From 723d95470d87017f54e3f216fa652e94c9abf625 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Sep 11 2014 19:58:04 +0000
Subject: Rebased to version 2.1.1 CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956) CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz #1139115)
---
diff --git a/0001-block.curl-adding-timeout-option.patch b/0001-block.curl-adding-timeout-option.patch
deleted file mode 100644
index a52d6bd..0000000
--- a/0001-block.curl-adding-timeout-option.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 212aefaa53d142baa9a22f5aadd2e72eb916c0c0 Mon Sep 17 00:00:00 2001 -From: Daniel Henrique Barboza -Date: Wed, 13 Aug 2014 12:44:27 -0300 -Subject: [PATCH] block.curl: adding 'timeout' option - -The curl hardcoded timeout (5 seconds) sometimes is not long -enough depending on the remote server configuration and network -traffic. The user should be able to set how much long he is -willing to wait for the connection. - -Adding a new option to set this timeout gives the user this -flexibility. The previous default timeout of 5 seconds will be -used if this option is not present. - -Reviewed-by: Fam Zheng -Signed-off-by: Daniel Henrique Barboza -Reviewed-by: Benoit Canet -Tested-by: Richard W.M. Jones -Signed-off-by: Stefan Hajnoczi ---- - block/curl.c | 13 ++++++++++++- - qemu-options.hx | 10 ++++++++-- - 2 files changed, 20 insertions(+), 3 deletions(-) - -diff --git a/block/curl.c b/block/curl.c -index d4b85d2..2698ae3 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_NUM_ACB 8 - #define SECTOR_SIZE 512 - #define READ_AHEAD_DEFAULT (256 * 1024) -+#define CURL_TIMEOUT_DEFAULT 5 - - #define FIND_RET_NONE 0 - #define FIND_RET_OK 1 -@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_BLOCK_OPT_URL "url" - #define CURL_BLOCK_OPT_READAHEAD "readahead" - #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" -+#define CURL_BLOCK_OPT_TIMEOUT "timeout" - - struct BDRVCURLState; - -@@ -109,6 +111,7 @@ typedef struct BDRVCURLState { - char *url; - size_t readahead_size; - bool sslverify; -+ int timeout; - bool accept_range; - AioContext *aio_context; - } BDRVCURLState; -@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) - curl_easy_setopt(state->curl, CURLOPT_URL, s->url); - curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, - (long) s->sslverify); -- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5); 
-+ curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); - curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, - (void *)curl_read_cb); - curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state); -@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = { - .type = QEMU_OPT_BOOL, - .help = "Verify SSL certificate" - }, -+ { -+ .name = CURL_BLOCK_OPT_TIMEOUT, -+ .type = QEMU_OPT_NUMBER, -+ .help = "Curl timeout" -+ }, - { /* end of list */ } - }, - }; -@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - goto out_noclean; - } - -+ s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT, -+ CURL_TIMEOUT_DEFAULT); -+ - s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); - - file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); -diff --git a/qemu-options.hx b/qemu-options.hx -index c573dd8..52d56f4 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k. - @item sslverify - Whether to verify the remote server's certificate when connecting over SSL. It - can have the value 'on' or 'off'. It defaults to 'on'. -+ -+@item timeout -+Set the timeout in seconds of the CURL connection. This timeout is the time -+that CURL waits for a response from the remote server to get the size of the -+image to be downloaded. If not set, the default timeout of 5 seconds is used. - @end table - - Note that when passing options to qemu explicitly, @option{driver} is the value -@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o - @end example - - Example: boot from an image stored on a VMware vSphere server with a self-signed --certificate using a local overlay for writes and a readahead of 64k -+certificate using a local overlay for writes, a readahead of 64k and a timeout -+of 10 seconds. 
- @example --qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2 -+qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2 - - qemu-system-x86_64 -drive file=/tmp/test.qcow2 - @end example --- -2.0.4 - diff --git a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch deleted file mode 100644 index 281cb42..0000000 --- a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From a94f83d94fdf907680f068f1be7ad13d1f697067 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Fri, 29 Aug 2014 16:03:12 +0100 -Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https - requests. - -In order to access VMware ESX efficiently, we need to send a session -cookie. This patch is very simple and just allows you to send that -session cookie. It punts on the question of how you get the session -cookie in the first place, but in practice you can just run a `curl' -command against the server and extract the cookie that way. - -To use it, add file.cookie to the curl URL. For example: - -$ qemu-img info 'json: { - "file.driver":"https", - "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1", - "file.sslverify":"off", - "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}' -image: [...] -file format: raw -virtual size: 8.0G (8589934592 bytes) -disk size: unavailable - -Signed-off-by: Richard W.M. 
Jones -Signed-off-by: Stefan Hajnoczi ---- - block/curl.c | 16 ++++++++++++++++ - qemu-options.hx | 5 +++++ - 2 files changed, 21 insertions(+) - -diff --git a/block/curl.c b/block/curl.c -index 2698ae3..9051bc0 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, - #define CURL_BLOCK_OPT_READAHEAD "readahead" - #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" - #define CURL_BLOCK_OPT_TIMEOUT "timeout" -+#define CURL_BLOCK_OPT_COOKIE "cookie" - - struct BDRVCURLState; - -@@ -112,6 +113,7 @@ typedef struct BDRVCURLState { - size_t readahead_size; - bool sslverify; - int timeout; -+ char *cookie; - bool accept_range; - AioContext *aio_context; - } BDRVCURLState; -@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s) - curl_easy_setopt(state->curl, CURLOPT_URL, s->url); - curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, - (long) s->sslverify); -+ if (s->cookie) { -+ curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie); -+ } - curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); - curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, - (void *)curl_read_cb); -@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = { - .type = QEMU_OPT_NUMBER, - .help = "Curl timeout" - }, -+ { -+ .name = CURL_BLOCK_OPT_COOKIE, -+ .type = QEMU_OPT_STRING, -+ .help = "Pass the cookie or list of cookies with each request" -+ }, - { /* end of list */ } - }, - }; -@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - QemuOpts *opts; - Error *local_err = NULL; - const char *file; -+ const char *cookie; - double d; - - static int inited = 0; -@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - - s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); - -+ cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE); -+ s->cookie = g_strdup(cookie); -+ - file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); - if 
(file == NULL) { - error_setg(errp, "curl block driver requires an 'url' option"); -@@ -593,6 +607,7 @@ out: - curl_easy_cleanup(state->curl); - state->curl = NULL; - out_noclean: -+ g_free(s->cookie); - g_free(s->url); - qemu_opts_del(opts); - return -EINVAL; -@@ -695,6 +710,7 @@ static void curl_close(BlockDriverState *bs) - DPRINTF("CURL: Close\n"); - curl_detach_aio_context(bs); - -+ g_free(s->cookie); - g_free(s->url); - } - -diff --git a/qemu-options.hx b/qemu-options.hx -index 52d56f4..5479cf5 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k. - Whether to verify the remote server's certificate when connecting over SSL. It - can have the value 'on' or 'off'. It defaults to 'on'. - -+@item cookie -+Send this cookie (it can also be a list of cookies separated by ';') with -+each outgoing request. Only supported when using protocols such as HTTP -+which support cookies, otherwise ignored. -+ - @item timeout - Set the timeout in seconds of the CURL connection. This timeout is the time - that CURL waits for a response from the remote server to get the size of the --- -2.0.4 - diff --git a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch deleted file mode 100644 index f8ef3c8..0000000 --- a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From a2f468e48f8b6559ec9123e94948bc373b788941 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Thu, 28 Aug 2014 09:04:21 +0100 -Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following -mechanical change was made: - - if (!state) { -- qemu_aio_wait(); -+ aio_poll(state->s->aio_context, true); - } - -The new code now checks if state is NULL and then dereferences it -('state->s') which is obviously incorrect. - -This commit replaces state->s->aio_context with -bdrv_get_aio_context(bs), fixing this problem. The two other hunks -are concerned with getting the BlockDriverState pointer bs to where it -is needed. - -The original bug causes a segfault when using libguestfs to access a -VMware vCenter Server and doing any kind of complex read-heavy -operations. With this commit the segfault goes away. - -Signed-off-by: Richard W.M. 
Jones -Reviewed-by: Paolo Bonzini -Reviewed-by: Benoît Canet -Signed-off-by: Stefan Hajnoczi ---- - block/curl.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/block/curl.c b/block/curl.c -index 9051bc0..0258339 100644 ---- a/block/curl.c -+++ b/block/curl.c -@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg) - #endif - } - --static CURLState *curl_init_state(BDRVCURLState *s) -+static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s) - { - CURLState *state = NULL; - int i, j; -@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) - break; - } - if (!state) { -- aio_poll(state->s->aio_context, true); -+ aio_poll(bdrv_get_aio_context(bs), true); - } - } while(!state); - -@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, - DPRINTF("CURL: Opening %s\n", file); - s->aio_context = bdrv_get_aio_context(bs); - s->url = g_strdup(file); -- state = curl_init_state(s); -+ state = curl_init_state(bs, s); - if (!state) - goto out_noclean; - -@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p) - } - - // No cache found, so let's start a new request -- state = curl_init_state(s); -+ state = curl_init_state(acb->common.bs, s); - if (!state) { - acb->common.cb(acb->common.opaque, -EIO); - qemu_aio_release(acb); --- -2.0.4 - diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch index 5be7cd9..4358d91 100644 --- a/0001-loader-Add-load_image_gzipped-function.patch +++ b/0001-loader-Add-load_image_gzipped-function.patch @@ -1,7 +1,7 @@ -From ddf2a3a69486376897ae654c8f1f0aa8cbae6c24 Mon Sep 17 00:00:00 2001 +From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001 
From: "Richard W.M. Jones" -Date: Mon, 4 Aug 2014 12:25:08 +0100 -Subject: [PATCH 1/2] loader: Add load_image_gzipped function. +Date: Tue, 19 Aug 2014 18:56:28 +0100 +Subject: [PATCH] loader: Add load_image_gzipped function. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -11,13 +11,20 @@ gzipped. It is uncompressed before storing it in guest memory. Signed-off-by: Richard W.M. Jones Reviewed-by: Alex Bennée +Reviewed-by: Peter Crosthwaite +Reviewed-by: Alex Bennée +Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com +[PMM: removed stray space before ')'] +Signed-off-by: Peter Maydell + +(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75) --- hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ include/hw/loader.h | 1 + 2 files changed, 49 insertions(+) diff --git a/hw/core/loader.c b/hw/core/loader.c -index 2bf6b8f..83136e8 100644 +index 2bf6b8f..0fde699 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz) @@ -47,7 +54,7 @@ index 2bf6b8f..83136e8 100644 + /* Is it a gzip-compressed file? */ + if (len < 2 || + compressed_data[0] != 0x1f || -+ compressed_data[1] != 0x8b ) { ++ compressed_data[1] != 0x8b) { + goto out; + } + @@ -87,6 +94,3 @@ index 796cbf9..00c9117 100644 #define ELF_LOAD_FAILED -1 #define ELF_LOAD_NOT_ELF -2 --- -2.0.4 - diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch index d2521c1..1702946 100644 --- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch @@ -1,7 +1,7 @@ -From fc77c3116f7e4b3400e576c51e73ade2edee350a Mon Sep 17 00:00:00 2001 +From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001 
From: "Richard W.M. Jones" -Date: Tue, 29 Jul 2014 23:32:31 +0100 -Subject: [PATCH 2/2] aarch64: Allow -kernel option to take a gzip-compressed +Date: Tue, 19 Aug 2014 18:56:28 +0100 +Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed kernel. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -25,36 +25,25 @@ Currently this is only done when emulating aarch64. Signed-off-by: Richard W.M. Jones Reviewed-by: Alex Bennée +Reviewed-by: Peter Crosthwaite +Reviewed-by: Alex Bennée +Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com +Signed-off-by: Peter Maydell +(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad) --- - hw/arm/boot.c | 9 +++++++++ - 1 file changed, 9 insertions(+) + hw/arm/boot.c | 7 +++++++ + 1 file changed, 7 insertions(+) diff --git a/hw/arm/boot.c b/hw/arm/boot.c -index 1241761..c71c4d5 100644 +index 3d1f4a2..b7d60aa 100644 --- a/hw/arm/boot.c 
+++ b/hw/arm/boot.c -@@ -448,6 +448,7 @@ static void do_cpu_reset(void *opaque) - void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) - { - CPUState *cs = CPU(cpu); -+ int allow_compressed_kernels = 0; - int kernel_size; - int initrd_size; - int is_linux = 0; -@@ -469,6 +470,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) - primary_loader = bootloader_aarch64; - kernel_load_offset = KERNEL64_LOAD_ADDR; - elf_machine = EM_AARCH64; -+ allow_compressed_kernels = 1; - } else { - primary_loader = bootloader; - kernel_load_offset = KERNEL_LOAD_ADDR; -@@ -514,6 +516,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) +@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) kernel_size = load_uimage(info->kernel_filename, &entry, NULL, &is_linux); } + /* On aarch64, it's the bootloader's job to uncompress the kernel. */ -+ if (allow_compressed_kernels && kernel_size < 0) { ++ if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) { + entry = info->loader_start + kernel_load_offset; + kernel_size = load_image_gzipped(info->kernel_filename, entry, + info->ram_size - kernel_load_offset); @@ -63,6 +52,3 @@ index 1241761..c71c4d5 100644 if (kernel_size < 0) { entry = info->loader_start + kernel_load_offset; kernel_size = load_image_targphys(info->kernel_filename, entry, --- -2.0.4 - diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch new file mode 100644 index 0000000..1cfbc69 --- /dev/null +++ b/0003-block.curl-adding-timeout-option.patch 
@@ -0,0 +1,113 @@ +From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001 +From: Daniel Henrique Barboza +Date: Wed, 13 Aug 2014 12:44:27 -0300 +Subject: [PATCH] block.curl: adding 'timeout' option + +The curl hardcoded timeout (5 seconds) sometimes is not long +enough depending on the remote server configuration and network +traffic. The user should be able to set how much long he is +willing to wait for the connection. + +Adding a new option to set this timeout gives the user this +flexibility. The previous default timeout of 5 seconds will be +used if this option is not present. + +Reviewed-by: Fam Zheng +Signed-off-by: Daniel Henrique Barboza +Reviewed-by: Benoit Canet +Tested-by: Richard W.M. Jones +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0) +--- + block/curl.c | 13 ++++++++++++- + qemu-options.hx | 10 ++++++++-- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/block/curl.c b/block/curl.c +index 79ff2f1..6f45547 100644 +--- a/block/curl.c ++++ b/block/curl.c +@@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, + #define CURL_NUM_ACB 8 + #define SECTOR_SIZE 512 + #define READ_AHEAD_DEFAULT (256 * 1024) ++#define CURL_TIMEOUT_DEFAULT 5 + + #define FIND_RET_NONE 0 + #define FIND_RET_OK 1 +@@ -71,6 +72,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, + #define CURL_BLOCK_OPT_URL "url" + #define CURL_BLOCK_OPT_READAHEAD "readahead" + #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" ++#define CURL_BLOCK_OPT_TIMEOUT "timeout" + + struct BDRVCURLState; + +@@ -109,6 +111,7 @@ typedef struct BDRVCURLState { + char *url; + size_t readahead_size; + bool sslverify; ++ int timeout; + bool accept_range; + AioContext *aio_context; + } BDRVCURLState; +@@ -382,7 +385,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) + curl_easy_setopt(state->curl, CURLOPT_URL, s->url); + curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, + (long) 
s->sslverify); +- curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, 5); ++ curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); + curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, + (void *)curl_read_cb); + curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state); +@@ -489,6 +492,11 @@ static QemuOptsList runtime_opts = { + .type = QEMU_OPT_BOOL, + .help = "Verify SSL certificate" + }, ++ { ++ .name = CURL_BLOCK_OPT_TIMEOUT, ++ .type = QEMU_OPT_NUMBER, ++ .help = "Curl timeout" ++ }, + { /* end of list */ } + }, + }; +@@ -525,6 +533,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, + goto out_noclean; + } + ++ s->timeout = qemu_opt_get_number(opts, CURL_BLOCK_OPT_TIMEOUT, ++ CURL_TIMEOUT_DEFAULT); ++ + s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); + + file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); +diff --git a/qemu-options.hx b/qemu-options.hx +index 1549625..dcb008b 100644 +--- a/qemu-options.hx ++++ b/qemu-options.hx +@@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k. + @item sslverify + Whether to verify the remote server's certificate when connecting over SSL. It + can have the value 'on' or 'off'. It defaults to 'on'. ++ ++@item timeout ++Set the timeout in seconds of the CURL connection. This timeout is the time ++that CURL waits for a response from the remote server to get the size of the ++image to be downloaded. If not set, the default timeout of 5 seconds is used. + @end table + + Note that when passing options to qemu explicitly, @option{driver} is the value +@@ -2372,9 +2377,10 @@ qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-o + @end example + + Example: boot from an image stored on a VMware vSphere server with a self-signed +-certificate using a local overlay for writes and a readahead of 64k ++certificate using a local overlay for writes, a readahead of 64k and a timeout ++of 10 seconds. 
+ @example +-qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k"@}' /tmp/test.qcow2 ++qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2 + + qemu-system-x86_64 -drive file=/tmp/test.qcow2 + @end example diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch new file mode 100644 index 0000000..345b94d --- /dev/null +++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch 
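Review bot: In curl_init_state, `curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout);` passes an `int` through libcurl's variadic setter, which reads a `long` for this option; the SSL_VERIFYPEER call just above casts with `(long)`, and this line should do the same: `curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, (long)s->timeout);`. The value reaches the `int timeout` field straight from the user-supplied `timeout` option via `qemu_opt_get_number` with no range check, so oversized values are silently truncated and a zero is passed through even though libcurl treats a timeout of 0 as no timeout at all; curl_open should reject values outside a sane positive range, and the qemu-options.hx text should state the 0 behaviour if it is meant to be allowed. The new option text also says the timeout covers only the size probe, while curl_init_state applies it to every CURL handle the driver creates, which looks like it covers the data reads as well — worth confirming and rewording. curl_init_state and curl_open both extend past the lines shown in this patch file.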
@@ -0,0 +1,124 @@ +From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Fri, 29 Aug 2014 16:03:12 +0100 +Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https + requests. + +In order to access VMware ESX efficiently, we need to send a session +cookie. This patch is very simple and just allows you to send that +session cookie. It punts on the question of how you get the session +cookie in the first place, but in practice you can just run a `curl' +command against the server and extract the cookie that way. + +To use it, add file.cookie to the curl URL. For example: + +$ qemu-img info 'json: { + "file.driver":"https", + "file.url":"https://vcenter/folder/Windows%202003/Windows%202003-flat.vmdk?dcPath=Datacenter&dsName=datastore1", + "file.sslverify":"off", + "file.cookie":"vmware_soap_session=\"52a01262-bf93-ccce-d379-8dabb3e55560\""}' +image: [...] +file format: raw +virtual size: 8.0G (8589934592 bytes) +disk size: unavailable + +Signed-off-by: Richard W.M. 
Jones +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067) +--- + block/curl.c | 16 ++++++++++++++++ + qemu-options.hx | 5 +++++ + 2 files changed, 21 insertions(+) + +diff --git a/block/curl.c b/block/curl.c +index 6f45547..537e257 100644 +--- a/block/curl.c ++++ b/block/curl.c +@@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, + #define CURL_BLOCK_OPT_READAHEAD "readahead" + #define CURL_BLOCK_OPT_SSLVERIFY "sslverify" + #define CURL_BLOCK_OPT_TIMEOUT "timeout" ++#define CURL_BLOCK_OPT_COOKIE "cookie" + + struct BDRVCURLState; + +@@ -112,6 +113,7 @@ typedef struct BDRVCURLState { + size_t readahead_size; + bool sslverify; + int timeout; ++ char *cookie; + bool accept_range; + AioContext *aio_context; + } BDRVCURLState; +@@ -385,6 +387,9 @@ static CURLState *curl_init_state(BDRVCURLState *s) + curl_easy_setopt(state->curl, CURLOPT_URL, s->url); + curl_easy_setopt(state->curl, CURLOPT_SSL_VERIFYPEER, + (long) s->sslverify); ++ if (s->cookie) { ++ curl_easy_setopt(state->curl, CURLOPT_COOKIE, s->cookie); ++ } + curl_easy_setopt(state->curl, CURLOPT_TIMEOUT, s->timeout); + curl_easy_setopt(state->curl, CURLOPT_WRITEFUNCTION, + (void *)curl_read_cb); +@@ -497,6 +502,11 @@ static QemuOptsList runtime_opts = { + .type = QEMU_OPT_NUMBER, + .help = "Curl timeout" + }, ++ { ++ .name = CURL_BLOCK_OPT_COOKIE, ++ .type = QEMU_OPT_STRING, ++ .help = "Pass the cookie or list of cookies with each request" ++ }, + { /* end of list */ } + }, + }; +@@ -509,6 +519,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, + QemuOpts *opts; + Error *local_err = NULL; + const char *file; ++ const char *cookie; + double d; + + static int inited = 0; +@@ -538,6 +549,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, + + s->sslverify = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_SSLVERIFY, true); + ++ cookie = qemu_opt_get(opts, CURL_BLOCK_OPT_COOKIE); ++ s->cookie = 
g_strdup(cookie); ++ + file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); + if (file == NULL) { + error_setg(errp, "curl block driver requires an 'url' option"); +@@ -593,6 +607,7 @@ out: + curl_easy_cleanup(state->curl); + state->curl = NULL; + out_noclean: ++ g_free(s->cookie); + g_free(s->url); + qemu_opts_del(opts); + return -EINVAL; +@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs) + DPRINTF("CURL: Close\n"); + curl_detach_aio_context(bs); + ++ g_free(s->cookie); + g_free(s->url); + } + +diff --git a/qemu-options.hx b/qemu-options.hx +index dcb008b..53b6171 100644 +--- a/qemu-options.hx ++++ b/qemu-options.hx +@@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k. + Whether to verify the remote server's certificate when connecting over SSL. It + can have the value 'on' or 'off'. It defaults to 'on'. + ++@item cookie ++Send this cookie (it can also be a list of cookies separated by ';') with ++each outgoing request. Only supported when using protocols such as HTTP ++which support cookies, otherwise ignored. ++ + @item timeout + Set the timeout in seconds of the CURL connection. This timeout is the time + that CURL waits for a response from the remote server to get the size of the diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch new file mode 100644 index 0000000..594dc3f --- /dev/null +++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch 
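Review bot: The value stored by `s->cookie = g_strdup(cookie);` in curl_open is a session credential (the commit message's own example carries a vmware_soap_session token), but it is taken as an ordinary `QEMU_OPT_STRING` option, so it sits in the process argument list and potentially wherever the block layer reports its open options; the help text `Pass the cookie or list of cookies with each request` and the qemu-options.hx entry should say that the value is a secret and is exposed that way, and a later option that sources the cookie from a protected store rather than the command line would be the durable fix. Both cleanup paths release it with a plain `g_free(s->cookie)`, which leaves the token in freed heap memory; clearing it before freeing, if the project has an explicit-zeroing helper, would narrow that window. curl_open and curl_close extend beyond the lines shown in this patch file.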
@@ -0,0 +1,77 @@ +From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Thu, 28 Aug 2014 09:04:21 +0100 +Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In commit 63f0f45f2e89b60ff8245fec81328ddfde42a303 the following +mechanical change was made: + + if (!state) { +- qemu_aio_wait(); ++ aio_poll(state->s->aio_context, true); + } + +The new code now checks if state is NULL and then dereferences it +('state->s') which is obviously incorrect. + +This commit replaces state->s->aio_context with +bdrv_get_aio_context(bs), fixing this problem. The two other hunks +are concerned with getting the BlockDriverState pointer bs to where it +is needed. + +The original bug causes a segfault when using libguestfs to access a +VMware vCenter Server and doing any kind of complex read-heavy +operations. With this commit the segfault goes away. + +Signed-off-by: Richard W.M. 
Jones +Reviewed-by: Paolo Bonzini +Reviewed-by: Benoît Canet +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941) +--- + block/curl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/block/curl.c b/block/curl.c +index 537e257..d28b701 100644 +--- a/block/curl.c ++++ b/block/curl.c +@@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg) + #endif + } + +-static CURLState *curl_init_state(BDRVCURLState *s) ++static CURLState *curl_init_state(BlockDriverState *bs, BDRVCURLState *s) + { + CURLState *state = NULL; + int i, j; +@@ -375,7 +375,7 @@ static CURLState *curl_init_state(BDRVCURLState *s) + break; + } + if (!state) { +- aio_poll(state->s->aio_context, true); ++ aio_poll(bdrv_get_aio_context(bs), true); + } + } while(!state); + +@@ -566,7 +566,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags, + DPRINTF("CURL: Opening %s\n", file); + s->aio_context = bdrv_get_aio_context(bs); + s->url = g_strdup(file); +- state = curl_init_state(s); ++ state = curl_init_state(bs, s); + if (!state) + goto out_noclean; + +@@ -651,7 +651,7 @@ static void curl_readv_bh_cb(void *p) + } + + // No cache found, so let's start a new request +- state = curl_init_state(s); ++ state = curl_init_state(acb->common.bs, s); + if (!state) { + acb->common.cb(acb->common.opaque, -EIO); + qemu_aio_release(acb); diff --git a/qemu.spec b/qemu.spec index 6a01fff..17a44eb 100644 --- a/qemu.spec +++ b/qemu.spec @@ -151,8 +151,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.1.0 -Release: 6%{?dist} +Version: 2.1.1 +Release: 1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
@@ -192,16 +192,13 @@ Source12: bridge.conf # qemu-kvm back compat wrapper Source13: qemu-kvm.sh -# Upstream commit: 235e74afcb85285a8e35e75f0cb6e6811267bb75 -Patch1: 0001-loader-Add-load_image_gzipped-function.patch -# Upstream commit: 6f5d3cbe8892367026526a7deed0ceecc700a7ad -Patch2: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch -# Upstream commit: 212aefaa53d142baa9a22f5aadd2e72eb916c0c0 -Patch3: 0001-block.curl-adding-timeout-option.patch -# Upstream commit: a94f83d94fdf907680f068f1be7ad13d1f697067 -Patch4: 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch -# Upstream commit: a2f468e48f8b6559ec9123e94948bc373b788941 -Patch5: 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +# Allow aarch64 to boot compressed kernel +Patch0001: 0001-loader-Add-load_image_gzipped-function.patch +Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +# Fix crash in curl driver +Patch0003: 0003-block.curl-adding-timeout-option.patch +Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -727,11 +724,13 @@ CAC emulation development files. %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +# Allow aarch64 to boot compressed kernel +%patch0001 -p1 +%patch0002 -p1 +# Fix crash in curl driver +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 %build @@ -1511,6 +1510,12 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Thu Sep 11 2014 Cole Robinson - 2:2.1.1-1 +- Rebased to version 2.1.1 +- CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956) +- CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz + #1139115) + * Wed Sep 3 2014 Richard W.M. Jones 2:2.1.0-6 - Add upstream patches to: * Fix crash in curl driver. diff --git a/sources b/sources index 1db3d6d..bb54534 100644 --- a/sources +++ b/sources 
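Review bot: The new `# Fix crash in curl driver` comment in the Patch list (and again in %prep) labels Patch0003 and Patch0004 as crash fixes, but their subjects in this same commit add the curl `timeout` and `cookie` options; only Patch0005 is the NULL-dereference fix, and the index lines in the three patch files (79ff2f1 to 6f45547 to 537e257 to d28b701) show that 0003 and 0004 are presumably carried so 0005 applies cleanly. Splitting the comment keeps the spec honest about what each patch changes, e.g. `# curl: timeout and cookie options, context for the crash fix below` above Patch0003 and `# Fix crash in curl driver` above Patch0005, mirrored in %prep. The dropped `# Upstream commit:` lines are not a loss, since each patch file now carries a `(cherry picked from commit ...)` trailer.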
@@ -1 +1 @@
-6726977292b448cbc7f89998fac6983b qemu-2.1.0.tar.bz2
+78b1b51bfa2eee424e1bfdf3b66daa64 qemu-2.1.1.tar.bz2