diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
new file mode 100644
index 0000000..9401ea7
--- /dev/null
+++ b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
@@ -0,0 +1,94 @@
+From: Aurelien Jarno
+Date: Sun, 13 Sep 2015 23:03:44 +0200
+Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
+ vpermxor
+
+For vector instructions, the helpers get pointers to the vector register
+in arguments. Some operands might point to the same register, including
+the operand holding the result.
+
+When emulating instructions which access the vector elements in a
+non-linear way, we need to store the result in an temporary variable.
+
+This fixes openssl when emulating a POWER8 CPU.
+
+Cc: Tom Musta
+Cc: Alexander Graf
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno
+---
+ target-ppc/int_helper.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
+index 0a55d5e..b122868 100644
+--- a/target-ppc/int_helper.c
++++ b/target-ppc/int_helper.c
+@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
+
+ void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u32) {
+- r->AVRW(i) = b->AVRW(i) ^
++ result.AVRW(i) = b->AVRW(i) ^
+ (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
+ AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
+ AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
+ AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
+ }
++ *r = result;
+ }
+
+ void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u8) {
+- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
++ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
+ }
++ *r = result;
+ }
+
+ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+
+ void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++ ppc_avr_t result;
+ int i;
+
+ VECTOR_FOR_INORDER_I(i, u8) {
+- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
++ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
+ }
++ *r = result;
+ }
+
+ #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
+@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six)
+
+ void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
+ {
++ ppc_avr_t result;
+ int i;
++
+ VECTOR_FOR_INORDER_I(i, u8) {
+ int indexA = c->u8[i] >> 4;
+ int indexB = c->u8[i] & 0xF;
+ #if defined(HOST_WORDS_BIGENDIAN)
+- r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
++ result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
+ #else
+- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
++ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
+ #endif
+ }
++ *r = result;
+ }
+
+ #undef VECTOR_FOR_INORDER_I
diff --git a/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch b/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
deleted file mode 100644
index fbe778b..0000000
--- a/0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Gerd Hoffmann
-Date: Mon, 17 Aug 2015 19:56:53 +0200
-Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
-memory corruption issues" can become negative. Result is (possibly
-exploitable) memory corruption. Reason for that is it uses the stride
-instead of bytes per scanline to apply limits.
-
-For the server surface is is actually fine. vnc creates that itself,
-there is never any padding and thus scanline length always equals stride.
-
-For the guest surface scanline length and stride are typically identical
-too, but it doesn't has to be that way. So add and use a new variable
-(guest_ll) for the guest scanline length. Also rename min_stride to
-line_bytes to make more clear what it actually is. Finally sprinkle
-in an assert() to make sure we never use a negative _cmp_bytes again.
-
-Reported-by: 范祚至(库特)
-Reviewed-by: P J P
-Signed-off-by: Gerd Hoffmann
-(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
----
- ui/vnc.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index e26973a..caf82f5 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- pixman_image_get_width(vd->server));
- int height = MIN(pixman_image_get_height(vd->guest.fb),
- pixman_image_get_height(vd->server));
-- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
-+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
- uint8_t *guest_row0 = NULL, *server_row0;
- VncState *vs;
- int has_dirty = 0;
-@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- * Update server dirty map.
- */
- server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
-- server_stride = guest_stride = pixman_image_get_stride(vd->server);
-+ server_stride = guest_stride = guest_ll =
-+ pixman_image_get_stride(vd->server);
- cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
- server_stride);
- if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
- int width = pixman_image_get_width(vd->server);
- tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
- } else {
-+ int guest_bpp =
-+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
- guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
- guest_stride = pixman_image_get_stride(vd->guest.fb);
-+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
- }
-- min_stride = MIN(server_stride, guest_stride);
-+ line_bytes = MIN(server_stride, guest_ll);
-
- for (;;) {
- int x;
-@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
- if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
- continue;
- }
-- if ((x + 1) * cmp_bytes > min_stride) {
-- _cmp_bytes = min_stride - x * cmp_bytes;
-+ if ((x + 1) * cmp_bytes > line_bytes) {
-+ _cmp_bytes = line_bytes - x * cmp_bytes;
- }
-+ assert(_cmp_bytes >= 0);
- if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
- continue;
- }
diff --git a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
deleted file mode 100644
index 9401ea7..0000000
--- a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Aurelien Jarno
-Date: Sun, 13 Sep 2015 23:03:44 +0200
-Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
- vpermxor
-
-For vector instructions, the helpers get pointers to the vector register
-in arguments. Some operands might point to the same register, including
-the operand holding the result.
-
-When emulating instructions which access the vector elements in a
-non-linear way, we need to store the result in an temporary variable.
-
-This fixes openssl when emulating a POWER8 CPU.
-
-Cc: Tom Musta
-Cc: Alexander Graf
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno
----
- target-ppc/int_helper.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
-index 0a55d5e..b122868 100644
---- a/target-ppc/int_helper.c
-+++ b/target-ppc/int_helper.c
-@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
-
- void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u32) {
-- r->AVRW(i) = b->AVRW(i) ^
-+ result.AVRW(i) = b->AVRW(i) ^
- (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
- AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
- AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
- AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
- }
-+ *r = result;
- }
-
- void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u8) {
-- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
-+ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
- }
-+ *r = result;
- }
-
- void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
-@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
-
- void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+ ppc_avr_t result;
- int i;
-
- VECTOR_FOR_INORDER_I(i, u8) {
-- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
-+ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
- }
-+ *r = result;
- }
-
- #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
-@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six)
-
- void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
- {
-+ ppc_avr_t result;
- int i;
-+
- VECTOR_FOR_INORDER_I(i, u8) {
- int indexA = c->u8[i] >> 4;
- int indexB = c->u8[i] & 0xF;
- #if defined(HOST_WORDS_BIGENDIAN)
-- r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
-+ result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
- #else
-- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
-+ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
- #endif
- }
-+ *r = result;
- }
-
- #undef VECTOR_FOR_INORDER_I
diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
new file mode 100644
index 0000000..2d2f370
--- /dev/null
+++ b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
@@ -0,0 +1,49 @@
+From: Aurelien Jarno
+Date: Sun, 13 Sep 2015 23:03:45 +0200
+Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
+
+The xscmpodp and xscmpudp instructions only have the AX, BX bits in
+there encoding, the lowest bit (usually TX) is marked as an invalid
+bit. We therefore can't decode them with GEN_XX2FORM, which decodes
+the two lowest bit.
+
+Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
+the lowest bit as invalid.
+
+Cc: Tom Musta
+Cc: Alexander Graf
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno
+---
+ target-ppc/translate.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/target-ppc/translate.c b/target-ppc/translate.c
+index 84c5cea..c0eed13 100644
+--- a/target-ppc/translate.c
++++ b/target-ppc/translate.c
+@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
+
++#undef GEN_XX2IFORM
++#define GEN_XX2IFORM(name, opc2, opc3, fl2) \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
++
+ #undef GEN_XX3_RC_FORM
+ #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
+@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
+-GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
+-GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
++GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
++GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
+ GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
+ GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
diff --git a/0003-ide-fix-ATAPI-command-permissions.patch b/0003-ide-fix-ATAPI-command-permissions.patch
new file mode 100644
index 0000000..7afc084
--- /dev/null
+++ b/0003-ide-fix-ATAPI-command-permissions.patch
@@ -0,0 +1,141 @@
+From: John Snow
+Date: Thu, 17 Sep 2015 14:17:05 -0400
+Subject: [PATCH] ide: fix ATAPI command permissions
+
+We're a little too lenient with what we'll let an ATAPI drive handle.
+Clamp down on the IDE command execution table to remove CD_OK permissions
+from commands that are not and have never been ATAPI commands.
+
+For ATAPI command validity, please see:
+- ATA4 Section 6.5 ("PACKET Command feature set")
+- ATA8/ACS Section 4.3 ("The PACKET feature set")
+- ACS3 Section 4.3 ("The PACKET feature set")
+
+ACS3 has a historical command validity table in Table B.4
+("Historical Command Assignments") that can be referenced to find when
+a command was introduced, deprecated, obsoleted, etc.
+
+The only reference for ATAPI command validity is by checking that
+version's PACKET feature set section.
+
+ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
+therefore are assumed to have never been ATAPI commands.
+
+Mandatory commands, as listed in ATA8-ACS3, are:
+
+- DEVICE RESET
+- EXECUTE DEVICE DIAGNOSTIC
+- IDENTIFY DEVICE
+- IDENTIFY PACKET DEVICE
+- NOP
+- PACKET
+- READ SECTOR(S)
+- SET FEATURES
+
+Optional commands as listed in ATA8-ACS3, are:
+
+- FLUSH CACHE
+- READ LOG DMA EXT
+- READ LOG EXT
+- WRITE LOG DMA EXT
+- WRITE LOG EXT
+
+All other commands are illegal to send to an ATAPI device and should
+be rejected by the device.
+
+CD_OK removal justifications:
+
+0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
+0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
+0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
+0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
+0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
+0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
+0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
+0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
+0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
+0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
+0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
+
+This patch fixes a divide by zero fault that can be caused by sending
+the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
+attempt to use zeroed CHS values to perform sector arithmetic.
+
+Reported-by: Qinghao Tang
+Signed-off-by: John Snow
+Reviewed-by: Markus Armbruster
+Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
+CC: qemu-stable@nongnu.org
+(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
+---
+ hw/ide/core.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 50449ca..71caea9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1747,11 +1747,11 @@ static const struct {
+ } ide_cmd_table[0x100] = {
+ /* NOP not implemented, mandatory for CD */
+ [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
+- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
+ [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
+ [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
+ [WIN_READ] = { cmd_read_pio, ALL_OK },
+- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
+ [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
+ [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+@@ -1770,12 +1770,12 @@ static const struct {
+ [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
+ [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
+ [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
+- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
+ [WIN_PACKETCMD] = { cmd_packet, CD_OK },
+ [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
+ [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
+@@ -1789,19 +1789,19 @@ static const struct {
+ [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
+ [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
+ [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
+- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
+- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
+- [WIN_STANDBY] = { cmd_nop, ALL_OK },
+- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
+- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
+- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
+ [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
+ [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
+ [WIN_IDENTIFY] = { cmd_identify, ALL_OK },
+ [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
+ [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
+ [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
+- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+ };
+
+ static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
deleted file mode 100644
index 2d2f370..0000000
--- a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Aurelien Jarno
-Date: Sun, 13 Sep 2015 23:03:45 +0200
-Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
-
-The xscmpodp and xscmpudp instructions only have the AX, BX bits in
-there encoding, the lowest bit (usually TX) is marked as an invalid
-bit. We therefore can't decode them with GEN_XX2FORM, which decodes
-the two lowest bit.
-
-Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
-the lowest bit as invalid.
-
-Cc: Tom Musta
-Cc: Alexander Graf
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno
----
- target-ppc/translate.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/target-ppc/translate.c b/target-ppc/translate.c
-index 84c5cea..c0eed13 100644
---- a/target-ppc/translate.c
-+++ b/target-ppc/translate.c
-@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
-
-+#undef GEN_XX2IFORM
-+#define GEN_XX2IFORM(name, opc2, opc3, fl2) \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
-+
- #undef GEN_XX3_RC_FORM
- #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
-@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
- GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
- GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
--GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
--GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
-+GEN_XX2IFORM(xscmpodp, 0x0C, 0x05, PPC2_VSX),
-+GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX),
- GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
- GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
diff --git a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
deleted file mode 100644
index 9e77105..0000000
--- a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: P J P
-Date: Fri, 4 Sep 2015 17:21:06 +0100
-Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
- (CVE-2015-6815)
-
-While processing transmit descriptors, it could lead to an infinite
-loop if 'bytes' was to become zero; Add a check to avoid it.
-
-[The guest can force 'bytes' to 0 by setting the hdr_len and mss
-descriptor fields to 0.
---Stefan]
-
-Signed-off-by: P J P
-Signed-off-by: Stefan Hajnoczi
-Reviewed-by: Thomas Huth
-Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
-(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
----
- hw/net/e1000.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index 5c6bcd0..09c9e9d 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- memmove(tp->data, tp->header, tp->hdr_len);
- tp->size = tp->hdr_len;
- }
-- } while (split_size -= bytes);
-+ split_size -= bytes;
-+ } while (bytes && split_size);
- } else if (!tp->tse && tp->cptse) {
- // context descriptor TSE is not set, while data descriptor TSE is set
- DBGOUT(TXERR, "TCP segmentation error\n");
diff --git a/0004-virtio-introduce-virtqueue_unmap_sg.patch b/0004-virtio-introduce-virtqueue_unmap_sg.patch
new file mode 100644
index 0000000..1481b88
--- /dev/null
+++ b/0004-virtio-introduce-virtqueue_unmap_sg.patch
@@ -0,0 +1,54 @@
+From: Jason Wang
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin
+Cc: Andrew James
+Signed-off-by: Jason Wang
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+
+(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c)
+---
+ hw/virtio/virtio.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 788b556..242aecb 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
+ return vring_avail_idx(vq) == vq->last_avail_idx;
+ }
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+ {
+ unsigned int offset;
+ int i;
+
+- trace_virtqueue_fill(vq, elem, len, idx);
+-
+ offset = 0;
+ for (i = 0; i < elem->in_num; i++) {
+ size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+ cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+ elem->out_sg[i].iov_len,
+ 0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ trace_virtqueue_fill(vq, elem, len, idx);
++
++ virtqueue_unmap_sg(vq, elem, len);
+
+ idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+
diff --git a/0005-ide-fix-ATAPI-command-permissions.patch b/0005-ide-fix-ATAPI-command-permissions.patch
deleted file mode 100644
index 7afc084..0000000
--- a/0005-ide-fix-ATAPI-command-permissions.patch
+++ /dev/null
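Review bot: The new `virtqueue_unmap_sg` in the first inner hunk of hw/virtio/virtio.c takes `vq` but none of its visible lines read it, and its only caller in the hunk, the rebuilt `virtqueue_fill`, merely forwards its own `vq`; unless the part of the body elided between the two inner hunks uses it, the parameter is dead and should be dropped or its purpose noted. The helper also inherits `len` without saying what it bounds; from the visible `MIN(len - offset, elem->in_sg[i].iov_len)` and the out_sg unmap passing `0` for is_write, I would add above the definition: `/* Unmap elem's buffers: in_sg is unmapped as written, len bytes in total; out_sg is unmapped read-only. */`. The helper's body is only partly inside the inner hunks. At series level, this commit also deletes the CVE-2015-5225 (vnc), CVE-2015-6815 (e1000) and CVE-2015-5278 (ne2000) patches while renumbering the rest; that is only safe if the new upstream base already carries those fixes, which this diff cannot show.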
@@ -1,141 +0,0 @@
-From: John Snow
-Date: Thu, 17 Sep 2015 14:17:05 -0400
-Subject: [PATCH] ide: fix ATAPI command permissions
-
-We're a little too lenient with what we'll let an ATAPI drive handle.
-Clamp down on the IDE command execution table to remove CD_OK permissions
-from commands that are not and have never been ATAPI commands.
-
-For ATAPI command validity, please see:
-- ATA4 Section 6.5 ("PACKET Command feature set")
-- ATA8/ACS Section 4.3 ("The PACKET feature set")
-- ACS3 Section 4.3 ("The PACKET feature set")
-
-ACS3 has a historical command validity table in Table B.4
-("Historical Command Assignments") that can be referenced to find when
-a command was introduced, deprecated, obsoleted, etc.
-
-The only reference for ATAPI command validity is by checking that
-version's PACKET feature set section.
-
-ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
-therefore are assumed to have never been ATAPI commands.
-
-Mandatory commands, as listed in ATA8-ACS3, are:
-
-- DEVICE RESET
-- EXECUTE DEVICE DIAGNOSTIC
-- IDENTIFY DEVICE
-- IDENTIFY PACKET DEVICE
-- NOP
-- PACKET
-- READ SECTOR(S)
-- SET FEATURES
-
-Optional commands as listed in ATA8-ACS3, are:
-
-- FLUSH CACHE
-- READ LOG DMA EXT
-- READ LOG EXT
-- WRITE LOG DMA EXT
-- WRITE LOG EXT
-
-All other commands are illegal to send to an ATAPI device and should
-be rejected by the device.
-
-CD_OK removal justifications:
-
-0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
-0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
-0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
-0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
-0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
-0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
-0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
-0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
-0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
-0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
-0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
-0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
-
-This patch fixes a divide by zero fault that can be caused by sending
-the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
-attempt to use zeroed CHS values to perform sector arithmetic.
-
-Reported-by: Qinghao Tang
-Signed-off-by: John Snow
-Reviewed-by: Markus Armbruster
-Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
-CC: qemu-stable@nongnu.org
-(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
----
- hw/ide/core.c | 30 +++++++++++++++---------------
- 1 file changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 50449ca..71caea9 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -1747,11 +1747,11 @@ static const struct {
- } ide_cmd_table[0x100] = {
- /* NOP not implemented, mandatory for CD */
- [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
-- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
-+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
- [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
- [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
- [WIN_READ] = { cmd_read_pio, ALL_OK },
-- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
-+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
- [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
- [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
- [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
-@@ -1770,12 +1770,12 @@ static const struct {
- [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
- [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
- [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
-- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
-- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
-- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
-- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
-- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
-- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
-+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
-+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
-+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
- [WIN_PACKETCMD] = { cmd_packet, CD_OK },
- [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
- [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
-@@ -1789,19 +1789,19 @@ static const struct {
- [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
- [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
- [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
-- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
-- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
-- [WIN_STANDBY] = { cmd_nop, ALL_OK },
-- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
-- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
-- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
-+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
-+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
-+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
-+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
-+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
-+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
- [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
- [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
- [WIN_IDENTIFY] = { cmd_identify, ALL_OK },
- [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
- [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
- [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
-- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
-+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
- };
-
- static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/0005-virtio-introduce-virtqueue_discard.patch b/0005-virtio-introduce-virtqueue_discard.patch
new file mode 100644
index 0000000..817665a
--- /dev/null
+++ b/0005-virtio-introduce-virtqueue_discard.patch
@@ -0,0 +1,50 @@ +From: Jason Wang +Date: Fri, 25 Sep 2015 13:21:29 +0800 +Subject: [PATCH] virtio: introduce virtqueue_discard() + +This patch introduces virtqueue_discard() to discard a descriptor and +unmap the sgs. This will be used by the patch that will discard +descriptor when packet is truncated. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade) +--- + hw/virtio/virtio.c | 7 +++++++ + include/hw/virtio/virtio.h | 2 ++ + 2 files changed, 9 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 242aecb..b1f4e16 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, + 0, elem->out_sg[i].iov_len); + } + ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len) ++{ ++ vq->last_avail_idx--; ++ virtqueue_unmap_sg(vq, elem, len); ++} ++ + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx) + { +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index cccae89..8023bde 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n); + void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len); + void virtqueue_flush(VirtQueue *vq, unsigned int count); ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len); + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx); + diff --git a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch deleted file mode 100644 index c1f70ca..0000000 
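Review bot: virtqueue_discard() rewinds `vq->last_avail_idx` unconditionally, so it is only correct for the element most recently returned by virtqueue_pop(), and only if that element has not already been handed to virtqueue_fill()/virtqueue_push(); neither the function body nor the new prototype in virtio.h states that precondition. A caller that discards any other element, or discards the same one twice, silently desynchronises last_avail_idx from the guest's avail ring, so the next pop re-reads or skips a descriptor with no error reported. I would put the contract on the declaration: `/* Give back the most recently popped elem: rewinds last_avail_idx and unmaps its sgs. elem must not have been filled/pushed. */`.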
--- a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: P J P -Date: Tue, 15 Sep 2015 16:46:59 +0530 -Subject: [PATCH] net: avoid infinite loop when receiving - packets(CVE-2015-5278) - -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) -bytes to process network packets. While receiving packets -via ne2000_receive() routine, a local 'index' variable -could exceed the ring buffer size, leading to an infinite -loop situation. - -Reported-by: Qinghao Tang -Signed-off-by: P J P -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943) ---- - hw/net/ne2000.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 3492db3..44a4264 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - if (index <= s->stop) - avail = s->stop - index; - else -- avail = 0; -+ break; - len = size; - if (len > avail) - len = avail; diff --git a/0006-virtio-net-correctly-drop-truncated-packets.patch b/0006-virtio-net-correctly-drop-truncated-packets.patch new file mode 100644 index 0000000..eb21dbb --- /dev/null +++ b/0006-virtio-net-correctly-drop-truncated-packets.patch 
@@ -0,0 +1,43 @@ +From: Jason Wang +Date: Fri, 25 Sep 2015 13:21:30 +0800 +Subject: [PATCH] virtio-net: correctly drop truncated packets + +When packet is truncated during receiving, we drop the packets but +neither discard the descriptor nor add and signal used +descriptor. This will lead several issues: + +- sg mappings are leaked +- rx will be stalled if a lots of packets were truncated + +In order to be consistent with vhost, fix by discarding the descriptor +in this case. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3) +--- + hw/net/virtio-net.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 1510839..775389b 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf, size_t + * must have consumed the complete packet. + * Otherwise, drop it. */ + if (!n->mergeable_rx_bufs && offset < size) { +-#if 0 +- error_report("virtio-net truncated non-mergeable packet: " +- "i %zd mergeable %d offset %zd, size %zd, " +- "guest hdr len %zd, host hdr len %zd", +- i, n->mergeable_rx_bufs, +- offset, size, n->guest_hdr_len, n->host_hdr_len); +-#endif ++ virtqueue_discard(q->rx_vq, &elem, total); + return size; + } + diff --git a/0007-mirror-Fix-coroutine-reentrance.patch b/0007-mirror-Fix-coroutine-reentrance.patch new file mode 100644 index 0000000..9faced1 --- /dev/null +++ b/0007-mirror-Fix-coroutine-reentrance.patch 
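Review bot: The comment directly above the new virtqueue_discard() call still ends with `Otherwise, drop it.` and no longer says what dropping now means — the descriptor is handed back to the avail ring (last_avail_idx rewound) and its sg mappings released, without ever being added to the used ring. I would extend it to `* Otherwise drop it: hand the descriptor back to the avail ring and unmap its sgs without marking it used. */`. The discard is only sound because elem is the element just popped with nothing popped after it; that virtqueue_pop() and the rest of virtio_net_receive() lie outside the hunk, so it could not be confirmed here. Note the branch still returns size, so the net layer sees the truncated packet as consumed rather than queued.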
@@ -0,0 +1,117 @@ +From: Kevin Wolf +Date: Thu, 13 Aug 2015 10:41:50 +0200 +Subject: [PATCH] mirror: Fix coroutine reentrance + +This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero +write on target if sectors not allocated"), which was reported to cause +aborts with the message "Co-routine re-entered recursively". + +The cause for this bug is the following code in mirror_iteration_done(): + + if (s->common.busy) { + qemu_coroutine_enter(s->common.co, NULL); + } + +This has always been ugly because - unlike most places that reenter - it +doesn't have a specific yield that it pairs with, but is more +uncontrolled. What we really mean here is "reenter the coroutine if +it's in one of the four explicit yields in mirror.c". + +This used to be equivalent with s->common.busy because neither +mirror_run() nor mirror_iteration() call any function that could yield. +However since commit dcfb3beb this doesn't hold true any more: +bdrv_get_block_status_above() can yield. + +So what happens is that bdrv_get_block_status_above() wants to take a +lock that is already held, so it adds itself to the queue of waiting +coroutines and yields. Instead of being woken up by the unlock function, +however, it gets woken up by mirror_iteration_done(), which is obviously +wrong. + +In most cases the code actually happens to cope fairly well with such +cases, but in this specific case, the unlock must already have scheduled +the coroutine for wakeup when mirror_iteration_done() reentered it. And +then the coroutine happened to process the scheduled restarts and tried +to reenter itself recursively. + +This patch fixes the problem by pairing the reenter in +mirror_iteration_done() with specific yields instead of abusing +s->common.busy. 
+ +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Paolo Bonzini +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Jeff Cody +Message-id: 1439455310-11263-1-git-send-email-kwolf@redhat.com +Signed-off-by: Jeff Cody +(cherry picked from commit e424aff5f307227b1c2512bbb8ece891bb895cef) +--- + block/mirror.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/block/mirror.c b/block/mirror.c +index fc4d8f5..b2fb4b9 100644 +--- a/block/mirror.c ++++ b/block/mirror.c +@@ -60,6 +60,7 @@ typedef struct MirrorBlockJob { + int sectors_in_flight; + int ret; + bool unmap; ++ bool waiting_for_io; + } MirrorBlockJob; + + typedef struct MirrorOp { +@@ -114,11 +115,7 @@ static void mirror_iteration_done(MirrorOp *op, int ret) + qemu_iovec_destroy(&op->qiov); + g_slice_free(MirrorOp, op); + +- /* Enter coroutine when it is not sleeping. The coroutine sleeps to +- * rate-limit itself. The coroutine will eventually resume since there is +- * a sleep timeout so don't wake it early. +- */ +- if (s->common.busy) { ++ if (s->waiting_for_io) { + qemu_coroutine_enter(s->common.co, NULL); + } + } +@@ -203,7 +200,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s) + /* Wait for I/O to this cluster (from a previous iteration) to be done. 
*/ + while (test_bit(next_chunk, s->in_flight_bitmap)) { + trace_mirror_yield_in_flight(s, sector_num, s->in_flight); ++ s->waiting_for_io = true; + qemu_coroutine_yield(); ++ s->waiting_for_io = false; + } + + do { +@@ -239,7 +238,9 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s) + */ + while (nb_chunks == 0 && s->buf_free_count < added_chunks) { + trace_mirror_yield_buf_busy(s, nb_chunks, s->in_flight); ++ s->waiting_for_io = true; + qemu_coroutine_yield(); ++ s->waiting_for_io = false; + } + if (s->buf_free_count < nb_chunks + added_chunks) { + trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight); +@@ -333,7 +334,9 @@ static void mirror_free_init(MirrorBlockJob *s) + static void mirror_drain(MirrorBlockJob *s) + { + while (s->in_flight > 0) { ++ s->waiting_for_io = true; + qemu_coroutine_yield(); ++ s->waiting_for_io = false; + } + } + +@@ -506,7 +509,9 @@ static void coroutine_fn mirror_run(void *opaque) + if (s->in_flight == MAX_IN_FLIGHT || s->buf_free_count == 0 || + (cnt == 0 && s->in_flight > 0)) { + trace_mirror_yield(s, s->in_flight, s->buf_free_count, cnt); ++ s->waiting_for_io = true; + qemu_coroutine_yield(); ++ s->waiting_for_io = false; + continue; + } else if (cnt != 0) { + delay_ns = mirror_iteration(s); diff --git a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch deleted file mode 100644 index d197a7e..0000000 --- a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch +++ /dev/null 
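Review bot: The `s->waiting_for_io = true; qemu_coroutine_yield(); s->waiting_for_io = false;` triple is now copied by hand in four places (mirror_iteration twice, mirror_drain, mirror_run), and the bug this fixes is precisely an unpaired reentry, so a fifth yield added later without the flag reintroduces it silently. A small helper makes the pairing the only way to yield for I/O and gives one place to document why mirror_iteration_done() may enter the coroutine. mirror_drain() also yields but is not annotated coroutine_fn in the visible lines; worth checking while touching it. The enclosing functions start and end outside the hunk.
```c
/* Yield until mirror_iteration_done() wakes us. The flag is what lets it
 * distinguish our yield from one owned by someone else (e.g. a lock queue
 * inside bdrv_get_block_status_above()). */
static void coroutine_fn mirror_wait_for_io(MirrorBlockJob *s)
{
    s->waiting_for_io = true;
    qemu_coroutine_yield();
    s->waiting_for_io = false;
}

/* … unchanged: mirror_iteration_done, mirror_iteration, mirror_drain, mirror_run … */
        mirror_wait_for_io(s);   /* at each former set/yield/clear site */
```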
@@ -1,67 +0,0 @@ -From: P J P -Date: Tue, 15 Sep 2015 16:40:49 +0530 -Subject: [PATCH] net: add checks to validate ring buffer - pointers(CVE-2015-5279) - -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) -bytes to process network packets. While receiving packets -via ne2000_receive() routine, a local 'index' variable -could exceed the ring buffer size, which could lead to a -memory buffer overflow. Added other checks at initialisation. - -Reported-by: Qinghao Tang -Signed-off-by: P J P -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4) ---- - hw/net/ne2000.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 44a4264..2bdb4c9 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - } - - index = s->curpag << 8; -+ if (index >= NE2000_PMEM_END) { -+ index = s->start; -+ } - /* 4 bytes for header */ - total_len = size + 4; - /* address for next packet (4 bytes for CRC) */ -@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) - offset = addr | (page << 4); - switch(offset) { - case EN0_STARTPG: -- s->start = val << 8; -+ if (val << 8 <= NE2000_PMEM_END) { -+ s->start = val << 8; -+ } - break; - case EN0_STOPPG: -- s->stop = val << 8; -+ if (val << 8 <= NE2000_PMEM_END) { -+ s->stop = val << 8; -+ } - break; - case EN0_BOUNDARY: -- s->boundary = val; -+ if (val << 8 < NE2000_PMEM_END) { -+ s->boundary = val; -+ } - break; - case EN0_IMR: - s->imr = val; -@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) - s->phys[offset - EN1_PHYS] = val; - break; - case EN1_CURPAG: -- s->curpag = val; -+ if (val << 8 < NE2000_PMEM_END) { -+ s->curpag = val; -+ } - break; - case EN1_MULT ... EN1_MULT + 7: - s->mult[offset - EN1_MULT] = val; 
diff --git a/qemu.spec b/qemu.spec
index fc125d2..90c635b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -39,8 +39,8 @@ Summary: QEMU is a FAST! processor emulator
Name: qemu
-Version: 2.4.0
-Release: 4%{?dist}
+Version: 2.4.0.1
+Release: 1%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -68,22 +68,18 @@ Source12: bridge.conf
# qemu-kvm back compat wrapper
Source13: qemu-kvm.sh
-# CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
-# (bz #1255899)
-Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
# Fix emulation of various instructions, required by libm in F22 ppc64
# guests.
-Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
-Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
-# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
-Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+Patch0001: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+Patch0002: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
-Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch
-# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
-Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
-# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
-# #1263287)
-Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
+Patch0003: 0003-ide-fix-ATAPI-command-permissions.patch
+# CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
+Patch0004: 0004-virtio-introduce-virtqueue_unmap_sg.patch
+Patch0005: 0005-virtio-introduce-virtqueue_discard.patch
+Patch0006: 0006-virtio-net-correctly-drop-truncated-packets.patch
+# drive-mirror: Fix coroutine reentrance (bz #1266936)
+Patch0007: 0007-mirror-Fix-coroutine-reentrance.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
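Review bot: The patch-list hunk drops the backports for CVE-2015-5225 (vnc), CVE-2015-6815 (e1000) and CVE-2015-5278/CVE-2015-5279 (ne2000) without anything in the spec recording why; presumably the 2.4.0.1 tarball this rebase moves to already carries them, but a packager or auditor reading the spec later only sees four CVE patches vanish. I would keep a one-line pointer above the remaining Patch entries, e.g. `# CVE-2015-5225, CVE-2015-6815, CVE-2015-5278, CVE-2015-5279: fixed upstream in 2.4.0.1, backports dropped`, and verify each against the 2.4.0.1 release notes before merging. The changelog entry in the following hunk says only "Rebased to version 2.4.0.1", so it does not cover this either.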
@@ -1216,6 +1212,11 @@ getent passwd qemu >/dev/null || \ %changelog +* Thu Oct 08 2015 Cole Robinson - 2:2.4.0.1-1 +- Rebased to version 2.4.0.1 +- CVE-2015-7295: virtio-net possible remote DoS (bz #1264393) +- drive-mirror: Fix coroutine reentrance (bz #1266936) + * Mon Sep 21 2015 Cole Robinson - 2:2.4.0-4 - CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) - CVE-2015-6855: ide: divide by zero issue (bz #1261793) diff --git a/sources b/sources index ecf5405..d4f0f63 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -186ee8194140a484a455f8e3c74589f4 qemu-2.4.0.tar.bz2 +c99445164e77184a9ba2e7dbf7ed5c29 qemu-2.4.0.1.tar.bz2