QEMU is a FAST! processor emulator
CentOS Sources
2014-07-23 eb5a2f10f1f8f7030af2fc6c32fa910bd6a515c7
import qemu-kvm-1.5.3-60.el7_0.5
33 files added
1 files modified
3086 ■■■■■ changed files
SOURCES/kvm-Allow-mismatched-virtio-config-len.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch 85 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch 170 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Provide-init-function-for-ram-migration.patch 113 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch 106 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch 158 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch 91 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow-correctly-propagate-errors.patch 78 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow1-Check-maximum-cluster-size.patch 175 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow1-Make-padding-in-the-header-explicit.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow1-Stricter-backing-file-length-check.patch 114 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch 119 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow1-Validate-image-size-CVE-2014-0223.patch 118 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qcow2-Free-preallocated-zero-clusters.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch 145 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-skip-system-call-when-msi-route-is-unchanged.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-usb-fix-up-post-load-checks.patch 64 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-allow-mapping-up-to-max-queue-size.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch 76 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch 88 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-validate-config_len-on-load.patch 69 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-virtio-validate-num_sg-when-mapping.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmstate-add-VMSTATE_VALIDATE.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vmstate-add-VMS_MUST_EXIST.patch 76 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch 110 ●●●●● patch | view | raw | blame | history
SPECS/qemu-kvm.spec 180 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-Allow-mismatched-virtio-config-len.patch
New file
@@ -0,0 +1,73 @@
From 88fd47b4c3a1a272d7e21ba0e7358e0a4e9ecf88 Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Mon, 30 Jun 2014 11:10:01 +0200
Subject: [PATCH] Allow mismatched virtio config-len
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1404126601-23992-2-git-send-email-dgilbert@redhat.com>
Patchwork-id: 59407
O-Subject: [RHEL-7.0.z qemu-kvm PATCH 1/1] Allow mismatched virtio config-len
Bugzilla: 1095782
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Commit 'virtio: validate config_len on load' restricted config_len
loaded from the wire to match the config_len that the device had.
Unfortunately, there are cases where this isn't true, the one
we found it on was the wce addition in virtio-blk.
Allow mismatched config-lengths:
   *) If the version on the wire is shorter then fine
   *) If the version on the wire is longer, load what we have space
      for and skip the rest.
(This is mst@redhat.com's rework of what I originally posted)
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 2f5732e9648fcddc8759a8fd25c0b41a38352be6)
---
 hw/virtio/virtio.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |   16 +++++++++++-----
 1 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 44309c2..132b5af 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -886,12 +886,18 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
         return -1;
     }
     config_len = qemu_get_be32(f);
-    if (config_len != vdev->config_len) {
-        error_report("Unexpected config length 0x%x. Expected 0x%zx",
-                     config_len, vdev->config_len);
-        return -1;
+
+    /*
+     * There are cases where the incoming config can be bigger or smaller
+     * than what we have; so load what we have space for, and skip
+     * any excess that's in the stream.
+     */
+    qemu_get_buffer(f, vdev->config, MIN(config_len, vdev->config_len));
+
+    while (config_len > vdev->config_len) {
+        qemu_get_byte(f);
+        config_len--;
     }
-    qemu_get_buffer(f, vdev->config, vdev->config_len);
     num = qemu_get_be32(f);
--
1.7.1
SOURCES/kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch
New file
@@ -0,0 +1,85 @@
From 118493a7515526d7adc52b1ca1b667db1458e98c Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Thu, 8 May 2014 11:27:33 +0200
Subject: [PATCH 21/30] Count used RAMBlock pages for migration_dirty_pages
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1399548453-9181-2-git-send-email-dgilbert@redhat.com>
Patchwork-id: 58746
O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 1/1] Count used RAMBlock pages for migration_dirty_pages
Bugzilla: 1110189
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
This is a fix for a bug triggered by a migration after hot unplugging
a few virtio-net NICs, that caused migration never to converge, because
'migration_dirty_pages' is incorrectly initialised.
'migration_dirty_pages' is used as a tally of the number of outstanding
dirty pages, to give the migration code an idea of how much more data
will need to be transferred, and thus whether it can end the iterative
phase.
It was initialised to the total size of the RAMBlock address space,
however hotunplug can leave this space sparse, and hence
migration_dirty_pages ended up too large.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit e30d1d8c7195848abb28a8c734a82b845b8b456a)
---
 arch_init.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 arch_init.c |   21 +++++++++++++++++----
 1 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/arch_init.c b/arch_init.c
index 22f7def..b88d686 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -728,11 +728,8 @@ static void reset_ram_globals(void)
 static int ram_save_setup(QEMUFile *f, void *opaque)
 {
     RAMBlock *block;
-    int64_t ram_pages = last_ram_offset() >> TARGET_PAGE_BITS;
+    int64_t ram_bitmap_pages; /* Size of bitmap in pages, including gaps */
-    migration_bitmap = bitmap_new(ram_pages);
-    bitmap_set(migration_bitmap, 0, ram_pages);
-    migration_dirty_pages = ram_pages;
     mig_throttle_on = false;
     dirty_rate_high_cnt = 0;
@@ -771,6 +768,22 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
     bytes_transferred = 0;
     reset_ram_globals();
+    ram_bitmap_pages = last_ram_offset() >> TARGET_PAGE_BITS;
+    migration_bitmap = bitmap_new(ram_bitmap_pages);
+    bitmap_set(migration_bitmap, 0, ram_bitmap_pages);
+
+    /*
+     * Count the total number of pages used by ram blocks not including any
+     * gaps due to alignment or unplugs.
+     */
+    migration_dirty_pages = 0;
+    QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+        uint64_t block_pages;
+
+        block_pages = block->length >> TARGET_PAGE_BITS;
+        migration_dirty_pages += block_pages;
+    }
+
     memory_global_dirty_log_start();
     migration_bitmap_sync();
     qemu_mutex_unlock_iothread();
--
1.7.1
SOURCES/kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch
New file
@@ -0,0 +1,170 @@
From ac978ade92aa12ae6c700b8be85a10355f728c78 Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Thu, 8 May 2014 10:58:41 +0200
Subject: [PATCH 19/30] Init the XBZRLE.lock in ram_mig_init
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1399546722-6350-4-git-send-email-dgilbert@redhat.com>
Patchwork-id: 58743
O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 3/4] Init the XBZRLE.lock in ram_mig_init
Bugzilla: 1110191
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Initialising the XBZRLE.lock earlier simplifies the lock use.
Based on Markus's patch in:
http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d97326eec2ca1313eaf0b5cffd69af5663b5af5d)
---
 arch_init.c | 61 +++++++++++++++++++++++++++++++------------------------------
 1 file changed, 31 insertions(+), 30 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 arch_init.c |   61 ++++++++++++++++++++++++++++++-----------------------------
 1 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/arch_init.c b/arch_init.c
index 37c9f6d..80e48f2 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -45,6 +45,7 @@
 #include "hw/audio/pcspk.h"
 #include "migration/page_cache.h"
 #include "qemu/config-file.h"
+#include "qemu/error-report.h"
 #include "qmp-commands.h"
 #include "trace.h"
 #include "exec/cpu-all.h"
@@ -167,11 +168,8 @@ static struct {
     /* Cache for XBZRLE, Protected by lock. */
     PageCache *cache;
     QemuMutex lock;
-} XBZRLE = {
-    .encoded_buf = NULL,
-    .current_buf = NULL,
-    .cache = NULL,
-};
+} XBZRLE;
+
 /* buffer used for XBZRLE decoding */
 static uint8_t *xbzrle_decoded_buf;
@@ -187,41 +185,44 @@ static void XBZRLE_cache_unlock(void)
         qemu_mutex_unlock(&XBZRLE.lock);
 }
+/*
+ * called from qmp_migrate_set_cache_size in main thread, possibly while
+ * a migration is in progress.
+ * A running migration maybe using the cache and might finish during this
+ * call, hence changes to the cache are protected by XBZRLE.lock().
+ */
 int64_t xbzrle_cache_resize(int64_t new_size)
 {
-    PageCache *new_cache, *cache_to_free;
+    PageCache *new_cache;
+    int64_t ret;
     if (new_size < TARGET_PAGE_SIZE) {
         return -1;
     }
-    /* no need to lock, the current thread holds qemu big lock */
+    XBZRLE_cache_lock();
+
     if (XBZRLE.cache != NULL) {
-        /* check XBZRLE.cache again later */
         if (pow2floor(new_size) == migrate_xbzrle_cache_size()) {
-            return pow2floor(new_size);
+            goto out_new_size;
         }
         new_cache = cache_init(new_size / TARGET_PAGE_SIZE,
                                         TARGET_PAGE_SIZE);
         if (!new_cache) {
-            DPRINTF("Error creating cache\n");
-            return -1;
-        }
-
-        XBZRLE_cache_lock();
-        /* the XBZRLE.cache may have be destroyed, check it again */
-        if (XBZRLE.cache != NULL) {
-            cache_to_free = XBZRLE.cache;
-            XBZRLE.cache = new_cache;
-        } else {
-            cache_to_free = new_cache;
+            error_report("Error creating cache");
+            ret = -1;
+            goto out;
         }
-        XBZRLE_cache_unlock();
-        cache_fini(cache_to_free);
+        cache_fini(XBZRLE.cache);
+        XBZRLE.cache = new_cache;
     }
-    return pow2floor(new_size);
+out_new_size:
+    ret = pow2floor(new_size);
+out:
+    XBZRLE_cache_unlock();
+    return ret;
 }
 /* accounting for migration statistics */
@@ -735,28 +736,27 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
     dirty_rate_high_cnt = 0;
     if (migrate_use_xbzrle()) {
-        qemu_mutex_lock_iothread();
+        XBZRLE_cache_lock();
         XBZRLE.cache = cache_init(migrate_xbzrle_cache_size() /
                                   TARGET_PAGE_SIZE,
                                   TARGET_PAGE_SIZE);
         if (!XBZRLE.cache) {
-            qemu_mutex_unlock_iothread();
-            DPRINTF("Error creating cache\n");
+            XBZRLE_cache_unlock();
+            error_report("Error creating cache");
             return -1;
         }
-        qemu_mutex_init(&XBZRLE.lock);
-        qemu_mutex_unlock_iothread();
+        XBZRLE_cache_unlock();
         /* We prefer not to abort if there is no memory */
         XBZRLE.encoded_buf = g_try_malloc0(TARGET_PAGE_SIZE);
         if (!XBZRLE.encoded_buf) {
-            DPRINTF("Error allocating encoded_buf\n");
+            error_report("Error allocating encoded_buf");
             return -1;
         }
         XBZRLE.current_buf = g_try_malloc(TARGET_PAGE_SIZE);
         if (!XBZRLE.current_buf) {
-            DPRINTF("Error allocating current_buf\n");
+            error_report("Error allocating current_buf");
             g_free(XBZRLE.encoded_buf);
             XBZRLE.encoded_buf = NULL;
             return -1;
@@ -1110,6 +1110,7 @@ static SaveVMHandlers savevm_ram_handlers = {
 void ram_mig_init(void)
 {
+    qemu_mutex_init(&XBZRLE.lock);
     register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
 }
--
1.7.1
SOURCES/kvm-Provide-init-function-for-ram-migration.patch
New file
@@ -0,0 +1,113 @@
From 8928f6a2f77e167b7602c3f3bb071641134e544e Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Thu, 8 May 2014 10:58:40 +0200
Subject: [PATCH 18/30] Provide init function for ram migration
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1399546722-6350-3-git-send-email-dgilbert@redhat.com>
Patchwork-id: 58742
O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 2/4] Provide init function for ram migration
Bugzilla: 1110191
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff
to do with ram migration (currently in arch_init.c).
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 0d6ab3ab9149767eba192ec5ad659fd34e55a291)
---
 arch_init.c                   | 7 ++++++-
 include/migration/migration.h | 2 --
 include/sysemu/arch_init.h    | 1 +
 vl.c                          | 3 +--
 4 files changed, 8 insertions(+), 5 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 arch_init.c                   |    7 ++++++-
 include/migration/migration.h |    2 --
 include/sysemu/arch_init.h    |    1 +
 vl.c                          |    3 +--
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/arch_init.c b/arch_init.c
index 8641afa..37c9f6d 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -1099,7 +1099,7 @@ done:
     return ret;
 }
-SaveVMHandlers savevm_ram_handlers = {
+static SaveVMHandlers savevm_ram_handlers = {
     .save_live_setup = ram_save_setup,
     .save_live_iterate = ram_save_iterate,
     .save_live_complete = ram_save_complete,
@@ -1108,6 +1108,11 @@ SaveVMHandlers savevm_ram_handlers = {
     .cancel = ram_migration_cancel,
 };
+void ram_mig_init(void)
+{
+    register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
+}
+
 struct soundhw {
     const char *name;
     const char *descr;
diff --git a/include/migration/migration.h b/include/migration/migration.h
index 9314511..c99a67c 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -102,8 +102,6 @@ void free_xbzrle_decoded_buf(void);
 void acct_update_position(QEMUFile *f, size_t size, bool zero);
-extern SaveVMHandlers savevm_ram_handlers;
-
 uint64_t dup_mig_bytes_transferred(void);
 uint64_t dup_mig_pages_transferred(void);
 uint64_t skipped_mig_bytes_transferred(void);
diff --git a/include/sysemu/arch_init.h b/include/sysemu/arch_init.h
index be71bca..182d48d 100644
--- a/include/sysemu/arch_init.h
+++ b/include/sysemu/arch_init.h
@@ -29,6 +29,7 @@ extern const uint32_t arch_type;
 void select_soundhw(const char *optarg);
 void do_acpitable_option(const QemuOpts *opts);
 void do_smbios_option(QemuOpts *opts);
+void ram_mig_init(void);
 void cpudef_init(void);
 void audio_init(void);
 int tcg_available(void);
diff --git a/vl.c b/vl.c
index 51300e7..6ff06cc 100644
--- a/vl.c
+++ b/vl.c
@@ -4133,6 +4133,7 @@ int main(int argc, char **argv, char **envp)
     cpu_exec_init_all();
     blk_mig_init();
+    ram_mig_init();
     /* open the virtual block devices */
     if (snapshot)
@@ -4147,8 +4148,6 @@ int main(int argc, char **argv, char **envp)
     default_drive(default_floppy, snapshot, IF_FLOPPY, 0, FD_OPTS);
     default_drive(default_sdcard, snapshot, IF_SD, 0, SD_OPTS);
-    register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
-
     if (nb_numa_nodes > 0) {
         int i;
--
1.7.1
SOURCES/kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch
New file
@@ -0,0 +1,106 @@
From a00bde30c0730d3434d9f4556a9cb119f3f8d68d Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Thu, 8 May 2014 10:58:42 +0200
Subject: [PATCH 20/30] XBZRLE: Fix one XBZRLE corruption issues
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1399546722-6350-5-git-send-email-dgilbert@redhat.com>
Patchwork-id: 58744
O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 4/4] XBZRLE: Fix one XBZRLE corruption issues
Bugzilla: 1110191
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
From: ChenLiang <chenliang88@huawei.com>
The page may not be inserted into cache after executing save_xbzrle_page.
In case of failure to insert, the original page should be sent rather
than the page in the cache.
Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 1534ee93cc6be992c05577886b24bd44c37ecff6)
---
 arch_init.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 arch_init.c |   25 +++++++++++++------------
 1 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/arch_init.c b/arch_init.c
index 80e48f2..22f7def 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -341,7 +341,7 @@ static void xbzrle_cache_zero_page(ram_addr_t current_addr)
 #define ENCODING_FLAG_XBZRLE 0x1
-static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
+static int save_xbzrle_page(QEMUFile *f, uint8_t **current_data,
                             ram_addr_t current_addr, RAMBlock *block,
                             ram_addr_t offset, int cont, bool last_stage)
 {
@@ -349,19 +349,23 @@ static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
     uint8_t *prev_cached_page;
     if (!cache_is_cached(XBZRLE.cache, current_addr)) {
+        acct_info.xbzrle_cache_miss++;
         if (!last_stage) {
-            if (cache_insert(XBZRLE.cache, current_addr, current_data) == -1) {
+            if (cache_insert(XBZRLE.cache, current_addr, *current_data) == -1) {
                 return -1;
+            } else {
+                /* update *current_data when the page has been
+                   inserted into cache */
+                *current_data = get_cached_data(XBZRLE.cache, current_addr);
             }
         }
-        acct_info.xbzrle_cache_miss++;
         return -1;
     }
     prev_cached_page = get_cached_data(XBZRLE.cache, current_addr);
     /* save current buffer into memory */
-    memcpy(XBZRLE.current_buf, current_data, TARGET_PAGE_SIZE);
+    memcpy(XBZRLE.current_buf, *current_data, TARGET_PAGE_SIZE);
     /* XBZRLE encoding (if there is no overflow) */
     encoded_len = xbzrle_encode_buffer(prev_cached_page, XBZRLE.current_buf,
@@ -374,7 +378,10 @@ static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
         DPRINTF("Overflow\n");
         acct_info.xbzrle_overflows++;
         /* update data in the cache */
-        memcpy(prev_cached_page, current_data, TARGET_PAGE_SIZE);
+        if (!last_stage) {
+            memcpy(prev_cached_page, *current_data, TARGET_PAGE_SIZE);
+            *current_data = prev_cached_page;
+        }
         return -1;
     }
@@ -599,15 +606,9 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
                  */
                 xbzrle_cache_zero_page(current_addr);
             } else if (!ram_bulk_stage && migrate_use_xbzrle()) {
-                bytes_sent = save_xbzrle_page(f, p, current_addr, block,
+                bytes_sent = save_xbzrle_page(f, &p, current_addr, block,
                                               offset, cont, last_stage);
                 if (!last_stage) {
-                    /* We must send exactly what's in the xbzrle cache
-                     * even if the page wasn't xbzrle compressed, so that
-                     * it's right next time.
-                     */
-                    p = get_cached_data(XBZRLE.cache, current_addr);
-
                     /* Can't send this cached data async, since the cache page
                      * might get updated before it gets to the wire
                      */
--
1.7.1
SOURCES/kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch
New file
@@ -0,0 +1,158 @@
From e30b7a4a8810a49a1b8a915a9ed174b9b254c999 Mon Sep 17 00:00:00 2001
From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Date: Thu, 8 May 2014 10:58:39 +0200
Subject: [PATCH 17/30] XBZRLE: Fix qemu crash when resize the xbzrle cache
RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
Message-id: <1399546722-6350-2-git-send-email-dgilbert@redhat.com>
Patchwork-id: 58741
O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 1/4] XBZRLE: Fix qemu crash when resize the xbzrle cache
Bugzilla: 1110191
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
From: Gonglei <arei.gonglei@huawei.com>
Resizing the xbzrle cache during migration causes qemu-crash,
because the main-thread and migration-thread modify the xbzrle
cache size concurrently without lock-protection.
Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit fd8cec932c2ddc687e2da954978954b46a926f90)
---
 arch_init.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 49 insertions(+), 3 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 arch_init.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/arch_init.c b/arch_init.c
index f5d521a..8641afa 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -164,8 +164,9 @@ static struct {
     uint8_t *encoded_buf;
     /* buffer for storing page content */
     uint8_t *current_buf;
-    /* Cache for XBZRLE */
+    /* Cache for XBZRLE, Protected by lock. */
     PageCache *cache;
+    QemuMutex lock;
 } XBZRLE = {
     .encoded_buf = NULL,
     .current_buf = NULL,
@@ -174,16 +175,52 @@ static struct {
 /* buffer used for XBZRLE decoding */
 static uint8_t *xbzrle_decoded_buf;
+static void XBZRLE_cache_lock(void)
+{
+    if (migrate_use_xbzrle())
+        qemu_mutex_lock(&XBZRLE.lock);
+}
+
+static void XBZRLE_cache_unlock(void)
+{
+    if (migrate_use_xbzrle())
+        qemu_mutex_unlock(&XBZRLE.lock);
+}
+
 int64_t xbzrle_cache_resize(int64_t new_size)
 {
+    PageCache *new_cache, *cache_to_free;
+
     if (new_size < TARGET_PAGE_SIZE) {
         return -1;
     }
+    /* no need to lock, the current thread holds qemu big lock */
     if (XBZRLE.cache != NULL) {
-        return cache_resize(XBZRLE.cache, new_size / TARGET_PAGE_SIZE) *
-            TARGET_PAGE_SIZE;
+        /* check XBZRLE.cache again later */
+        if (pow2floor(new_size) == migrate_xbzrle_cache_size()) {
+            return pow2floor(new_size);
+        }
+        new_cache = cache_init(new_size / TARGET_PAGE_SIZE,
+                                        TARGET_PAGE_SIZE);
+        if (!new_cache) {
+            DPRINTF("Error creating cache\n");
+            return -1;
+        }
+
+        XBZRLE_cache_lock();
+        /* the XBZRLE.cache may have be destroyed, check it again */
+        if (XBZRLE.cache != NULL) {
+            cache_to_free = XBZRLE.cache;
+            XBZRLE.cache = new_cache;
+        } else {
+            cache_to_free = new_cache;
+        }
+        XBZRLE_cache_unlock();
+
+        cache_fini(cache_to_free);
     }
+
     return pow2floor(new_size);
 }
@@ -539,6 +576,8 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
             ret = ram_control_save_page(f, block->offset,
                                offset, TARGET_PAGE_SIZE, &bytes_sent);
+            XBZRLE_cache_lock();
+
             current_addr = block->offset + offset;
             if (ret != RAM_SAVE_CONTROL_NOT_SUPP) {
                 if (ret != RAM_SAVE_CONTROL_DELAYED) {
@@ -587,6 +626,7 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
                 acct_info.norm_pages++;
             }
+            XBZRLE_cache_unlock();
             /* if page is unmodified, continue to the next */
             if (bytes_sent > 0) {
                 last_sent_block = block;
@@ -654,6 +694,7 @@ static void migration_end(void)
         migration_bitmap = NULL;
     }
+    XBZRLE_cache_lock();
     if (XBZRLE.cache) {
         cache_fini(XBZRLE.cache);
         g_free(XBZRLE.cache);
@@ -663,6 +704,7 @@ static void migration_end(void)
         XBZRLE.encoded_buf = NULL;
         XBZRLE.current_buf = NULL;
     }
+    XBZRLE_cache_unlock();
 }
 static void ram_migration_cancel(void *opaque)
@@ -693,13 +735,17 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
     dirty_rate_high_cnt = 0;
     if (migrate_use_xbzrle()) {
+        qemu_mutex_lock_iothread();
         XBZRLE.cache = cache_init(migrate_xbzrle_cache_size() /
                                   TARGET_PAGE_SIZE,
                                   TARGET_PAGE_SIZE);
         if (!XBZRLE.cache) {
+            qemu_mutex_unlock_iothread();
             DPRINTF("Error creating cache\n");
             return -1;
         }
+        qemu_mutex_init(&XBZRLE.lock);
+        qemu_mutex_unlock_iothread();
         /* We prefer not to abort if there is no memory */
         XBZRLE.encoded_buf = g_try_malloc0(TARGET_PAGE_SIZE);
--
1.7.1
SOURCES/kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch
New file
@@ -0,0 +1,91 @@
From 3322e336871252ea0ff22920cfb13d302b07bd11 Mon Sep 17 00:00:00 2001
From: Gal Hammer <ghammer@redhat.com>
Date: Sun, 16 Mar 2014 09:57:09 +0100
Subject: [PATCH 28/30] char: restore read callback on a reattached (hotplug) chardev
RH-Author: Gal Hammer <ghammer@redhat.com>
Message-id: <1394963829-5384-1-git-send-email-ghammer@redhat.com>
Patchwork-id: 58105
O-Subject: [RHEL-7.0 qemu-kvm PATCH] char: restore read callback on a reattached (hotplug) chardev
Bugzilla: 1110219
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Amit Shah <amit.shah@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=7207613
Upstream: commit ac1b84dd1e020648db82a99260891aa982d1142c
Fix a bug that was introduced in commit 386a5a1e. A removal of a device
set the chr handlers to NULL. However when the device is plugged back,
its read callback is not restored so data can't be transferred from the
host to the guest (e.g. via the virtio-serial port).
Signed-off-by: Gal Hammer <ghammer@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 qemu-char.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 qemu-char.c |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/qemu-char.c b/qemu-char.c
index 983f686..930f3d4 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -215,7 +215,7 @@ void qemu_chr_add_handlers(CharDriverState *s,
     s->chr_read = fd_read;
     s->chr_event = fd_event;
     s->handler_opaque = opaque;
-    if (s->chr_update_read_handler)
+    if (fe_open && s->chr_update_read_handler)
         s->chr_update_read_handler(s);
     if (!s->explicit_fe_open) {
@@ -1140,13 +1140,14 @@ static void pty_chr_state(CharDriverState *chr, int connected)
         if (!s->connected) {
             s->connected = 1;
             qemu_chr_be_generic_open(chr);
+        }
+        if (!chr->fd_in_tag) {
             chr->fd_in_tag = io_add_watch_poll(s->fd, pty_chr_read_poll,
                                                pty_chr_read, chr);
         }
     }
 }
-
 static void pty_chr_close(struct CharDriverState *chr)
 {
     PtyCharDriver *s = chr->opaque;
@@ -2514,6 +2515,17 @@ static void tcp_chr_connect(void *opaque)
     qemu_chr_be_generic_open(chr);
 }
+static void tcp_chr_update_read_handler(CharDriverState *chr)
+{
+    TCPCharDriver *s = chr->opaque;
+
+    remove_fd_in_watch(chr);
+    if (s->chan) {
+        chr->fd_in_tag = io_add_watch_poll(s->chan, tcp_chr_read_poll,
+                                           tcp_chr_read, chr);
+    }
+}
+
 #define IACSET(x,a,b,c) x[0] = a; x[1] = b; x[2] = c;
 static void tcp_chr_telnet_init(int fd)
 {
@@ -2669,6 +2681,7 @@ static CharDriverState *qemu_chr_open_socket_fd(int fd, bool do_nodelay,
     chr->get_msgfd = tcp_get_msgfd;
     chr->chr_add_client = tcp_chr_add_client;
     chr->chr_add_watch = tcp_chr_add_watch;
+    chr->chr_update_read_handler = tcp_chr_update_read_handler;
     /* be isn't opened until we get a connection */
     chr->explicit_be_open = true;
--
1.7.1
SOURCES/kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch
New file
@@ -0,0 +1,73 @@
From 53cea58f1e2ed721356a705ec22751083f9e23b5 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:24:37 +0200
Subject: [PATCH 12/30] hpet: fix buffer overrun on invalid state load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055633-6261-4-git-send-email-mst@redhat.com>
Patchwork-id: 58851
O-Subject: [PATCH qemu-kvm RHEL7.0.z 4/5] hpet: fix buffer overrun on invalid state load
Bugzilla: 1095706
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095706
---
 hw/timer/hpet.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/timer/hpet.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index dd486a1..54ffa49 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -222,6 +222,18 @@ static int hpet_pre_load(void *opaque)
     return 0;
 }
+static bool hpet_validate_num_timers(void *opaque, int version_id)
+{
+    HPETState *s = opaque;
+
+    if (s->num_timers < HPET_MIN_TIMERS) {
+        return false;
+    } else if (s->num_timers > HPET_MAX_TIMERS) {
+        return false;
+    }
+    return true;
+}
+
 static int hpet_post_load(void *opaque, int version_id)
 {
     HPETState *s = opaque;
@@ -290,6 +302,7 @@ static const VMStateDescription vmstate_hpet = {
         VMSTATE_UINT64(isr, HPETState),
         VMSTATE_UINT64(hpet_counter, HPETState),
         VMSTATE_UINT8_V(num_timers, HPETState, 2),
+        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
         VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
                                     vmstate_hpet_timer, HPETTimer),
         VMSTATE_END_OF_LIST()
--
1.7.1
SOURCES/kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
New file
@@ -0,0 +1,77 @@
From ed30bd1d0e45463cc48aeb839b4ae3c65009ce79 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:24:43 +0200
Subject: [PATCH 13/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055633-6261-5-git-send-email-mst@redhat.com>
Patchwork-id: 58852
O-Subject: [PATCH qemu-kvm RHEL7.0.z 5/5] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
Bugzilla: 1095714
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095714
---
 hw/pci/pcie_aer.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/pci/pcie_aer.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
index 1ce72ce..ab5c9c6 100644
--- a/hw/pci/pcie_aer.c
+++ b/hw/pci/pcie_aer.c
@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
     }
 };
+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
+{
+    PCIEAERLog *s = opaque;
+
+    return s->log_num <= s->log_max;
+}
+
 const VMStateDescription vmstate_pcie_aer_log = {
     .name = "PCIE_AER_ERROR_LOG",
     .version_id = 1,
@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
     .minimum_version_id_old = 1,
     .fields     = (VMStateField[]) {
         VMSTATE_UINT16(log_num, PCIEAERLog),
-        VMSTATE_UINT16(log_max, PCIEAERLog),
+        VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
+        VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
         VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
                               vmstate_pcie_aer_err, PCIEAERErr),
         VMSTATE_END_OF_LIST()
--
1.7.1
SOURCES/kvm-qcow-correctly-propagate-errors.patch
New file
@@ -0,0 +1,78 @@
From 8e046eb446573101d92b41a88ebe1066a42d653c Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:43 +0200
Subject: [PATCH 22/30] qcow: correctly propagate errors
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-2-git-send-email-kwolf@redhat.com>
Patchwork-id: 59096
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 1/6] qcow: correctly propagate errors
Bugzilla: 1097229
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b6d5066d32f9e6c3d7508c1af9ae78327a927120)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block/qcow.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index c470e05..b57b900 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -119,17 +119,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
     if (header.version != QCOW_VERSION) {
         char version[64];
         snprintf(version, sizeof(version), "QCOW version %d", header.version);
-        qerror_report(QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
-            bs->device_name, "qcow", version);
+        error_set(errp, QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
+                  bs->device_name, "qcow", version);
         ret = -ENOTSUP;
         goto fail;
     }
     if (header.size <= 1 || header.cluster_bits < 9) {
+        error_setg(errp, "invalid value in qcow header");
         ret = -EINVAL;
         goto fail;
     }
     if (header.crypt_method > QCOW_CRYPT_AES) {
+        error_setg(errp, "invalid encryption method in qcow header");
         ret = -EINVAL;
         goto fail;
     }
@@ -686,15 +688,13 @@ static int qcow_create(const char *filename, QEMUOptionParameter *options,
     ret = bdrv_create_file(filename, options, &local_err);
     if (ret < 0) {
-        qerror_report_err(local_err);
-        error_free(local_err);
+        error_propagate(errp, local_err);
         return ret;
     }
     ret = bdrv_file_open(&qcow_bs, filename, NULL, BDRV_O_RDWR, &local_err);
     if (ret < 0) {
-        qerror_report_err(local_err);
-        error_free(local_err);
+        error_propagate(errp, local_err);
         return ret;
     }
--
1.7.1
SOURCES/kvm-qcow1-Check-maximum-cluster-size.patch
New file
@@ -0,0 +1,175 @@
From 0867b2aac8b789d492af127b12437e526774b7cf Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:45 +0200
Subject: [PATCH 24/30] qcow1: Check maximum cluster size
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-4-git-send-email-kwolf@redhat.com>
Patchwork-id: 59098
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 3/6] qcow1: Check maximum cluster size
Bugzilla: 1097229
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Conflicts:
    tests/qemu-iotests/group
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
---
 block/qcow.c               | 10 ++++++--
 tests/qemu-iotests/092     | 63 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/092.out | 13 ++++++++++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100755 tests/qemu-iotests/092
 create mode 100644 tests/qemu-iotests/092.out
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c               |   10 +++++-
 tests/qemu-iotests/092     |   63 ++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/092.out |   13 +++++++++
 tests/qemu-iotests/group   |    1 +
 4 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100755 tests/qemu-iotests/092
 create mode 100644 tests/qemu-iotests/092.out
diff --git a/block/qcow.c b/block/qcow.c
index 220ac04..2efe2fc 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -126,11 +126,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
-    if (header.size <= 1 || header.cluster_bits < 9) {
-        error_setg(errp, "invalid value in qcow header");
+    if (header.size <= 1) {
+        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
         ret = -EINVAL;
         goto fail;
     }
+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+        error_setg(errp, "Cluster size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         error_setg(errp, "invalid encryption method in qcow header");
         ret = -EINVAL;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
new file mode 100755
index 0000000..d060e6f
--- /dev/null
+++ b/tests/qemu-iotests/092
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# qcow1 format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1    # failure is the default!
+
+_cleanup()
+{
+    rm -f $TEST_IMG.snap
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto generic
+_supported_os Linux
+
+offset_cluster_bits=32
+
+echo
+echo "== Invalid cluster size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
new file mode 100644
index 0000000..8bf8158
--- /dev/null
+++ b/tests/qemu-iotests/092.out
@@ -0,0 +1,13 @@
+QA output created by 092
+
+== Invalid cluster size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index ad96fcf..d6d4a7f 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -81,3 +81,4 @@
 084 img auto
 086 rw auto quick
 088 rw auto
+092 rw auto quick
--
1.7.1
SOURCES/kvm-qcow1-Make-padding-in-the-header-explicit.patch
New file
@@ -0,0 +1,52 @@
From 3dae291d6b66443e016123ff763e89c07119cacb Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:44 +0200
Subject: [PATCH 23/30] qcow1: Make padding in the header explicit
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-3-git-send-email-kwolf@redhat.com>
Patchwork-id: 59097
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 2/6] qcow1: Make padding in the header explicit
Bugzilla: 1097229
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
We were relying on all compilers inserting the same padding in the
header struct that is used for the on-disk format. Let's not do that.
Mark the struct as packed and insert an explicit padding field for
compatibility.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
---
 block/qcow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index b57b900..220ac04 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -48,9 +48,10 @@ typedef struct QCowHeader {
     uint64_t size; /* in bytes */
     uint8_t cluster_bits;
     uint8_t l2_bits;
+    uint16_t padding;
     uint32_t crypt_method;
     uint64_t l1_table_offset;
-} QCowHeader;
+} QEMU_PACKED QCowHeader;
 #define L2_CACHE_SIZE 16
--
1.7.1
SOURCES/kvm-qcow1-Stricter-backing-file-length-check.patch
New file
@@ -0,0 +1,114 @@
From 9e8900ff62bb5c0009ca25a98158650e39f99c47 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:48 +0200
Subject: [PATCH 27/30] qcow1: Stricter backing file length check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-7-git-send-email-kwolf@redhat.com>
Patchwork-id: 59100
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 6/6] qcow1: Stricter backing file length check
Bugzilla: 1097236
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.
Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
│(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
---
 block/qcow.c               |  7 +++++--
 tests/qemu-iotests/092     | 11 +++++++++++
 tests/qemu-iotests/092.out |  7 +++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c               |    7 +++++--
 tests/qemu-iotests/092     |   11 +++++++++++
 tests/qemu-iotests/092.out |    7 +++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 4fdc751..ad44f78 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
                      Error **errp)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i, shift, ret;
+    unsigned int len, i, shift;
+    int ret;
     QCowHeader header;
     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
@@ -200,7 +201,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
         if (len > 1023) {
-            len = 1023;
+            error_setg(errp, "Backing file name too long");
+            ret = -EINVAL;
+            goto fail;
         }
         ret = bdrv_pread(bs->file, header.backing_file_offset,
                    bs->backing_file, len);
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index ae6ca76..a8c0c9c 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,8 @@ _supported_fmt qcow
 _supported_proto generic
 _supported_os Linux
+offset_backing_file_offset=8
+offset_backing_file_size=16
 offset_size=24
 offset_cluster_bits=32
 offset_l2_bits=33
@@ -81,6 +83,15 @@ poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
 poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
 { $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid backing file length =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index ac03302..496d8f0 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -28,4 +28,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: Image too large
 no file open, try 'help open'
+
+== Invalid backing file length ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
 *** done
--
1.7.1
SOURCES/kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
New file
@@ -0,0 +1,119 @@
From 6cec75be66671262a640c0424d93902862f6f1e7 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:46 +0200
Subject: [PATCH 25/30] qcow1: Validate L2 table size (CVE-2014-0222)
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-5-git-send-email-kwolf@redhat.com>
Patchwork-id: 59099
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 4/6] qcow1: Validate L2 table size (CVE-2014-0222)
Bugzilla: 1097229
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
---
 block/qcow.c               |  8 ++++++++
 tests/qemu-iotests/092     | 15 +++++++++++++++
 tests/qemu-iotests/092.out | 11 +++++++++++
 3 files changed, 34 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c               |    8 ++++++++
 tests/qemu-iotests/092     |   15 +++++++++++++++
 tests/qemu-iotests/092.out |   11 +++++++++++
 3 files changed, 34 insertions(+), 0 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 2efe2fc..f266701 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -137,6 +137,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+     * so bytes = num_entries << 3. */
+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+        error_setg(errp, "L2 table size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         error_setg(errp, "invalid encryption method in qcow header");
         ret = -EINVAL;
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index d060e6f..fb8bacc 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -44,6 +44,7 @@ _supported_proto generic
 _supported_os Linux
 offset_cluster_bits=32
+offset_l2_bits=33
 echo
 echo "== Invalid cluster size =="
@@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
 poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid L2 table size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 8bf8158..73918b3 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
 no file open, try 'help open'
+
+== Invalid L2 table size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
 *** done
--
1.7.1
SOURCES/kvm-qcow1-Validate-image-size-CVE-2014-0223.patch
New file
@@ -0,0 +1,118 @@
From a193c89099b75ab17e530fb909813373f72c1ca7 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 2 Jun 2014 13:54:47 +0200
Subject: [PATCH 26/30] qcow1: Validate image size (CVE-2014-0223)
RH-Author: Kevin Wolf <kwolf@redhat.com>
Message-id: <1401717288-3918-6-git-send-email-kwolf@redhat.com>
Patchwork-id: 59101
O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 5/6] qcow1: Validate image size (CVE-2014-0223)
Bugzilla: 1097236
RH-Acked-by: Max Reitz <mreitz@redhat.com>
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.
This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
---
 block/qcow.c               | 16 ++++++++++++++--
 tests/qemu-iotests/092     |  9 +++++++++
 tests/qemu-iotests/092.out |  7 +++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow.c               |   16 ++++++++++++++--
 tests/qemu-iotests/092     |    9 +++++++++
 tests/qemu-iotests/092.out |    7 +++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index f266701..4fdc751 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
     int cluster_sectors;
     int l2_bits;
     int l2_size;
-    int l1_size;
+    unsigned int l1_size;
     uint64_t cluster_offset_mask;
     uint64_t l1_table_offset;
     uint64_t *l1_table;
@@ -164,7 +164,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
     /* read the level 1 table */
     shift = s->cluster_bits + s->l2_bits;
-    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
+    if (header.size > UINT64_MAX - (1LL << shift)) {
+        error_setg(errp, "Image too large");
+        ret = -EINVAL;
+        goto fail;
+    } else {
+        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
+        if (l1_size > INT_MAX / sizeof(uint64_t)) {
+            error_setg(errp, "Image too large");
+            ret = -EINVAL;
+            goto fail;
+        }
+        s->l1_size = l1_size;
+    }
     s->l1_table_offset = header.l1_table_offset;
     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index fb8bacc..ae6ca76 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,7 @@ _supported_fmt qcow
 _supported_proto generic
 _supported_os Linux
+offset_size=24
 offset_cluster_bits=32
 offset_l2_bits=33
@@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
 poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+echo
+echo "== Invalid size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
+{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 73918b3..ac03302 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 an
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
 no file open, try 'help open'
+
+== Invalid size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
 *** done
--
1.7.1
SOURCES/kvm-qcow2-Free-preallocated-zero-clusters.patch
New file
@@ -0,0 +1,55 @@
From 0a83451f1962265f2ac2d43c7c1cbbf1ecd77552 Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Fri, 2 May 2014 16:06:20 +0200
Subject: [PATCH 29/30] qcow2: Free preallocated zero clusters
RH-Author: Max Reitz <mreitz@redhat.com>
Message-id: <1399046781-16359-2-git-send-email-mreitz@redhat.com>
Patchwork-id: 58644
O-Subject: [RHEL-7.0 qemu-kvm PATCH 1/2] qcow2: Free preallocated zero clusters
Bugzilla: 1110188
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
In qcow2_free_any_clusters, preallocated zero clusters should be freed
just as normal clusters are.
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8f730dd24edd2576ecbd596de7ea4361296b129c)
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 block/qcow2-refcount.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/qcow2-refcount.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 73ae4e3..429b01c 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -811,11 +811,13 @@ void qcow2_free_any_clusters(BlockDriverState *bs, uint64_t l2_entry,
         }
         break;
     case QCOW2_CLUSTER_NORMAL:
-        qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
-                            nb_clusters << s->cluster_bits, type);
+    case QCOW2_CLUSTER_ZERO:
+        if (l2_entry & L2E_OFFSET_MASK) {
+            qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
+                                nb_clusters << s->cluster_bits, type);
+        }
         break;
     case QCOW2_CLUSTER_UNALLOCATED:
-    case QCOW2_CLUSTER_ZERO:
         break;
     default:
         abort();
--
1.7.1
SOURCES/kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch
New file
@@ -0,0 +1,145 @@
From f5484ed380fdff9c3d6895b72f4a05c312ee37ea Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Fri, 2 May 2014 16:06:21 +0200
Subject: [PATCH 30/30] qemu-iotests: Discard preallocated zero clusters
RH-Author: Max Reitz <mreitz@redhat.com>
Message-id: <1399046781-16359-3-git-send-email-mreitz@redhat.com>
Patchwork-id: 58645
O-Subject: [RHEL-7.0 qemu-kvm PATCH 2/2] qemu-iotests: Discard preallocated zero clusters
Bugzilla: 1110188
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
Add a new test case for discarding preallocated zero clusters; doing
this should not result in any leaks.
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 975a93c082452db9aa1397a797ca8f13ba367393)
Conflicts:
    tests/qemu-iotests/group
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
 tests/qemu-iotests/066     | 63 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/066.out | 13 ++++++++++
 tests/qemu-iotests/group   |  1 +
 3 files changed, 77 insertions(+)
 create mode 100755 tests/qemu-iotests/066
 create mode 100644 tests/qemu-iotests/066.out
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 tests/qemu-iotests/066     |   63 ++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/066.out |   13 +++++++++
 tests/qemu-iotests/group   |    1 +
 3 files changed, 77 insertions(+), 0 deletions(-)
 create mode 100755 tests/qemu-iotests/066
 create mode 100644 tests/qemu-iotests/066.out
diff --git a/tests/qemu-iotests/066 b/tests/qemu-iotests/066
new file mode 100755
index 0000000..1c2452b
--- /dev/null
+++ b/tests/qemu-iotests/066
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Test case for discarding preallocated zero clusters in qcow2
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=mreitz@redhat.com
+
+seq="$(basename $0)"
+echo "QA output created by $seq"
+
+here="$PWD"
+tmp=/tmp/$$
+status=1    # failure is the default!
+
+_cleanup()
+{
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+# This tests qocw2-specific low-level functionality
+_supported_fmt qcow2
+_supported_proto generic
+_supported_os Linux
+
+IMGOPTS="compat=1.1"
+IMG_SIZE=64M
+
+echo
+echo "=== Testing snapshotting an image with zero clusters ==="
+echo
+_make_test_img $IMG_SIZE
+# Write some normal clusters, zero them (creating preallocated zero clusters)
+# and discard those
+$QEMU_IO -c "write 0 256k" -c "write -z 0 256k" -c "discard 0 256k" "$TEST_IMG" \
+         | _filter_qemu_io
+# Check the image (there shouldn't be any leaks)
+_check_test_img
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/066.out b/tests/qemu-iotests/066.out
new file mode 100644
index 0000000..9139780
--- /dev/null
+++ b/tests/qemu-iotests/066.out
@@ -0,0 +1,13 @@
+QA output created by 066
+
+=== Testing snapshotting an image with zero clusters ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
+wrote 262144/262144 bytes at offset 0
+256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+wrote 262144/262144 bytes at offset 0
+256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+discard 262144/262144 bytes at offset 0
+256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+No errors were found on the image.
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index d6d4a7f..e588404 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -68,6 +68,7 @@
 063 rw auto
 064 rw auto
 065 rw auto
+066 rw auto
 067 rw auto
 068 rw auto
 070 rw auto
--
1.7.1
SOURCES/kvm-skip-system-call-when-msi-route-is-unchanged.patch
New file
@@ -0,0 +1,51 @@
From 00a2c1d4f4dff271a314f0e9eb3b4c873b1a06c1 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Mon, 19 May 2014 09:57:40 +0200
Subject: [PATCH 2/2] kvm: skip system call when msi route is unchanged
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400493448-29146-3-git-send-email-mst@redhat.com>
Patchwork-id: 58949
O-Subject: [PATCH qemu-kvm RHEL7.1 2/2] kvm: skip system call when msi route is unchanged
Bugzilla: 1110693
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
Some guests do a large number of mask/unmask
calls which currently trigger expensive route update
system calls.
Detect that route in unchanged and skip the system call.
Reported-by: "Zhanghaoyu (A)" <haoyu.zhang@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
(cherry picked from commit 40509f7f52672fe41c2cce895e187352fc09f53a)
---
 kvm-all.c | 4 ++++
 1 file changed, 4 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 kvm-all.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/kvm-all.c b/kvm-all.c
index 592301a..f7f621b 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -1008,6 +1008,10 @@ static int kvm_update_routing_entry(KVMState *s,
             continue;
         }
+        if(!memcmp(entry, new_entry, sizeof *entry)) {
+            return 0;
+        }
+
         *entry = *new_entry;
         kvm_irqchip_commit_routes(s);
--
1.7.1
SOURCES/kvm-usb-fix-up-post-load-checks.patch
New file
@@ -0,0 +1,64 @@
From f01e8ceed912ea31bf22046197fd18b82e554e48 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Thu, 15 May 2014 09:52:52 +0200
Subject: [PATCH 16/30] usb: fix up post load checks
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400144747-16304-1-git-send-email-mst@redhat.com>
Patchwork-id: 58906
O-Subject: [PATCH qemu-kvm RHEL7.0.z] usb: fix up post load checks
Bugzilla: 1096828
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
    seems fine, no need to fail migration
2. When state is DATA, passing index > len
   will cause memcpy with negative length,
   resulting in heap overflow
First of the issues was reported by dgilbert.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e)
Note: in maintainer's tree
 git://github.com/juanquintela/qemu.git tags/migration/20140515,
 pull request sent
CVE-2014-3461
Bugzilla: 1096828
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7459773
Tested: lightly on developer's box
---
 hw/usb/bus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/bus.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index 9766b7f..f4eeb5e 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
     }
     if (dev->setup_index < 0 ||
         dev->setup_len < 0 ||
-        dev->setup_index >= sizeof(dev->data_buf) ||
-        dev->setup_len >= sizeof(dev->data_buf)) {
+        dev->setup_index > dev->setup_len ||
+        dev->setup_len > sizeof(dev->data_buf)) {
         return -EINVAL;
     }
     return 0;
--
1.7.1
SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch
New file
@@ -0,0 +1,62 @@
From bbe33dbd43e6b562459624adb801f9b35d0f5211 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:26:17 +0200
Subject: [PATCH 15/30] usb: sanity check setup_index+setup_len in post_load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055942-6418-2-git-send-email-mst@redhat.com>
Patchwork-id: 58854
O-Subject: [PATCH qemu-kvm RHEL7.0.z 2/2] usb: sanity check setup_index+setup_len in post_load
Bugzilla: 1095746
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Tested: lightly on developer's box
Bugzilla: 1095743
Note: the fix isn't complete upstream. there's a separate bugzilla to
fix more issues upstream and in rhel.
---
 hw/usb/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/bus.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index e0c3a77..9766b7f 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
     } else {
         dev->attached = 1;
     }
-    if (dev->setup_index >= sizeof(dev->data_buf) ||
+    if (dev->setup_index < 0 ||
+        dev->setup_len < 0 ||
+        dev->setup_index >= sizeof(dev->data_buf) ||
         dev->setup_len >= sizeof(dev->data_buf)) {
         return -EINVAL;
     }
--
1.7.1
SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch
New file
@@ -0,0 +1,49 @@
From 586e92b335a98dcfbb4a797eb744753038da4374 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:26:14 +0200
Subject: [PATCH 14/30] usb: sanity check setup_index+setup_len in post_load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055942-6418-1-git-send-email-mst@redhat.com>
Patchwork-id: 58853
O-Subject: [PATCH qemu-kvm RHEL7.0.z 1/2] usb: sanity check setup_index+setup_len in post_load
Bugzilla: 1095746
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c60174e847082ab9f70720f86509a3353f816fad)
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Tested: lightly on developer's box
Bugzilla: 1095743
---
 hw/usb/bus.c | 4 ++++
 1 file changed, 4 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/bus.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index fe6bd13..e0c3a77 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,6 +49,10 @@ static int usb_device_post_load(void *opaque, int version_id)
     } else {
         dev->attached = 1;
     }
+    if (dev->setup_index >= sizeof(dev->data_buf) ||
+        dev->setup_len >= sizeof(dev->data_buf)) {
+        return -EINVAL;
+    }
     return 0;
 }
--
1.7.1
SOURCES/kvm-virtio-allow-mapping-up-to-max-queue-size.patch
New file
@@ -0,0 +1,54 @@
From 7a967f4dd36ab8cba940bacda4c893829affcd8d Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:11:59 +0200
Subject: [PATCH 09/30] virtio: allow mapping up to max queue size
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054952-6106-2-git-send-email-mst@redhat.com>
Patchwork-id: 58847
O-Subject: [PATCH qemu-kvm RHEL7.0 2/2] virtio: allow mapping up to max queue size
Bugzilla: 1095765
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
It's a loop from i < num_sg  and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.
Not a big problem in practice as people don't use
such big queues, but it's inelegant.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Upstream status: 937251408051e0489f78e4db3c92e045b147b38b
(in maintainer's tree, PULL request sent)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095765
---
 hw/virtio/virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 2667390..44309c2 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -423,7 +423,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
     unsigned int i;
     hwaddr len;
-    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+    if (num_sg > VIRTQUEUE_MAX_SIZE) {
         error_report("virtio: map attempt out of bounds: %zd > %d",
                      num_sg, VIRTQUEUE_MAX_SIZE);
         exit(1);
--
1.7.1
SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch
New file
@@ -0,0 +1,61 @@
From d1ada486bbdecd785762a192eae716a3484d4f16 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:52 +0200
Subject: [PATCH 05/30] virtio: avoid buffer overrun on incoming migration
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-10-git-send-email-mst@redhat.com>
Patchwork-id: 58843
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: avoid buffer overrun on incoming migration
Bugzilla: 1095737
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095737
---
 hw/virtio/virtio.c | 3 +++
 1 file changed, 3 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 070d64e..9600a12 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -867,6 +867,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     qemu_get_8s(f, &vdev->status);
     qemu_get_8s(f, &vdev->isr);
     qemu_get_be16s(f, &vdev->queue_sel);
+    if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
+        return -1;
+    }
     qemu_get_be32s(f, &features);
     if (virtio_set_features(vdev, features) < 0) {
--
1.7.1
SOURCES/kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
New file
@@ -0,0 +1,80 @@
From fbae1c1a80fc0c1495c86695f5f48ee1003c2a1a Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:39 +0200
Subject: [PATCH 01/30] virtio-net: fix buffer overflow on invalid state load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-1-git-send-email-mst@redhat.com>
Patchwork-id: 58839
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: fix buffer overflow on invalid state load
Bugzilla: 1095677
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c
Deals with loading a corrupted savevm image.
>         n->mac_table.in_use = qemu_get_be32(f);
in_use is int so it can get negative when assigned 32bit unsigned value.
>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
passing this check ^^^
>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);
with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.
Fix it by making the value unsigned.
For consistency, change first_multi as well.
Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
Bugzilla: 1095677
Tested: on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
---
 include/hw/virtio/virtio-net.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 include/hw/virtio/virtio-net.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
index 75723a8..a02fc50 100644
--- a/include/hw/virtio/virtio-net.h
+++ b/include/hw/virtio/virtio-net.h
@@ -174,8 +174,8 @@ typedef struct VirtIONet {
     uint8_t nobcast;
     uint8_t vhost_started;
     struct {
-        int in_use;
-        int first_multi;
+        uint32_t in_use;
+        uint32_t first_multi;
         uint8_t multi_overflow;
         uint8_t uni_overflow;
         uint8_t *macs;
--
1.7.1
SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
New file
@@ -0,0 +1,77 @@
From 2b6768100640ef4b0387f42391f5e9e82cf67284 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:45 +0200
Subject: [PATCH 03/30] virtio-net: out-of-bounds buffer write on invalid state load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-3-git-send-email-mst@redhat.com>
Patchwork-id: 58841
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: out-of-bounds buffer write on invalid state load
Bugzilla: 1095689
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }
Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla: 1095689
---
 hw/net/virtio-net.c | 5 +++++
 1 file changed, 5 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/net/virtio-net.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f6ed241..f72be9f 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1334,6 +1334,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         }
         n->curr_queues = qemu_get_be16(f);
+        if (n->curr_queues > n->max_queues) {
+            error_report("virtio-net: curr_queues %x > max_queues %x",
+                         n->curr_queues, n->max_queues);
+            return -1;
+        }
         for (i = 1; i < n->curr_queues; i++) {
             n->vqs[i].tx_waiting = qemu_get_be32(f);
         }
--
1.7.1
SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch
New file
@@ -0,0 +1,76 @@
From a3f3310a41ed5af1c701fea5dd7892dd9409e7d8 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:42 +0200
Subject: [PATCH 02/30] virtio-net: out-of-bounds buffer write on load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-2-git-send-email-mst@redhat.com>
Patchwork-id: 58840
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: out-of-bounds buffer write on load
Bugzilla: 1095684
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
Bugzilla: 1095684
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
---
 hw/net/virtio-net.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/net/virtio-net.c |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 2d559e0..f6ed241 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1273,10 +1273,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
             qemu_get_buffer(f, n->mac_table.macs,
                             n->mac_table.in_use * ETH_ALEN);
-        } else if (n->mac_table.in_use) {
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
-            g_free(buf);
+        } else {
+            int64_t i;
+
+            /* Overflow detected - can happen if source has a larger MAC table.
+             * We simply set overflow flag so there's no need to maintain the
+             * table of addresses, discard them all.
+             * Note: 64 bit math to avoid integer overflow.
+             */
+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
+                qemu_get_byte(f);
+            }
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
             n->mac_table.in_use = 0;
         }
--
1.7.1
SOURCES/kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
New file
@@ -0,0 +1,74 @@
From 246b73b5e55eedcc30a213a685a46ad2f117862e Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:49 +0200
Subject: [PATCH 04/30] virtio: out-of-bounds buffer write on invalid state load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-4-git-send-email-mst@redhat.com>
Patchwork-id: 58842
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: out-of-bounds buffer write on invalid state load
Bugzilla: 1095694
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
    num = qemu_get_be32(f);
    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla: 1095694
---
 hw/virtio/virtio.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index b5bb0b6..070d64e 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -851,7 +851,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
-    int num, i, ret;
+    int i, ret;
+    uint32_t num;
     uint32_t features;
     uint32_t supported_features;
     BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
@@ -879,6 +880,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     num = qemu_get_be32(f);
+    if (num > VIRTIO_PCI_QUEUE_MAX) {
+        error_report("Invalid number of PCI queues: 0x%x", num);
+        return -1;
+    }
+
     for (i = 0; i < num; i++) {
         vdev->vq[i].vring.num = qemu_get_be32(f);
         vdev->vq[i].pa = qemu_get_be64(f);
--
1.7.1
SOURCES/kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
New file
@@ -0,0 +1,88 @@
From 1900368b14d425fdfe1b084892d7e2b86ba64903 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:55 +0200
Subject: [PATCH 06/30] virtio-scsi: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-11-git-send-email-mst@redhat.com>
Patchwork-id: 58844
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-scsi: fix buffer overrun on invalid state load
Bugzilla: 1095741
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095741
---
 hw/scsi/virtio-scsi.c | 9 +++++++++
 1 file changed, 9 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/scsi/virtio-scsi.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 57541b4..7cf3e4b 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -145,6 +145,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
     qemu_get_be32s(f, &n);
     assert(n < vs->conf.num_queues);
     qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+    /* TODO: add a way for SCSIBusInfo's load_request to fail,
+     * and fail migration instead of asserting here.
+     * When we do, we might be able to re-enable NDEBUG below.
+     */
+#ifdef NDEBUG
+#error building with NDEBUG is not supported
+#endif
+    assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
+    assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
     virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
     scsi_req_ref(sreq);
--
1.7.1
SOURCES/kvm-virtio-validate-config_len-on-load.patch
New file
@@ -0,0 +1,69 @@
From 3a5fadc2341be9efd129aed5cd04ebdba2cdc36d Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:07:58 +0200
Subject: [PATCH 07/30] virtio: validate config_len on load
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054498-4366-17-git-send-email-mst@redhat.com>
Patchwork-id: 58845
O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: validate config_len on load
Bugzilla: 1095782
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095782
---
 hw/virtio/virtio.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 9600a12..686dfbb 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -852,6 +852,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
     int i, ret;
+    int32_t config_len;
     uint32_t num;
     uint32_t features;
     uint32_t supported_features;
@@ -878,7 +879,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
                      features, supported_features);
         return -1;
     }
-    vdev->config_len = qemu_get_be32(f);
+    config_len = qemu_get_be32(f);
+    if (config_len != vdev->config_len) {
+        error_report("Unexpected config length 0x%x. Expected 0x%zx",
+                     config_len, vdev->config_len);
+        return -1;
+    }
     qemu_get_buffer(f, vdev->config, vdev->config_len);
     num = qemu_get_be32(f);
--
1.7.1
SOURCES/kvm-virtio-validate-num_sg-when-mapping.patch
New file
@@ -0,0 +1,62 @@
From 24625e2c2eb6e259b621c7ff11671977fa705578 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:11:56 +0200
Subject: [PATCH 08/30] virtio: validate num_sg when mapping
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400054952-6106-1-git-send-email-mst@redhat.com>
Patchwork-id: 58846
O-Subject: [PATCH qemu-kvm RHEL7.0 1/2] virtio: validate num_sg when mapping
Bugzilla: 1095765
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Amos Kong <akong@redhat.com>
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Tested: lightly on developer's box
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
Bugzilla:1095765
---
 hw/virtio/virtio.c | 6 ++++++
 1 file changed, 6 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/virtio/virtio.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 686dfbb..2667390 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -423,6 +423,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
     unsigned int i;
     hwaddr len;
+    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+        error_report("virtio: map attempt out of bounds: %zd > %d",
+                     num_sg, VIRTQUEUE_MAX_SIZE);
+        exit(1);
+    }
+
     for (i = 0; i < num_sg; i++) {
         len = sg[i].iov_len;
         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
--
1.7.1
SOURCES/kvm-vmstate-add-VMSTATE_VALIDATE.patch
New file
@@ -0,0 +1,51 @@
From 1886b0146de0847ff5f81e5d89ba3893bbab63fc Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:24:33 +0200
Subject: [PATCH 11/30] vmstate: add VMSTATE_VALIDATE
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055633-6261-3-git-send-email-mst@redhat.com>
Patchwork-id: 58850
O-Subject: [PATCH qemu-kvm RHEL7.0.z 3/5] vmstate: add VMSTATE_VALIDATE
Bugzilla: 1095706
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
---
 include/migration/vmstate.h | 8 ++++++++
 1 file changed, 8 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 include/migration/vmstate.h |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 95d1ce6..f2652e6 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -202,6 +202,14 @@ extern const VMStateInfo vmstate_info_bitmap;
     .offset       = vmstate_offset_value(_state, _field, _type),     \
 }
+/* Validate state using a boolean predicate. */
+#define VMSTATE_VALIDATE(_name, _test) { \
+    .name         = (_name),                                         \
+    .field_exists = (_test),                                         \
+    .flags        = VMS_ARRAY | VMS_MUST_EXIST,                      \
+    .num          = 0, /* 0 elements: no data, only run _test */     \
+}
+
 #define VMSTATE_POINTER(_field, _state, _version, _info, _type) {    \
     .name       = (stringify(_field)),                               \
     .version_id = (_version),                                        \
--
1.7.1
SOURCES/kvm-vmstate-add-VMS_MUST_EXIST.patch
New file
@@ -0,0 +1,76 @@
From 939cbb6cf8128369e0ca2ec21b33d2fc40699142 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Wed, 14 May 2014 08:24:29 +0200
Subject: [PATCH 10/30] vmstate: add VMS_MUST_EXIST
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400055633-6261-2-git-send-email-mst@redhat.com>
Patchwork-id: 58849
O-Subject: [PATCH qemu-kvm RHEL7.0.z 2/5] vmstate: add VMS_MUST_EXIST
Bugzilla: 1095706
RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Juan Quintela <quintela@redhat.com>
Can be used to verify a required field exists or validate
state in some other way.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
---
 include/migration/vmstate.h |  1 +
 savevm.c                    | 10 ++++++++++
 2 files changed, 11 insertions(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 include/migration/vmstate.h |    1 +
 savevm.c                    |   10 ++++++++++
 2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 11d93e1..95d1ce6 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -98,6 +98,7 @@ enum VMStateFlags {
     VMS_MULTIPLY         = 0x200,  /* multiply "size" field by field_size */
     VMS_VARRAY_UINT8     = 0x400,  /* Array with size in uint8_t field*/
     VMS_VARRAY_UINT32    = 0x800,  /* Array with size in uint32_t field*/
+    VMS_MUST_EXIST       = 0x1000, /* Field must exist in input */
 };
 typedef struct {
diff --git a/savevm.c b/savevm.c
index 6efbb75..5d1b563 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1740,6 +1740,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
                     return ret;
                 }
             }
+        } else if (field->flags & VMS_MUST_EXIST) {
+            fprintf(stderr, "Input validation failed: %s/%s\n",
+                    vmsd->name, field->name);
+            return -1;
         }
         field++;
     }
@@ -1800,6 +1804,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
                     field->info->put(f, addr, size);
                 }
             }
+        } else {
+            if (field->flags & VMS_MUST_EXIST) {
+                fprintf(stderr, "Output state validation failed: %s/%s\n",
+                        vmsd->name, field->name);
+                assert(!(field->flags & VMS_MUST_EXIST));
+            }
         }
         field++;
     }
--
1.7.1
SOURCES/kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch
New file
@@ -0,0 +1,110 @@
From c878c42b892a18de84888766f14107005b4c4466 Mon Sep 17 00:00:00 2001
From: Michael S. Tsirkin <mst@redhat.com>
Date: Mon, 19 May 2014 09:57:37 +0200
Subject: [PATCH 1/2] kvm: zero-initialize KVM_SET_GSI_ROUTING input
RH-Author: Michael S. Tsirkin <mst@redhat.com>
Message-id: <1400493448-29146-2-git-send-email-mst@redhat.com>
Patchwork-id: 58948
O-Subject: [PATCH qemu-kvm RHEL7.1 1/2] kvm: zero-initialize KVM_SET_GSI_ROUTING input
Bugzilla: 1110693
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
kvm_add_routing_entry makes an attempt to
zero-initialize any new routing entry.
However, it fails to initialize padding
within the u field of the structure
kvm_irq_routing_entry.
Other functions like kvm_irqchip_update_msi_route
also fail to initialize the padding field in
kvm_irq_routing_entry.
It's better to just make sure all input is initialized.
Once it is, we can also drop complex field by field assignment and just
do the simple *a = *b to update a route entry.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
(cherry picked from commit 0fbc20740342713f282b118b4a446c4c43df3f4a)
---
 kvm-all.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 kvm-all.c |   19 +++++++------------
 1 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/kvm-all.c b/kvm-all.c
index adc0a8e..592301a 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -988,11 +988,8 @@ static void kvm_add_routing_entry(KVMState *s,
     }
     n = s->irq_routes->nr++;
     new = &s->irq_routes->entries[n];
-    memset(new, 0, sizeof(*new));
-    new->gsi = entry->gsi;
-    new->type = entry->type;
-    new->flags = entry->flags;
-    new->u = entry->u;
+
+    *new = *entry;
     set_gsi(s, entry->gsi);
@@ -1011,9 +1008,7 @@ static int kvm_update_routing_entry(KVMState *s,
             continue;
         }
-        entry->type = new_entry->type;
-        entry->flags = new_entry->flags;
-        entry->u = new_entry->u;
+        *entry = *new_entry;
         kvm_irqchip_commit_routes(s);
@@ -1025,7 +1020,7 @@ static int kvm_update_routing_entry(KVMState *s,
 void kvm_irqchip_add_irq_route(KVMState *s, int irq, int irqchip, int pin)
 {
-    struct kvm_irq_routing_entry e;
+    struct kvm_irq_routing_entry e = {};
     assert(pin < s->gsi_count);
@@ -1138,7 +1133,7 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg)
             return virq;
         }
-        route = g_malloc(sizeof(KVMMSIRoute));
+        route = g_malloc0(sizeof(KVMMSIRoute));
         route->kroute.gsi = virq;
         route->kroute.type = KVM_IRQ_ROUTING_MSI;
         route->kroute.flags = 0;
@@ -1159,7 +1154,7 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg)
 int kvm_irqchip_add_msi_route(KVMState *s, MSIMessage msg)
 {
-    struct kvm_irq_routing_entry kroute;
+    struct kvm_irq_routing_entry kroute = {};
     int virq;
     if (!kvm_gsi_routing_enabled()) {
@@ -1185,7 +1180,7 @@ int kvm_irqchip_add_msi_route(KVMState *s, MSIMessage msg)
 int kvm_irqchip_update_msi_route(KVMState *s, int virq, MSIMessage msg)
 {
-    struct kvm_irq_routing_entry kroute;
+    struct kvm_irq_routing_entry kroute = {};
     if (!kvm_irqchip_in_kernel()) {
         return -ENOSYS;
--
1.7.1
SPECS/qemu-kvm.spec
@@ -73,7 +73,7 @@
Summary: QEMU is a FAST! processor emulator
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
Release: 60%{?dist}_0.2
Release: 60%{?dist}.5
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -2228,6 +2228,72 @@
Patch1090: kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch
# For bz#1094820 - Hot plug CPU not working with RHEL6  machine types running on RHEL7 host.
Patch1091: kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch
# For bz#1095677 - CVE-2013-4148 qemu-kvm: qemu: virtio-net: buffer overflow on invalid state load [rhel-7.0.z]
Patch1092: kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
# For bz#1095684 - CVE-2013-4149 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on load [rhel-7.0.z]
Patch1093: kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch
# For bz#1095689 - CVE-2013-4150 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on invalid state load [rhel-7.0.z]
Patch1094: kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
# For bz#1095694 - CVE-2013-4151 qemu-kvm: qemu: virtio: out-of-bounds buffer write on invalid state load [rhel-7.0.z]
Patch1095: kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
# For bz#1095737 - CVE-2013-6399 qemu-kvm: qemu: virtio: buffer overrun on incoming migration [rhel-7.0.z]
Patch1096: kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch
# For bz#1095741 - CVE-2013-4542 qemu-kvm: qemu: virtio-scsi: buffer overrun on invalid state load [rhel-7.0.z]
Patch1097: kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
# For bz#1095782 - CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z]
Patch1098: kvm-virtio-validate-config_len-on-load.patch
# For bz#1095765 - CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z]
Patch1099: kvm-virtio-validate-num_sg-when-mapping.patch
# For bz#1095765 - CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z]
Patch1100: kvm-virtio-allow-mapping-up-to-max-queue-size.patch
# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
Patch1101: kvm-vmstate-add-VMS_MUST_EXIST.patch
# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
Patch1102: kvm-vmstate-add-VMSTATE_VALIDATE.patch
# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
Patch1103: kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch
# For bz#1095714 - CVE-2013-4529 qemu-kvm: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load [rhel-7.0.z]
Patch1104: kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
# For bz#1095746 - CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z]
Patch1105: kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch
# For bz#1095746 - CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z]
Patch1106: kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch
# For bz#1096828 - CVE-2014-3461 qemu-kvm: Qemu: usb: fix up post load checks [rhel-7.0.z]
Patch1107: kvm-usb-fix-up-post-load-checks.patch
# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
Patch1108: kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch
# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
Patch1109: kvm-Provide-init-function-for-ram-migration.patch
# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
Patch1110: kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch
# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
Patch1111: kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch
# For bz#1110189 - migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics
Patch1112: kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch
# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
Patch1113: kvm-qcow-correctly-propagate-errors.patch
# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
Patch1114: kvm-qcow1-Make-padding-in-the-header-explicit.patch
# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
Patch1115: kvm-qcow1-Check-maximum-cluster-size.patch
# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
Patch1116: kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
# For bz#1097236 - CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z]
Patch1117: kvm-qcow1-Validate-image-size-CVE-2014-0223.patch
# For bz#1097236 - CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z]
Patch1118: kvm-qcow1-Stricter-backing-file-length-check.patch
# For bz#1110219 - Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again
Patch1119: kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch
# For bz#1110188 - qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)
Patch1120: kvm-qcow2-Free-preallocated-zero-clusters.patch
# For bz#1110188 - qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)
Patch1121: kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch
# For bz#1110693 - 2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput
Patch1122: kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch
# For bz#1110693 - 2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput
Patch1123: kvm-skip-system-call-when-msi-route-is-unchanged.patch
# For bz#1095782 - CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z]
Patch1124: kvm-Allow-mismatched-virtio-config-len.patch
BuildRequires: zlib-devel
@@ -3521,6 +3587,39 @@
%patch1089 -p1
%patch1090 -p1
%patch1091 -p1
%patch1092 -p1
%patch1093 -p1
%patch1094 -p1
%patch1095 -p1
%patch1096 -p1
%patch1097 -p1
%patch1098 -p1
%patch1099 -p1
%patch1100 -p1
%patch1101 -p1
%patch1102 -p1
%patch1103 -p1
%patch1104 -p1
%patch1105 -p1
%patch1106 -p1
%patch1107 -p1
%patch1108 -p1
%patch1109 -p1
%patch1110 -p1
%patch1111 -p1
%patch1112 -p1
%patch1113 -p1
%patch1114 -p1
%patch1115 -p1
%patch1116 -p1
%patch1117 -p1
%patch1118 -p1
%patch1119 -p1
%patch1120 -p1
%patch1121 -p1
%patch1122 -p1
%patch1123 -p1
%patch1124 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -3937,6 +4036,85 @@
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Wed Jul 02 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.5
- kvm-Allow-mismatched-virtio-config-len.patch [bz#1095782]
- Resolves: bz#1095782
  (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z])
* Wed Jun 18 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.4
- kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch [bz#1110693]
- kvm-skip-system-call-when-msi-route-is-unchanged.patch [bz#1110693]
- Resolves: bz#1110693
  (2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput)
* Tue Jun 17 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.3
- kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch [bz#1095677]
- kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch [bz#1095684]
- kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch [bz#1095689]
- kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch [bz#1095694]
- kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch [bz#1095737]
- kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095741]
- kvm-virtio-validate-config_len-on-load.patch [bz#1095782]
- kvm-virtio-validate-num_sg-when-mapping.patch [bz#1095765]
- kvm-virtio-allow-mapping-up-to-max-queue-size.patch [bz#1095765]
- kvm-vmstate-add-VMS_MUST_EXIST.patch [bz#1095706]
- kvm-vmstate-add-VMSTATE_VALIDATE.patch [bz#1095706]
- kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095706]
- kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch [bz#1095714]
- kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch [bz#1095746]
- kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch [bz#1095746]
- kvm-usb-fix-up-post-load-checks.patch [bz#1096828]
- kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch [bz#1110191]
- kvm-Provide-init-function-for-ram-migration.patch [bz#1110191]
- kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch [bz#1110191]
- kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch [bz#1110191]
- kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch [bz#1110189]
- kvm-qcow-correctly-propagate-errors.patch [bz#1097229]
- kvm-qcow1-Make-padding-in-the-header-explicit.patch [bz#1097229]
- kvm-qcow1-Check-maximum-cluster-size.patch [bz#1097229]
- kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch [bz#1097229]
- kvm-qcow1-Validate-image-size-CVE-2014-0223.patch [bz#1097236]
- kvm-qcow1-Stricter-backing-file-length-check.patch [bz#1097236]
- kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch [bz#1110219]
- kvm-qcow2-Free-preallocated-zero-clusters.patch [bz#1110188]
- kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch [bz#1110188]
- Resolves: bz#1095677
  (CVE-2013-4148 qemu-kvm: qemu: virtio-net: buffer overflow on invalid state load [rhel-7.0.z])
- Resolves: bz#1095684
  (CVE-2013-4149 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on load [rhel-7.0.z])
- Resolves: bz#1095689
  (CVE-2013-4150 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on invalid state load [rhel-7.0.z])
- Resolves: bz#1095694
  (CVE-2013-4151 qemu-kvm: qemu: virtio: out-of-bounds buffer write on invalid state load [rhel-7.0.z])
- Resolves: bz#1095706
  (CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z])
- Resolves: bz#1095714
  (CVE-2013-4529 qemu-kvm: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load [rhel-7.0.z])
- Resolves: bz#1095737
  (CVE-2013-6399 qemu-kvm: qemu: virtio: buffer overrun on incoming migration [rhel-7.0.z])
- Resolves: bz#1095741
  (CVE-2013-4542 qemu-kvm: qemu: virtio-scsi: buffer overrun on invalid state load [rhel-7.0.z])
- Resolves: bz#1095746
  (CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z])
- Resolves: bz#1095765
  (CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z])
- Resolves: bz#1095782
  (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z])
- Resolves: bz#1096828
  (CVE-2014-3461 qemu-kvm: Qemu: usb: fix up post load checks [rhel-7.0.z])
- Resolves: bz#1097229
  (CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z])
- Resolves: bz#1097236
  (CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z])
- Resolves: bz#1110188
  (qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi))
- Resolves: bz#1110189
  (migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics)
- Resolves: bz#1110191
  (Reduce the migrate cache size during migration causes qemu segment fault)
- Resolves: bz#1110219
  (Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again)
* Wed May 07 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.2
- kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch [bz#1094820]
- Resolves: bz#1094820