patch +Patch21: qemu.trad.CVE-2016-4002.patch +Patch22: qemu.trad.CVE-2016-4439.patch +Patch23: qemu.trad.CVE-2016-4441.patch +Patch24: qemu.trad.CVE-2016-5238.patch +Patch25: qemu.trad.CVE-2016-5338.patch +Patch26: xen.xs_watch.stacksize.patch +Patch27: qemu.trad.CVE-2016-6351.patch +Patch28: xen.glibcfix.patch +Patch29: qemu.git-05f43d44e4bc26611ce25fd7d726e483f73363ce.patch +Patch30: qemu.git-e95c9a493a5a8d6f969e86c9f19f80ffe6587e19.patch +Patch31: qemu.git-ba42ebb863ab7d40adc79298422ed9596df8f73a.patch +Patch32: qemu.git-3592fe0c919cf27a81d8e9f9b4f269553418bb01.patch +Patch33: qemu.trad.CVE-2016-8669.patch +Patch34: qemu.git-c7c35916692fe010fef25ac338443d3fe40be225.patch +Patch35: qemu.trad.CVE-2016-8910.patch +Patch36: qemu.git-6be8f5e2626e102433e569d9cece2120baf0c879.patch +Patch37: qemu.git-eb687602853b4ae656e9236ee4222609f3a6887d.patch +Patch38: qemu.git-ff55e94d23ae94c8628b0115320157c763eb3e06.patch +Patch39: qemu.git-4c1586787ff43c9acd18a56c12d720e3e6be9f7c.patch +Patch40: qemu.git-fdfcc9aeea1492f4b819a24c94dfb678145b1bf9.patch +Patch41: qemu.git-7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6.patch +Patch42: qemu.git-4299b90e9ba9ce5ca9024572804ba751aa1a7e70.patch +Patch43: qemu.trad.bug1399055.patch +Patch44: qemu.git-4774718e5c194026ba5ee7a28d9be49be3080e42.patch +Patch45: qemu.git-702dbcc274e2ca43be20ba64c758c0ca57dab91d.patch +Patch46: qemu.git-971f406b77a6eb84e0ad27dcc416b663765aee30.patch +Patch47: qemu.git-898ae90a44551d25b8e956fd87372d303c82fe68.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel 
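Review bot: The rewritten patch list drops every non-trad `qemu.CVE-2016-*.patch` entry and the `xsa191`–`xsa198` entries (old Patch88–Patch97) without the commit message saying why beyond "update to xen-4.8.0"; if those fixes are carried by the 4.8.0 tarball, a comment in the spec such as `# qemu-xen CVE-2016-* and XSA-191..198 fixes are included in xen-4.8.0` above Patch29 records that, and if any are not, the removal needs a justification. The new `qemu.git-<hash>.patch` entries Patch41–Patch47 are named only by hash, and the commit message mentions the cirrus divide-by-zero and a 9pfs leak without saying which hash is which; a short per-line comment (e.g. `# 9pfs: proxy/handle callback leak`) would make the security content of the list auditable from the spec alone.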
@@ -201,15 +158,17 @@ Requires: xen-runtime = %{version}-%{release} # installs xen. Requires: kpartx Requires: chkconfig -ExclusiveArch: %{ix86} x86_64 +ExclusiveArch: %{ix86} x86_64 armv7hl aarch64 #ExclusiveArch: %#{ix86} x86_64 ia64 noarch %if %with_ocaml BuildRequires: ocaml, ocaml-findlib %endif # efi image needs an ld that has -mi386pep option %if %build_efi +%ifarch x86_64 BuildRequires: mingw64-binutils %endif +%endif %if %with_systemd_presets Requires(post): systemd Requires(preun): systemd @@ -217,6 +176,9 @@ Requires(postun): systemd BuildRequires: systemd %endif BuildRequires: systemd-devel +%ifarch armv7hl aarch64 +BuildRequires: libfdt-devel +%endif %description This package contains the XenD daemon and xm command line @@ -340,15 +302,23 @@ manage Xen virtual machines. %patch24 -p1 %patch25 -p1 %patch26 -p1 -%patch27 -p1 %patch28 -p1 + +# qemu-xen-traditional patches +pushd tools/qemu-xen-traditional +%patch27 -p1 +%patch33 -p1 +%patch35 -p1 +%patch43 -p1 +popd + +# qemu-xen patches +pushd tools/qemu-xen %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch32 -p1 -%patch33 -p1 %patch34 -p1 -%patch35 -p1 %patch36 -p1 %patch37 -p1 %patch38 -p1 
@@ -356,59 +326,10 @@ manage Xen virtual machines. %patch40 -p1 %patch41 -p1 %patch42 -p1 -%patch43 -p1 %patch44 -p1 %patch45 -p1 %patch46 -p1 %patch47 -p1 -%patch48 -p1 -%patch49 -p1 -%patch50 -p1 -%patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch54 -p1 -%patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch65 -p1 -%patch88 -p1 -%patch89 -p1 -%patch90 -p1 -%patch91 -p1 -%patch92 -p1 -%patch93 -p1 -%patch94 -p1 -%patch97 -p1 - -# qemu-xen-traditional patches -pushd tools/qemu-xen-traditional -%patch64 -p1 -%patch79 -p1 -%patch81 -p1 -%patch95 -p1 -popd - -# qemu-xen patches -pushd tools/qemu-xen -%patch62 -p1 -%patch63 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch75 -p1 -%patch76 -p1 -%patch77 -p1 -%patch78 -p1 -%patch80 -p1 -%patch82 -p1 -%patch83 -p1 -%patch84 -p1 -%patch85 -p1 -%patch86 -p1 -%patch87 -p1 -%patch96 -p1 popd # stubdom sources @@ -422,7 +343,9 @@ cp -v %{SOURCE21} xen/.config %define ocaml_flags OCAML_TOOLS=n %endif %if %build_efi +%ifarch x86_64 %define efi_flags LD_EFI=/usr/x86_64-w64-mingw32/bin/ld +%endif mkdir -p dist/install/boot/efi/efi/fedora %endif %if %(test -f /usr/share/seabios/bios-256k.bin && echo 1|| echo 0) 
@@ -437,8 +360,12 @@ export EXTRA_CFLAGS_QEMU_XEN="$RPM_OPT_FLAGS" %if %build_crosshyp XEN_TARGET_ARCH=x86_64 make %{?_smp_mflags} %{?efi_flags} prefix=/usr xen CC="/usr/bin/x86_64-linux-gnu-gcc `echo $RPM_OPT_FLAGS | sed -e 's/-m32//g' -e 's/-march=i686//g' -e 's/-mtune=atom//g'`" %else +%ifarch armv7hl +make %{?_smp_mflags} %{?efi_flags} prefix=/usr xen CC="gcc `echo $RPM_OPT_FLAGS | sed -e 's/-mfloat-abi=hard//g' -e 's/-march=armv7-a//g'`" +%else make %{?_smp_mflags} %{?efi_flags} prefix=/usr xen CC="gcc $RPM_OPT_FLAGS" %endif +%endif ./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386 --with-linux-backend-modules="xen-evtchn xen-gntdev xen-gntalloc xen-blkback xen-netback xen-pciback xen-scsiback xen-acpi-processor" make %{?_smp_mflags} %{?ocaml_flags} prefix=/usr tools make prefix=/usr docs @@ -446,8 +373,10 @@ export RPM_OPT_FLAGS_RED=`echo $RPM_OPT_FLAGS | sed -e 's/-m64//g' -e 's/--param %ifarch %{ix86} export EXTRA_CFLAGS_XEN_TOOLS="$RPM_OPT_FLAGS_RED" %endif +%ifnarch armv7hl aarch64 make mini-os-dir make -C stubdom build +%endif %ifarch x86_64 export EXTRA_CFLAGS_XEN_TOOLS="$RPM_OPT_FLAGS_RED" XEN_TARGET_ARCH=x86_32 make -C stubdom pv-grub @@ -469,7 +398,9 @@ make DESTDIR=%{buildroot} %{?efi_flags} prefix=/usr install-xen %endif make DESTDIR=%{buildroot} %{?ocaml_flags} prefix=/usr install-tools make DESTDIR=%{buildroot} prefix=/usr install-docs +%ifnarch armv7hl aarch64 make DESTDIR=%{buildroot} %{?ocaml_flags} prefix=/usr install-stubdom +%endif %if %build_efi mv %{buildroot}/boot/efi/efi %{buildroot}/boot/efi/EFI %endif 
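Review bot: The unchanged `./configure` line right after the new `%ifarch armv7hl` branch now also runs for armv7hl/aarch64, and it still passes `--with-system-seabios=%{seabiosloc}` and `--with-system-qemu=/usr/bin/qemu-system-i386`, both of which only make sense for x86 guests. Whether the 4.8 configure script tolerates those on ARM is not visible here; if it does not, put them behind an arch conditional, e.g. `%ifarch %{ix86} x86_64` / `X86_CONF="--with-system-seabios=%{seabiosloc} --with-system-qemu=/usr/bin/qemu-system-i386"` / `%endif` and pass `$X86_CONF` on the configure line. The armv7hl `sed` also strips `-mfloat-abi=hard` and `-march=armv7-a` from the hypervisor CFLAGS without saying why; a one-line comment such as `# the hypervisor must not be built with the hard-float userspace ABI` above that `make` keeps the next updater from restoring the distro flags. The %build section continues outside the hunk.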
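Review bot: The `mv %{buildroot}/boot/efi/efi %{buildroot}/boot/efi/EFI` inside `%if %build_efi` at the end of the install hunk is not restricted to x86_64, while `efi_flags` and the mingw64-binutils BuildRequires were both nested under `%ifarch x86_64` in the earlier hunks of this commit. If `install-xen` on armv7hl/aarch64 does not create `%{buildroot}/boot/efi/efi` (nothing in the diff shows that it does), the `mv` aborts the %install stage on the new architectures. Either nest it the same way, `%ifarch x86_64` / `mv ...` / `%endif`, or make it tolerant with `[ -d %{buildroot}/boot/efi/efi ] && mv %{buildroot}/boot/efi/efi %{buildroot}/boot/efi/EFI`. The %install section continues outside the hunk.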
@@ -542,8 +473,6 @@ rm %{buildroot}%{_sysconfdir}/rc.d/init.d/xencommons rm %{buildroot}%{_sysconfdir}/rc.d/init.d/xendomains rm %{buildroot}%{_sysconfdir}/rc.d/init.d/xendriverdomain -install -m 644 %{SOURCE20} %{buildroot}%{_unitdir}/xendriverdomain.service - ############ create dirs in /var ############ mkdir -p %{buildroot}%{_localstatedir}/lib/xen/images @@ -715,8 +644,6 @@ rm -rf %{buildroot} %{_unitdir}/xenconsoled.service %{_unitdir}/xen-watchdog.service %{_unitdir}/xen-qemu-dom0-disk-backend.service -%{_unitdir}/xenstored.socket -%{_unitdir}/xenstored_ro.socket %{_unitdir}/xendriverdomain.service /usr/lib/modules-load.d/xen.conf @@ -733,9 +660,11 @@ rm -rf %{buildroot} %dir /usr/lib/%{name}/bin %attr(0700,root,root) /usr/lib/%{name}/bin/* # QEMU runtime files +%ifnarch armv7hl aarch64 %dir %{_datadir}/%{name}/qemu %dir %{_datadir}/%{name}/qemu/keymaps %{_datadir}/%{name}/qemu/keymaps/* +%endif # man pages %{_mandir}/man1/xentop.1* @@ -754,14 +683,14 @@ rm -rf %{buildroot} # The firmware %ifarch %{ix86} x86_64 %dir /usr/lib/%{name}/boot -%if "%{_libdir}" != "/usr/lib" -%{_libdir}/%{name} -%endif /usr/lib/xen/boot/hvmloader /usr/lib/xen/boot/ioemu-stubdom.gz /usr/lib/xen/boot/xenstore-stubdom.gz /usr/lib/xen/boot/pv-grub*.gz %endif +%if "%{_libdir}" != "/usr/lib" +%{_libdir}/%{name} +%endif # General Xen state %dir %{_localstatedir}/lib/%{name} %dir %{_localstatedir}/lib/%{name}/dump @@ -789,19 +718,24 @@ rm -rf %{buildroot} %{_sbindir}/qcow2raw %{_sbindir}/img2qcow # Misc stuff +%ifnarch armv7hl aarch64 %{_bindir}/xen-detect +%endif %{_bindir}/xencov_split +%ifnarch armv7hl aarch64 %{_sbindir}/gdbsx -%{_sbindir}/gtrace* %{_sbindir}/kdd +%endif %{_sbindir}/lock-util %{_sbindir}/tap-ctl %{_sbindir}/td-util %{_sbindir}/vhd-* %{_sbindir}/xen-bugtool +%ifnarch armv7hl aarch64 %{_sbindir}/xen-hptool %{_sbindir}/xen-hvmcrash %{_sbindir}/xen-hvmctx +%endif %{_sbindir}/xen-tmem-list-parse %{_sbindir}/xenconsoled %{_sbindir}/xenlockprof 
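Review bot: Removing the `install -m 644 %{SOURCE20} %{buildroot}%{_unitdir}/xendriverdomain.service` line means the unit now comes from whatever `install-tools` ships, but the Fedora unit being retired (deleted further down in this commit) carried a dom0 guard — `ConditionPathExists=/proc/xen/capabilities` plus `ExecStartPre=/bin/bash -c "! /bin/grep -q control_d /proc/xen/capabilities"` — and read `/etc/sysconfig/xendriverdomain`. The upstream unit's content is not visible in this diff, so confirm it still refuses to start `xl devd` in dom0 and still honours the sysconfig EnvironmentFile, since `%{_unitdir}/xendriverdomain.service` stays in %files and in the systemd presets. The `Source20:` preamble line is not in view either; if it was not dropped alongside this, rpmbuild keeps requiring a file the package no longer uses.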
@@ -815,15 +749,23 @@ rm -rf %{buildroot} %{_sbindir}/xenperf %{_sbindir}/xenwatchdogd %{_sbindir}/xl +%ifnarch armv7hl aarch64 %{_sbindir}/xen-lowmemd +%endif %{_sbindir}/xen-ringwatch %{_sbindir}/xencov +%ifnarch armv7hl aarch64 %{_sbindir}/xen-mfndump +%endif /usr/share/pkgconfig/* +%ifnarch armv7hl aarch64 %{_bindir}/xenalyze +%endif %{_sbindir}/xentrace %{_sbindir}/xentrace_setsize +%ifnarch armv7hl aarch64 %{_bindir}/xen-cpuid +%endif %{_sbindir}/xen-livepatch # Xen logfiles @@ -834,9 +776,13 @@ rm -rf %{buildroot} %files hypervisor %if %build_hyp %defattr(-,root,root) +%ifnarch armv7hl aarch64 /boot/xen-*.gz /boot/xen.gz /boot/xen*.config +%else +/boot/xen* +%endif %if %build_xsm %dir %attr(0755,root,root) /boot/flask /boot/flask/xenpolicy* @@ -885,6 +831,20 @@ rm -rf %{buildroot} %endif %changelog +* Wed Dec 07 2016 Michael Young - 4.8.0-1 +- update to xen-4.8.0 (#1401490) + includes fix for [XSA-201, CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, + CVE-2016-9818] (#1399747) + adjust xen.use.fedora.ipxe.patch, xen.fedora.efi.build.patch, + xen.fedora.systemd.patch and xen.hypervisor.config + use upstream xendriverdomain systemd script + remove upstream patches + xenstored.*socket and gtrace* are no longer built + renumber patches +- add armv7hl and aarch64 builds (experimental in Fedora) +- qemu: Divide by zero vulnerability in cirrus_do_copy (#1399055) +- Qemu: 9pfs: memory leakage via proxy/handle callbacks (#1402278) + * Tue Nov 22 2016 Michael Young - 4.7.1-3 - xen : various security flaws (#1397383) x86 null segments not always treated as unusable [XSA-191, CVE-2016-9386] diff --git a/xen.use.fedora.ipxe.patch b/xen.use.fedora.ipxe.patch index ec1b978..fef3a9c 100644 --- a/xen.use.fedora.ipxe.patch +++ b/xen.use.fedora.ipxe.patch @@ -12,18 +12,18 @@ --- xen-4.2.0/Config.mk.orig 2012-05-27 21:57:04.479812884 +0100 +++ xen-4.2.0/Config.mk 2012-06-02 18:55:14.087169469 +0100 
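Review bot: The new `%else` branch of the hypervisor %files list packages the ARM hypervisor as a bare `/boot/xen*` glob, whereas the x86 branch names `/boot/xen-*.gz`, `/boot/xen.gz` and `/boot/xen*.config` explicitly. A glob that wide silently picks up anything `install-xen` later drops under /boot with a `xen` prefix (an EFI image, a symlink, a debug copy), so a change in what 4.8 installs on ARM would never surface in review. If the ARM file names are not yet settled, say so next to the glob, e.g. `# ARM hypervisor file names differ from x86 (no xen.gz); list them explicitly once known`, or list the files the build actually produces.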
@@ -206,7 +206,7 @@ - # Tue, 1 Mar 2016 15:06:45 +0100 (16:06 +0200) - # fw/pci: add Q35 S3 support + # Wed Jun 22 14:53:24 2016 +0800 + # fw/msr_feature_control: add support to set MSR_IA32_FEATURE_CONTROL -ETHERBOOT_NICS ?= rtl8139 8086100e +ETHERBOOT_NICS ?= 10ec8139 8086100e - QEMU_TRADITIONAL_REVISION ?= xen-4.7.1 + QEMU_TRADITIONAL_REVISION ?= xen-4.8.0 --- xen-4.2.0/tools/firmware/Makefile.orig 2012-05-27 21:57:04.480812871 +0100 +++ xen-4.2.0/tools/firmware/Makefile 2012-06-02 19:03:52.254691484 +0100 @@ -10,7 +10,7 @@ - endif + SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir SUBDIRS-$(CONFIG_ROMBIOS) += rombios SUBDIRS-$(CONFIG_ROMBIOS) += vgabios -SUBDIRS-$(CONFIG_ROMBIOS) += etherboot diff --git a/xendriverdomain.service b/xendriverdomain.service deleted file mode 100644 index 1e0c111..0000000 --- a/xendriverdomain.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Start services within a xen driver domain -Requires=proc-xen.mount -After=proc-xen.mount -ConditionPathExists=/proc/xen/capabilities - -[Service] -Type=forking -ExecStartPre=/bin/bash -c "! /bin/grep -q control_d /proc/xen/capabilities" -EnvironmentFile=/etc/xen/scripts/hotplugpath.sh -EnvironmentFile=-/etc/sysconfig/xendriverdomain -PIDFile=/run/xldevd.pid -ExecStart=/usr/sbin/xl devd --pidfile=/run/xldevd.pid ${XLDEVD_ARGS} diff --git a/xsa191.patch b/xsa191.patch deleted file mode 100644 index 956f1c9..0000000 --- a/xsa191.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From: Andrew Cooper -Subject: x86/hvm: Fix the handling of non-present segments - -In 32bit, the data segments may be NULL to indicate that the segment is -ineligible for use. In both 32bit and 64bit, the LDT selector may be NULL to -indicate that the entire LDT is ineligible for use. However, nothing in Xen -actually checks for this condition when performing other segmentation -checks. (Note however that limit and writeability checks are correctly -performed). - -Neither Intel nor AMD specify the exact behaviour of loading a NULL segment. -Experimentally, AMD zeroes all attributes but leaves the base and limit -unmodified. Intel zeroes the base, sets the limit to 0xfffffff and resets the -attributes to just .G and .D/B. - -The use of the segment information in the VMCB/VMCS is equivalent to a native -pipeline interacting with the segment cache. The present bit can therefore -have a subtly different meaning, and it is now cooked to uniformly indicate -whether the segment is usable or not. - -GDTR and IDTR don't have access rights like the other segments, but for -consistency, they are treated as being present so no special casing is needed -elsewhere in the segmentation logic. - -AMD hardware does not consider the present bit for %cs and %tr, and will -function as if they were present. They are therefore unconditionally set to -present when reading information from the VMCB, to maintain the new meaning of -usability. - -Intel hardware has a separate unusable bit in the VMCS segment attributes. -This bit is inverted and stored in the present field, so the hvm code can work -with architecturally-common state. - -This is XSA-191. 
- -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich ---- - xen/arch/x86/hvm/hvm.c | 8 ++++++++ - xen/arch/x86/hvm/svm/svm.c | 4 ++++ - xen/arch/x86/hvm/vmx/vmx.c | 20 +++++++++++--------- - xen/arch/x86/x86_emulate/x86_emulate.c | 4 ++++ - 4 files changed, 27 insertions(+), 9 deletions(-) - -diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c -index 704fd64..deb1783 100644 ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -2512,6 +2512,10 @@ bool_t hvm_virtual_to_linear_addr( - */ - addr = (uint32_t)(addr + reg->base); - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !reg->attr.fields.p ) -+ goto out; -+ - switch ( access_type ) - { - case hvm_access_read: -@@ -2767,6 +2771,10 @@ static int hvm_load_segment_selector( - hvm_get_segment_register( - v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab); - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !desctab.attr.fields.p ) -+ goto fail; -+ - /* Check against descriptor table limit. 
*/ - if ( ((sel & 0xfff8) + 7) > desctab.limit ) - goto fail; -diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c -index 16427f6..4cba406 100644 ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -627,6 +627,7 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg, - { - case x86_seg_cs: - memcpy(reg, &vmcb->cs, sizeof(*reg)); -+ reg->attr.fields.p = 1; - reg->attr.fields.g = reg->limit > 0xFFFFF; - break; - case x86_seg_ds: -@@ -660,13 +661,16 @@ static void svm_get_segment_register(struct vcpu *v, enum x86_segment seg, - case x86_seg_tr: - svm_sync_vmcb(v); - memcpy(reg, &vmcb->tr, sizeof(*reg)); -+ reg->attr.fields.p = 1; - reg->attr.fields.type |= 0x2; - break; - case x86_seg_gdtr: - memcpy(reg, &vmcb->gdtr, sizeof(*reg)); -+ reg->attr.bytes = 0x80; - break; - case x86_seg_idtr: - memcpy(reg, &vmcb->idtr, sizeof(*reg)); -+ reg->attr.bytes = 0x80; - break; - case x86_seg_ldtr: - svm_sync_vmcb(v); -diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c -index 9a8f694..a652c52 100644 ---- a/xen/arch/x86/hvm/vmx/vmx.c -+++ b/xen/arch/x86/hvm/vmx/vmx.c -@@ -1035,10 +1035,12 @@ void vmx_get_segment_register(struct vcpu *v, enum x86_segment seg, - reg->sel = sel; - reg->limit = limit; - -- reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00); -- /* Unusable flag is folded into Present flag. */ -- if ( attr & (1u<<16) ) -- reg->attr.fields.p = 0; -+ /* -+ * Fold VT-x representation into Xen's representation. The Present bit is -+ * unconditionally set to the inverse of unusable. -+ */ -+ reg->attr.bytes = -+ (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00); - - /* Adjust for virtual 8086 mode */ - if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr -@@ -1118,11 +1120,11 @@ static void vmx_set_segment_register(struct vcpu *v, enum x86_segment seg, - } - } - -- attr = ((attr & 0xf00) << 4) | (attr & 0xff); -- -- /* Not-present must mean unusable. 
*/ -- if ( !reg->attr.fields.p ) -- attr |= (1u << 16); -+ /* -+ * Unfold Xen representation into VT-x representation. The unusable bit -+ * is unconditionally set to the inverse of present. -+ */ -+ attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff); - - /* VMX has strict consistency requirement for flag G. */ - attr |= !!(limit >> 20) << 15; -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index 7a707dc..7cb6f98 100644 ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1367,6 +1367,10 @@ protmode_load_seg( - &desctab, ctxt)) ) - return rc; - -+ /* Segment not valid for use (cooked meaning of .p)? */ -+ if ( !desctab.attr.fields.p ) -+ goto raise_exn; -+ - /* Check against descriptor table limit. */ - if ( ((sel & 0xfff8) + 7) > desctab.limit ) - goto raise_exn; diff --git a/xsa192.patch b/xsa192.patch deleted file mode 100644 index b573a13..0000000 --- a/xsa192.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: Jan Beulich -Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch - -Just like TR, LDTR is purely a protected mode facility and hence needs -to be loaded accordingly. Also move its loading to where it -architecurally belongs. - -This is XSA-192. - -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper -Tested-by: Andrew Cooper - ---- a/xen/arch/x86/hvm/hvm.c -+++ b/xen/arch/x86/hvm/hvm.c -@@ -2728,17 +2728,16 @@ static void hvm_unmap_entry(void *p) - } - - static int hvm_load_segment_selector( -- enum x86_segment seg, uint16_t sel) -+ enum x86_segment seg, uint16_t sel, unsigned int eflags) - { - struct segment_register desctab, cs, segr; - struct desc_struct *pdesc, desc; - u8 dpl, rpl, cpl; - bool_t writable; - int fault_type = TRAP_invalid_tss; -- struct cpu_user_regs *regs = guest_cpu_user_regs(); - struct vcpu *v = current; - -- if ( regs->eflags & X86_EFLAGS_VM ) -+ if ( eflags & X86_EFLAGS_VM ) - { - segr.sel = sel; - segr.base = (uint32_t)sel << 4; -@@ -2986,6 +2985,8 @@ void hvm_task_switch( - if ( rc != HVMCOPY_okay ) - goto out; - -+ if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) ) -+ goto out; - - if ( hvm_set_cr3(tss.cr3, 1) ) - goto out; -@@ -3008,13 +3009,12 @@ void hvm_task_switch( - } - - exn_raised = 0; -- if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) || -- hvm_load_segment_selector(x86_seg_es, tss.es) || -- hvm_load_segment_selector(x86_seg_cs, tss.cs) || -- hvm_load_segment_selector(x86_seg_ss, tss.ss) || -- hvm_load_segment_selector(x86_seg_ds, tss.ds) || -- hvm_load_segment_selector(x86_seg_fs, tss.fs) || -- hvm_load_segment_selector(x86_seg_gs, tss.gs) ) -+ if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) || -+ hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) || -+ 
hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) ) - exn_raised = 1; - - rc = hvm_copy_to_guest_virt( diff --git a/xsa193-4.7.patch b/xsa193-4.7.patch deleted file mode 100644 index c5486ef..0000000 --- a/xsa193-4.7.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From: Jan Beulich -Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses - -Commit c42494acb2 ("x86: fix FS/GS base handling when using the -fsgsbase feature") replaced the use of wrmsr_safe() on these paths -without recognizing that wr{f,g}sbase() use just wrmsrl() and that the -WR{F,G}SBASE instructions also raise #GP for non-canonical input. - -Similarly arch_set_info_guest() needs to prevent non-canonical -addresses from getting stored into state later to be loaded by context -switch code. For consistency also check stack pointers and LDT base. -DR0..3, otoh, already get properly checked in set_debugreg() (albeit -we discard the error there). - -The SHADOW_GS_BASE check isn't strictly necessary, but I think we -better avoid trying the WRMSR if we know it's going to fail. - -This is XSA-193. - -Reported-by: Andrew Cooper -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/domain.c -+++ b/xen/arch/x86/domain.c -@@ -890,7 +890,13 @@ int arch_set_info_guest( - { - if ( !compat ) - { -- if ( !is_canonical_address(c.nat->user_regs.eip) || -+ if ( !is_canonical_address(c.nat->user_regs.rip) || -+ !is_canonical_address(c.nat->user_regs.rsp) || -+ !is_canonical_address(c.nat->kernel_sp) || -+ (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) || -+ !is_canonical_address(c.nat->fs_base) || -+ !is_canonical_address(c.nat->gs_base_kernel) || -+ !is_canonical_address(c.nat->gs_base_user) || - !is_canonical_address(c.nat->event_callback_eip) || - !is_canonical_address(c.nat->syscall_callback_eip) || - !is_canonical_address(c.nat->failsafe_callback_eip) ) ---- a/xen/arch/x86/traps.c -+++ b/xen/arch/x86/traps.c -@@ -2723,19 +2723,22 @@ static int emulate_privileged_op(struct - switch ( regs->_ecx ) - { - case MSR_FS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - wrfsbase(msr_content); - v->arch.pv_vcpu.fs_base = 
msr_content; - break; - case MSR_GS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - wrgsbase(msr_content); - v->arch.pv_vcpu.gs_base_kernel = msr_content; - break; - case MSR_SHADOW_GS_BASE: -- if ( is_pv_32bit_domain(currd) ) -+ if ( is_pv_32bit_domain(currd) || -+ !is_canonical_address(msr_content) ) - goto fail; - if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) ) - goto fail; diff --git a/xsa194.patch b/xsa194.patch deleted file mode 100644 index 946bd87..0000000 --- a/xsa194.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From 71096b016f7fd54a72af73576948cb25cf42ebcb Mon Sep 17 00:00:00 2001 -From: Roger Pau Monné Date: Wed, 2 Nov 2016 15:02:00 +0000 -Subject: [PATCH] libelf: fix stack memory leak when loading 32 bit symbol - tables - -The 32 bit Elf structs are smaller than the 64 bit ones, which means that -when loading them there's some padding left uninitialized at the end of each -struct (because the size indicated in e_ehsize and e_shentsize is -smaller than the size of elf_ehdr and elf_shdr). - -Fix this by introducing a new helper that is used to set -[caller_]xdest_{base/size} and that takes care of performing the appropriate -memset of the region. This newly introduced helper is then used to set and -unset xdest_{base/size} in elf_load_bsdsyms. Now that the full struct -is zeroed, there's no need to specifically zero the undefined section. - -This is XSA-194. - -Suggested-by: Ian Jackson - -Also remove the open coded (and redundant with the earlier -elf_memset_unchecked()) use of caller_xdest_* from elf_init(). - -Signed-off-by: Roger Pau Monné -Signed-off-by: Jan Beulich -Signed-off-by: Ian Jackson ---- - xen/common/libelf/libelf-loader.c | 14 +++----------- - xen/common/libelf/libelf-tools.c | 11 +++++++++-- - xen/include/xen/libelf.h | 15 +++++++++------ - 3 files changed, 21 insertions(+), 19 deletions(-) - -diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c -index 4d3ae4d..bc1f87b 100644 ---- a/xen/common/libelf/libelf-loader.c -+++ b/xen/common/libelf/libelf-loader.c -@@ -43,8 +43,6 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t - elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input); - elf->class = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_CLASS]); - elf->data = elf_uval_3264(elf, elf->ehdr, e32.e_ident[EI_DATA]); -- elf->caller_xdest_base = NULL; -- elf->caller_xdest_size = 0; - - /* Sanity check phdr. 
*/ - offset = elf_uval(elf, elf->ehdr, e_phoff) + -@@ -284,9 +282,8 @@ do { \ - #define SYMTAB_INDEX 1 - #define STRTAB_INDEX 2 - -- /* Allow elf_memcpy_safe to write to symbol_header. */ -- elf->caller_xdest_base = &header; -- elf->caller_xdest_size = sizeof(header); -+ /* Allow elf_memcpy_safe to write to header. */ -+ elf_set_xdest(elf, &header, sizeof(header)); - - /* - * Calculate the position of the various elements in GUEST MEMORY SPACE. -@@ -319,11 +316,7 @@ do { \ - elf_store_field_bitness(elf, header_handle, e_phentsize, 0); - elf_store_field_bitness(elf, header_handle, e_phnum, 0); - -- /* Zero the undefined section. */ -- section_handle = ELF_MAKE_HANDLE(elf_shdr, -- ELF_REALPTR2PTRVAL(&header.elf_header.section[SHN_UNDEF])); - shdr_size = elf_uval(elf, elf->ehdr, e_shentsize); -- elf_memset_safe(elf, ELF_HANDLE_PTRVAL(section_handle), 0, shdr_size); - - /* - * The symtab section header is going to reside in section[SYMTAB_INDEX], -@@ -404,8 +397,7 @@ do { \ - } - - /* Remove permissions from elf_memcpy_safe. 
*/ -- elf->caller_xdest_base = NULL; -- elf->caller_xdest_size = 0; -+ elf_set_xdest(elf, NULL, 0); - - #undef SYMTAB_INDEX - #undef STRTAB_INDEX -diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c -index 5a4757b..e73e729 100644 ---- a/xen/common/libelf/libelf-tools.c -+++ b/xen/common/libelf/libelf-tools.c -@@ -59,8 +59,7 @@ bool elf_access_ok(struct elf_binary * elf, - return 1; - if ( elf_ptrval_in_range(ptrval, size, elf->dest_base, elf->dest_size) ) - return 1; -- if ( elf_ptrval_in_range(ptrval, size, -- elf->caller_xdest_base, elf->caller_xdest_size) ) -+ if ( elf_ptrval_in_range(ptrval, size, elf->xdest_base, elf->xdest_size) ) - return 1; - elf_mark_broken(elf, "out of range access"); - return 0; -@@ -373,6 +372,14 @@ bool elf_phdr_is_loadable(struct elf_binary *elf, ELF_HANDLE_DECL(elf_phdr) phdr - return ((p_type == PT_LOAD) && (p_flags & (PF_R | PF_W | PF_X)) != 0); - } - -+void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size) -+{ -+ elf->xdest_base = addr; -+ elf->xdest_size = size; -+ if ( addr != NULL ) -+ elf_memset_safe(elf, ELF_REALPTR2PTRVAL(addr), 0, size); -+} -+ - /* - * Local variables: - * mode: C -diff --git a/xen/include/xen/libelf.h b/xen/include/xen/libelf.h -index 95b5370..cf62bc7 100644 ---- a/xen/include/xen/libelf.h -+++ b/xen/include/xen/libelf.h -@@ -210,13 +210,11 @@ struct elf_binary { - uint64_t bsd_symtab_pend; - - /* -- * caller's other acceptable destination -- * -- * Again, these are trusted and must be valid (or 0) so long -- * as the struct elf_binary is in use. -+ * caller's other acceptable destination. -+ * Set by elf_set_xdest. Do not set these directly. 
- */ -- void *caller_xdest_base; -- uint64_t caller_xdest_size; -+ void *xdest_base; -+ uint64_t xdest_size; - - #ifndef __XEN__ - /* misc */ -@@ -494,5 +492,10 @@ static inline void ELF_ADVANCE_DEST(struct elf_binary *elf, uint64_t amount) - } - } - -+/* Specify a (single) additional destination, to which the image may -+ * cause writes. As with dest_base and dest_size, the values provided -+ * are trusted and must be valid so long as the struct elf_binary -+ * is in use or until elf_set_xdest(,0,0) is called. */ -+void elf_set_xdest(struct elf_binary *elf, void *addr, uint64_t size); - - #endif /* __XEN_LIBELF_H__ */ --- -2.1.4 - diff --git a/xsa195.patch b/xsa195.patch deleted file mode 100644 index a193a5c..0000000 --- a/xsa195.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From: Jan Beulich -Subject: x86emul: fix huge bit offset handling - -We must never chop off the high 32 bits. - -This is XSA-195. - -Reported-by: George Dunlap -Signed-off-by: Jan Beulich -Reviewed-by: Andrew Cooper - ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -2549,6 +2549,12 @@ x86_emulate( - else - { - /* -+ * Instructions such as bt can reference an arbitrary offset from -+ * their memory operand, but the instruction doing the actual -+ * emulation needs the appropriate op_bytes read from memory. -+ * Adjust both the source register and memory operand to make an -+ * equivalent instruction. -+ * - * EA += BitOffset DIV op_bytes*8 - * BitOffset = BitOffset MOD op_bytes*8 - * DIV truncates towards negative infinity. -@@ -2560,14 +2566,15 @@ x86_emulate( - src.val = (int32_t)src.val; - if ( (long)src.val < 0 ) - { -- unsigned long byte_offset; -- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1)); -+ unsigned long byte_offset = -+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L)); -+ - ea.mem.off -= byte_offset; - src.val = (byte_offset << 3) + src.val; - } - else - { -- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1); -+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L); - src.val &= (op_bytes << 3) - 1; - } - } diff --git a/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch b/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch deleted file mode 100644 index 7193e9a..0000000 --- a/xsa196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From: Andrew Cooper -Subject: x86/emul: Correct the IDT entry calculation in inject_swint() - -The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating -software event injection" is buggy. The size of an IDT entry depends on long -mode being active, not the width of the code segment currently in use. - -In particular, this means that a compatibility code segment which hits -emulation for software event injection will end up using an incorrect offset -in the IDT for DPL/Presence checking. In practice, this only occurs on old -AMD hardware lacking NRip support; all newer AMD hardware, and all Intel -hardware bypass this path in the emulator. - -While here, fix a minor issue with reading the IDT entry. The return value -from ops->read() wasn't checked, but in reality the only failure case is if a -pagefault occurs. This is not a realistic problem as the kernel will almost -certainly crash with a double fault if this setup actually occured. - -This is part of XSA-196. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich ---- - xen/arch/x86/x86_emulate/x86_emulate.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c -index 7a707dc..f74aa8f 100644 ---- a/xen/arch/x86/x86_emulate/x86_emulate.c -+++ b/xen/arch/x86/x86_emulate/x86_emulate.c -@@ -1630,10 +1630,16 @@ static int inject_swint(enum x86_swint_type type, - { - if ( !in_realmode(ctxt, ops) ) - { -- unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8; -- unsigned int idte_offset = vector * idte_size; -+ unsigned int idte_size, idte_offset; - struct segment_register idtr; - uint32_t idte_ctl; -+ int lm = in_longmode(ctxt, ops); -+ -+ if ( lm < 0 ) -+ return X86EMUL_UNHANDLEABLE; -+ -+ idte_size = lm ? 16 : 8; -+ idte_offset = vector * idte_size; - - /* icebp sets the External Event bit despite being an instruction. 
*/ - error_code = (vector << 3) | ECODE_IDT | -@@ -1661,8 +1667,9 @@ static int inject_swint(enum x86_swint_type type, - * Should strictly speaking read all 8/16 bytes of an entry, - * but we currently only care about the dpl and present bits. - */ -- ops->read(x86_seg_none, idtr.base + idte_offset + 4, -- &idte_ctl, sizeof(idte_ctl), ctxt); -+ if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4, -+ &idte_ctl, sizeof(idte_ctl), ctxt)) ) -+ goto done; - - /* Is this entry present? */ - if ( !(idte_ctl & (1u << 15)) ) diff --git a/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch b/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch deleted file mode 100644 index 26580ff..0000000 --- a/xsa196-0002-x86-svm-Fix-injection-of-software-interrupts.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From: Andrew Cooper -Subject: x86/svm: Fix injection of software interrupts - -The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating -software event injection" was based on an older version of the AMD software -manual. The manual was later corrected, following findings from that series. - -I took the original wording of "not supported without NextRIP" to mean that -X86_EVENTTYPE_SW_INTERRUPT was not eligible for use. It turns out that this -is not the case, and the new wording is clearer on the matter. - -Despite testing the original patch series on non-NRip hardware, the -swint-emulation XTF test case focuses on the debug vectors; it never ended up -executing an `int $n` instruction for a vector which wasn't also an exception. - -During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector -check to ensure that it is only used with exception vectors. Xen's use of -X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD -hardware. - -Fix this by always using X86_EVENTTYPE_SW_INTERRUPT. - -Print and decode the eventinj information in svm_vmcb_dump(), as it has -several invalid combinations which cause vmentry failures. - -This is part of XSA-196. - -Signed-off-by: Andrew Cooper -Reviewed-by: Jan Beulich ---- - xen/arch/x86/hvm/svm/svm.c | 13 +++++-------- - xen/arch/x86/hvm/svm/svmdebug.c | 4 ++++ - 2 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c -index 4391744..76efc3e 100644 ---- a/xen/arch/x86/hvm/svm/svm.c -+++ b/xen/arch/x86/hvm/svm/svm.c -@@ -1231,17 +1231,14 @@ static void svm_inject_trap(const struct hvm_trap *trap) - { - case X86_EVENTTYPE_SW_INTERRUPT: /* int $n */ - /* -- * Injection type 4 (software interrupt) is only supported with -- * NextRIP support. Without NextRIP, the emulator will have performed -- * DPL and presence checks for us. 
-+ * Software interrupts (type 4) cannot be properly injected if the -+ * processor doesn't support NextRIP. Without NextRIP, the emulator -+ * will have performed DPL and presence checks for us, and will have -+ * moved eip forward if appropriate. - */ - if ( cpu_has_svm_nrips ) -- { - vmcb->nextrip = regs->eip + _trap.insn_len; -- event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; -- } -- else -- event.fields.type = X86_EVENTTYPE_HW_EXCEPTION; -+ event.fields.type = X86_EVENTTYPE_SW_INTERRUPT; - break; - - case X86_EVENTTYPE_PRI_SW_EXCEPTION: /* icebp */ -diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c -index ded5d19..f93dfed 100644 ---- a/xen/arch/x86/hvm/svm/svmdebug.c -+++ b/xen/arch/x86/hvm/svm/svmdebug.c -@@ -48,6 +48,10 @@ void svm_vmcb_dump(const char *from, struct vmcb_struct *vmcb) - vmcb->tlb_control, - (unsigned long long)vmcb->_vintr.bytes, - (unsigned long long)vmcb->interrupt_shadow); -+ printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n", -+ vmcb->eventinj.bytes, vmcb->eventinj.fields.v, -+ vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type, -+ vmcb->eventinj.fields.vector); - printk("exitcode = %#Lx exitintinfo = %#Lx\n", - (unsigned long long)vmcb->exitcode, - (unsigned long long)vmcb->exitintinfo.bytes); diff --git a/xsa197-qemut.patch b/xsa197-qemut.patch deleted file mode 100644 index 878f7d3..0000000 --- a/xsa197-qemut.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From: Jan Beulich
-Subject: xen: fix ioreq handling
-
-Avoid double fetches and bounds check size to avoid overflowing
-internal variables.
-
-This is XSA-197.
-
-Reported-by: yanghongke
-Signed-off-by: Jan Beulich
-Reviewed-by: Ian Jackson
-
---- a/i386-dm/helper2.c
-+++ b/i386-dm/helper2.c
-@@ -375,6 +375,11 @@ static void cpu_ioreq_pio(CPUState *env,
- {
- uint32_t i;
-
-+ if (req->size > sizeof(unsigned long)) {
-+ fprintf(stderr, "PIO: bad size (%u)\n", req->size);
-+ exit(-1);
-+ }
-+
- if (req->dir == IOREQ_READ) {
- if (!req->data_is_ptr) {
- req->data = do_inp(env, req->addr, req->size);
-@@ -404,6 +409,11 @@ static void cpu_ioreq_move(CPUState *env
- {
- uint32_t i;
-
-+ if (req->size > sizeof(req->data)) {
-+ fprintf(stderr, "MMIO: bad size (%u)\n", req->size);
-+ exit(-1);
-+ }
-+
- if (!req->data_is_ptr) {
- if (req->dir == IOREQ_READ) {
- for (i = 0; i < req->count; i++) {
-@@ -516,11 +526,13 @@ static int __handle_buffered_iopage(CPUS
- req.df = 1;
- req.type = buf_req->type;
- req.data_is_ptr = 0;
-+ xen_rmb();
- qw = (req.size == 8);
- if (qw) {
- buf_req = &buffered_io_page->buf_ioreq[(rdptr + 1) %
- IOREQ_BUFFER_SLOT_NUM];
- req.data |= ((uint64_t)buf_req->data) << 32;
-+ xen_rmb();
- }
-
- __handle_ioreq(env, &req);
-@@ -552,7 +564,11 @@ static void cpu_handle_ioreq(void *opaqu
-
- __handle_buffered_iopage(env);
- if (req) {
-- __handle_ioreq(env, req);
-+ ioreq_t copy = *req;
-+
-+ xen_rmb();
-+ __handle_ioreq(env, ©);
-+ req->data = copy.data;
-
- if (req->state != STATE_IOREQ_INPROCESS) {
- fprintf(logfile, "Badness in I/O request ... not in service?!: "
diff --git a/xsa197-qemuu.patch b/xsa197-qemuu.patch
deleted file mode 100644
index f7845cf..0000000
--- a/xsa197-qemuu.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Jan Beulich
-Subject: xen: fix ioreq handling
-
-Avoid double fetches and bounds check size to avoid overflowing
-internal variables.
-
-This is XSA-197.
-
-Reported-by: yanghongke
-Signed-off-by: Jan Beulich
-Reviewed-by: Stefano Stabellini
-
---- a/xen-hvm.c
-+++ b/xen-hvm.c
-@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
- trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
- req->data, req->count, req->size);
-
-+ if (req->size > sizeof(uint32_t)) {
-+ hw_error("PIO: bad size (%u)", req->size);
-+ }
-+
- if (req->dir == IOREQ_READ) {
- if (!req->data_is_ptr) {
- req->data = do_inp(req->addr, req->size);
-@@ -846,6 +850,10 @@ static void cpu_ioreq_move(ioreq_t *req)
- trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
- req->data, req->count, req->size);
-
-+ if (req->size > sizeof(req->data)) {
-+ hw_error("MMIO: bad size (%u)", req->size);
-+ }
-+
- if (!req->data_is_ptr) {
- if (req->dir == IOREQ_READ) {
- for (i = 0; i < req->count; i++) {
-@@ -1010,11 +1018,13 @@ static int handle_buffered_iopage(XenIOS
- req.df = 1;
- req.type = buf_req->type;
- req.data_is_ptr = 0;
-+ xen_rmb();
- qw = (req.size == 8);
- if (qw) {
- buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
- IOREQ_BUFFER_SLOT_NUM];
- req.data |= ((uint64_t)buf_req->data) << 32;
-+ xen_rmb();
- }
-
- handle_ioreq(state, &req);
-@@ -1045,7 +1055,11 @@ static void cpu_handle_ioreq(void *opaqu
-
- handle_buffered_iopage(state);
- if (req) {
-- handle_ioreq(state, req);
-+ ioreq_t copy = *req;
-+
-+ xen_rmb();
-+ handle_ioreq(state, ©);
-+ req->data = copy.data;
-
- if (req->state != STATE_IOREQ_INPROCESS) {
- fprintf(stderr, "Badness in I/O request ... not in service?!: "
diff --git a/xsa198.patch b/xsa198.patch
deleted file mode 100644
index dbf7084..0000000
--- a/xsa198.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 71a389ae940bc52bf897a6e5becd73fd8ede94c5 Mon Sep 17 00:00:00 2001
-From: Ian Jackson
-Date: Thu, 3 Nov 2016 16:37:40 +0000
-Subject: [PATCH] pygrub: Properly quote results, when returning them to the
- caller:
-
-* When the caller wants sexpr output, use `repr()'
- This is what Xend expects.
-
- The returned S-expressions are now escaped and quoted by Python,
- generally using '...'. Previously kernel and ramdisk were unquoted
- and args was quoted with "..." but without proper escaping. This
- change may break toolstacks which do not properly dequote the
- returned S-expressions.
-
-* When the caller wants "simple" output, crash if the delimiter is
- contained in the returned value.
-
- With --output-format=simple it does not seem like this could ever
- happen, because the bootloader config parsers all take line-based
- input from the various bootloader config files.
-
- With --output-format=simple0, this can happen if the bootloader
- config file contains nul bytes.
-
-This is XSA-198.
-
-Signed-off-by: Ian Jackson
-Tested-by: Ian Jackson
-Reviewed-by: Andrew Cooper
----
- tools/pygrub/src/pygrub | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
-index 40f9584..dd0c8f7 100755
---- a/tools/pygrub/src/pygrub
-+++ b/tools/pygrub/src/pygrub
-@@ -721,14 +721,17 @@ def sniff_netware(fs, cfg):
- return cfg
-
- def format_sxp(kernel, ramdisk, args):
-- s = "linux (kernel %s)" % kernel
-+ s = "linux (kernel %s)" % repr(kernel)
- if ramdisk:
-- s += "(ramdisk %s)" % ramdisk
-+ s += "(ramdisk %s)" % repr(ramdisk)
- if args:
-- s += "(args \"%s\")" % args
-+ s += "(args %s)" % repr(args)
- return s
-
- def format_simple(kernel, ramdisk, args, sep):
-+ for check in (kernel, ramdisk, args):
-+ if check is not None and sep in check:
-+ raise RuntimeError, "simple format cannot represent delimiter-containing value"
- s = ("kernel %s" % kernel) + sep
- if ramdisk:
- s += ("ramdisk %s" % ramdisk) + sep
---
-2.1.4
-