diff --git a/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch index 91d711e..f3ab197 100644 --- a/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch +++ b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch @@ -1,18 +1,15 @@ -From c8c95fc7f40ace3e7125bcd2cbec1a7c39627503 Mon Sep 17 00:00:00 2001 -From: Miroslav Rezanina -Date: Tue, 14 Apr 2020 07:08:25 +0200 -Subject: [PATCH 1/2] gluster: Handle changed glfs_ftruncate signature +From b5c74112b314c185335de246c465d14ef68509a3 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Sun, 16 Feb 2020 16:02:24 +0100 +Subject: [PATCH 4/6] gluster: Handle changed glfs_ftruncate signature -RH-Author: Miroslav Rezanina -Message-id: <251e640171ad2596aa802518bbb936478c34c39c.1586442545.git.mrezanin@redhat.com> -Patchwork-id: 94621 -O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] gluster: Handle changed glfs_ftruncate signature -Bugzilla: 1822235 -RH-Acked-by: John Snow -RH-Acked-by: Stefano Garzarella +Message-id: <20200216160225.22498-2-mlevitsk@redhat.com> +Patchwork-id: 93881 +O-Subject: [RHEL-7.9 qemu-kvm PATCH 1/2] gluster: Handle changed glfs_ftruncate signature +Bugzilla: 1802215 +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Max Reitz - -From: Miroslav Rezanina +RH-Acked-by: Stefano Garzarella From: Prasanna Kumar Kalever @@ -28,6 +25,7 @@ Signed-off-by: Kevin Wolf (cherry picked from commit e014dbe74e0484188164c61ff6843f8a04a8cb9d) Signed-off-by: Maxim Levitsky +RHEL: fixed conflicts Signed-off-by: Miroslav Rezanina --- block/gluster.c | 5 +++++ diff --git a/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch index 67399c8..8b3b12c 100644 --- a/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +++ b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch @@ -1,19 +1,16 @@ -From 0ac5c46ee89604090f766124d67b6530433140fd Mon Sep 17 00:00:00 2001 -From: Miroslav Rezanina -Date: Tue, 14 Apr 2020 07:08:27 +0200 -Subject: [PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds +From b9bf902e0a6739ba5db697fbd9b8f063dd130618 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Sun, 16 Feb 2020 16:02:25 +0100 +Subject: [PATCH 5/6] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args -RH-Author: Miroslav Rezanina -Message-id: <5ef3ecfcbfd79eda54fef2609efd3c7cb5710630.1586442545.git.mrezanin@redhat.com> -Patchwork-id: 94623 -O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args -Bugzilla: 1822235 -RH-Acked-by: John Snow -RH-Acked-by: Stefano Garzarella +Message-id: <20200216160225.22498-3-mlevitsk@redhat.com> +Patchwork-id: 93880 +O-Subject: [RHEL-7.9 qemu-kvm PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args +Bugzilla: 1802215 +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Max Reitz - -From: Miroslav Rezanina +RH-Acked-by: Stefano Garzarella From: Niels de Vos diff --git a/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch new file mode 100644 index 0000000..ab471c9 --- /dev/null +++ b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch @@ -0,0 +1,72 @@ +From d01fad2a8757f4e3b449a888b93a0ba9fda54daa Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Thu, 5 Mar 2020 13:49:51 +0100 +Subject: [PATCH 6/6] seccomp: set the seccomp filter to all threads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200305134951.23851-1-otubo@redhat.com> +Patchwork-id: 94161 +O-Subject: [RHEL-7.9 qemu-kvm PATCH] seccomp: set the seccomp filter to all threads +Bugzilla: 1618503 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Mohammed Gamal + +commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114 +Author: Marc-André Lureau +Date: Wed Aug 22 19:02:50 2018 +0200 + + When using "-seccomp on", the seccomp policy is only applied to the + main thread, the vcpu worker thread and other worker threads created + after seccomp policy is applied; the seccomp policy is not applied to + e.g. the RCU thread because it is created before the seccomp policy is + applied and SECCOMP_FILTER_FLAG_TSYNC isn't used. + + This can be verified with + for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done + Seccomp: 2 + Seccomp: 0 + Seccomp: 0 + Seccomp: 2 + Seccomp: 2 + Seccomp: 2 + + Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use + seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy + on all threads. + + libseccomp requirement was bumped to 2.2.0 in previous patch. + libseccomp should fail to set the filter if it can't honour + SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on + kernel < 3.17. + + Signed-off-by: Marc-André Lureau + Acked-by: Eduardo Otubo + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + qemu-seccomp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/qemu-seccomp.c b/qemu-seccomp.c +index e947909..828083b 100644 +--- a/qemu-seccomp.c ++++ b/qemu-seccomp.c +@@ -264,6 +264,11 @@ int seccomp_start(void) + goto seccomp_return; + } + ++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); ++ if (rc != 0) { ++ goto seccomp_return; ++ } ++ + for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) { + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0); + if (rc < 0) { +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-disable-tcp_emu.patch b/SOURCES/kvm-slirp-disable-tcp_emu.patch new file mode 100644 index 0000000..55d44d5 --- /dev/null +++ b/SOURCES/kvm-slirp-disable-tcp_emu.patch @@ -0,0 +1,69 @@ +From d4913063320e52d9c3716732d8c6b7396a2288b5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 28 Jan 2020 13:32:53 +0100 +Subject: [PATCH 3/6] slirp: disable tcp_emu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200128133253.794107-2-marcandre.lureau@redhat.com> +Patchwork-id: 93569 +O-Subject: [RHEL-8.2.0 qemu-kvm + RHEL-7.7 qemu-kvm + RHEL-6.11 qemu-kvm PATCH 1/1] slirp: disable tcp_emu() +Bugzilla: 1791679 +RH-Acked-by: Danilo de Paula +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Stefan Hajnoczi + +Since libslirp 4.1, tcp_emu() is disabled by default because it is +known to cause several CVEs and is not useful today in most +cases. Qemu upstream doesn't have an option to enable it back at this +point, it's not clear if we ever want to expose that option anyway. + +See also upstream commit 07c2a44b67e ("emu: disable by default") + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1791677 +Signed-off-by: Marc-André Lureau +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 4 ++-- + slirp/udp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 8dae0cc..0ca7f02 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -516,7 +516,7 @@ tcp_tos(struct socket *so) + while(tcptos[i].tos) { + if ((tcptos[i].fport && (ntohs(so->so_fport) == tcptos[i].fport)) || + (tcptos[i].lport && (ntohs(so->so_lport) == tcptos[i].lport))) { +- so->so_emu = tcptos[i].emu; ++ so->so_emu = 0; /* disabled */ + return tcptos[i].tos; + } + i++; +@@ -526,7 +526,7 @@ tcp_tos(struct socket *so) + for (emup = tcpemu; emup; emup = emup->next) { + if ((emup->fport && (ntohs(so->so_fport) == emup->fport)) || + (emup->lport && (ntohs(so->so_lport) == emup->lport))) { +- so->so_emu = emup->emu; ++ so->so_emu = 0; /* disabled */ + return emup->tos; + } + } +diff --git a/slirp/udp.c b/slirp/udp.c +index 2188176..ee92790 100644 +--- a/slirp/udp.c ++++ b/slirp/udp.c +@@ -339,7 +339,7 @@ udp_tos(struct socket *so) + while(udptos[i].tos) { + if ((udptos[i].fport && ntohs(so->so_fport) == udptos[i].fport) || + (udptos[i].lport && ntohs(so->so_lport) == udptos[i].lport)) { +- so->so_emu = udptos[i].emu; ++ so->so_emu = 0; /* disabled */ + return udptos[i].tos; + } + i++; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch deleted file mode 100644 index 42c2abf..0000000 --- a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 901de585a893830992a137f6e191434b2f533428 Mon Sep 17 00:00:00 2001 -From: jmaloy -Date: Thu, 13 Feb 2020 21:08:18 +0100 -Subject: [PATCH 2/2] tcp_emu: fix unsafe snprintf() usages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Message-id: <20200213210818.9090-3-jmaloy@redhat.com> -Patchwork-id: 93832 -O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] tcp_emu: fix unsafe snprintf() usages -Bugzilla: 1798970 -RH-Acked-by: Philippe Mathieu-Daudé -RH-Acked-by: Eduardo Habkost -RH-Acked-by: Stefan Hajnoczi - -From: Marc-André Lureau - -Various calls to snprintf() assume that snprintf() returns "only" the -number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Before patch ce131029, if there isn't enough room in "m_data" for the -"DCC ..." message, we overflow "m_data". - -After the patch, if there isn't enough room for the same, we don't -overflow "m_data", but we set "m_len" out-of-bounds. The next time an -access is bounded by "m_len", we'll have a buffer overflow then. - -Use slirp_fmt*() to fix potential OOB memory access. - -Reported-by: Laszlo Ersek -Signed-off-by: Marc-André Lureau -Reviewed-by: Samuel Thibault -Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> -(cherry picked from commit 68ccb8021a838066f0951d4b2817eb6b6f10a843) - -Manually re-adapted since the cherry-pick didn't apply cleanly. - -Signed-off-by: Jon Maloy -Signed-off-by: Miroslav Rezanina ---- - slirp/tcp_subr.c | 44 +++++++++++++++++++++----------------------- - 1 file changed, 21 insertions(+), 23 deletions(-) - -diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c -index e83575e..8dae0cc 100644 ---- a/slirp/tcp_subr.c -+++ b/slirp/tcp_subr.c -@@ -610,8 +610,7 @@ tcp_emu(struct socket *so, struct mbuf *m) - NTOHS(n1); - NTOHS(n2); - m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); -- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); -- assert(m->m_len < M_ROOM(m)); -+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); - } else { - *eol = '\r'; - } -@@ -651,9 +650,9 @@ tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "ORT %d,%d,%d,%d,%d,%d\r\n%s", -- n1, n2, n3, n4, n5, n6, x==7?buff:""); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { - /* -@@ -684,10 +683,9 @@ tcp_emu(struct socket *so, struct mbuf *m) - n4 = (laddr & 0xff); - - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -- n1, n2, n3, n4, n5, n6, x==7?buff:""); -- -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", -+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); - return 1; - } - -@@ -710,8 +708,8 @@ tcp_emu(struct socket *so, struct mbuf *m) - if (m->m_data[m->m_len-1] == '\0' && lport != 0 && - (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, - htons(lport), SS_FACCEPTONCE)) != NULL) -- m->m_len = snprintf(m->m_data, M_ROOM(m), -- "%d", ntohs(so->so_fport)) + 1; -+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), -+ "%d", ntohs(so->so_fport)); - return 1; - - case EMU_IRC: -@@ -731,10 +729,10 @@ tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC CHAT chat %lu %u%c\n", -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC CHAT chat %lu %u%c\n", -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), 1); - } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, - htonl(laddr), htons(lport), -@@ -742,10 +740,10 @@ tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC SEND %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC SEND %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { - if ((so = tcp_listen(slirp, INADDR_ANY, 0, - htonl(laddr), htons(lport), -@@ -753,10 +751,10 @@ tcp_emu(struct socket *so, struct mbuf *m) - return 1; - } - m->m_len = bptr - m->m_data; /* Adjust length */ -- m->m_len += snprintf(bptr, M_FREEROOM(m), -- "DCC MOVE %s %lu %u %u%c\n", buff, -- (unsigned long)ntohl(so->so_faddr.s_addr), -- ntohs(so->so_fport), n1, 1); -+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), -+ "DCC MOVE %s %lu %u %u%c\n", buff, -+ (unsigned long)ntohl(so->so_faddr.s_addr), -+ ntohs(so->so_fport), n1, 1); - } - return 1; - --- -1.8.3.1 - diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch new file mode 100644 index 0000000..5bcfa9c --- /dev/null +++ b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch @@ -0,0 +1,150 @@ +From 7617de175ec7d3004aa276ffca3f41d721bc4ae5 Mon Sep 17 00:00:00 2001 +From: jmaloy +Date: Thu, 13 Feb 2020 21:08:18 +0100 +Subject: [PATCH 2/6] tcp_emu: fix unsafe snprintf() usages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200213210818.9090-3-jmaloy@redhat.com> +Patchwork-id: 93832 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] tcp_emu: fix unsafe snprintf() usages +Bugzilla: 1800515 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Stefan Hajnoczi + +From: Marc-André Lureau + +Various calls to snprintf() assume that snprintf() returns "only" the +number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Before patch ce131029, if there isn't enough room in "m_data" for the +"DCC ..." message, we overflow "m_data". + +After the patch, if there isn't enough room for the same, we don't +overflow "m_data", but we set "m_len" out-of-bounds. The next time an +access is bounded by "m_len", we'll have a buffer overflow then. + +Use slirp_fmt*() to fix potential OOB memory access. + +Reported-by: Laszlo Ersek +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> +(cherry picked from commit 68ccb8021a838066f0951d4b2817eb6b6f10a843) + +Manually re-adapted since the cherry-pick didn't apply cleanly. + +Signed-off-by: Jon Maloy +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index e83575e..8dae0cc 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -610,8 +610,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + NTOHS(n1); + NTOHS(n2); + m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); +- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); +- assert(m->m_len < M_ROOM(m)); ++ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); + } else { + *eol = '\r'; + } +@@ -651,9 +650,9 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "ORT %d,%d,%d,%d,%d,%d\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "ORT %d,%d,%d,%d,%d,%d\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { + /* +@@ -684,10 +683,9 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); +- ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } + +@@ -710,8 +708,8 @@ tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, M_ROOM(m), +- "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)); + return 1; + + case EMU_IRC: +@@ -731,10 +729,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC CHAT chat %lu %u%c\n", +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -742,10 +740,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC SEND %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -753,10 +751,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC MOVE %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } + return 1; + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers.patch deleted file mode 100644 index e888d28..0000000 --- a/SOURCES/kvm-util-add-slirp_fmt-helpers.patch +++ /dev/null @@ -1,140 +0,0 @@ -From a90900d27423b09f268774dd664fb161a44c1c24 Mon Sep 17 00:00:00 2001 -From: jmaloy -Date: Thu, 13 Feb 2020 21:08:17 +0100 -Subject: [PATCH 1/2] util: add slirp_fmt() helpers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Message-id: <20200213210818.9090-2-jmaloy@redhat.com> -Patchwork-id: 93831 -O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] util: add slirp_fmt() helpers -Bugzilla: 1798970 -RH-Acked-by: Maxim Levitsky -RH-Acked-by: Eduardo Habkost -RH-Acked-by: Stefan Hajnoczi - -From: Marc-André Lureau - -Various calls to snprintf() in libslirp assume that snprintf() returns -"only" the number of bytes written (excluding terminating NUL). - -https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 - -"Upon successful completion, the snprintf() function shall return the -number of bytes that would be written to s had n been sufficiently -large excluding the terminating null byte." - -Introduce slirp_fmt() that handles several pathological cases the -way libslirp usually expect: - -- treat error as fatal (instead of silently returning -1) - -- fmt0() will always \0 end - -- return the number of bytes actually written (instead of what would - have been written, which would usually result in OOB later), including - the ending \0 for fmt0() - -- warn if truncation happened (instead of ignoring) - - Other less common cases can still be handled with strcpy/snprintf() etc. - -Signed-off-by: Marc-André Lureau -Reviewed-by: Samuel Thibault -Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> - -Manually re-adapted from 30648c03b27fb8d9611b723184216cd3174b6775 -since cerry-pick cannot be used here. There is no util.c file in this -code version, so we add the two new functions as static functions in -the file where they are going to be used. - -Signed-off-by: Jon Maloy -Signed-off-by: Miroslav Rezanina ---- - slirp/tcp_subr.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 65 insertions(+) - -diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c -index 19e2245..e83575e 100644 ---- a/slirp/tcp_subr.c -+++ b/slirp/tcp_subr.c -@@ -44,6 +44,9 @@ - /* Don't do rfc1323 performance enhancements */ - #define TCP_DO_RFC1323 0 - -+static int slirp_fmt(char *str, size_t size, const char *format, ...); -+static int slirp_fmt0(char *str, size_t size, const char *format, ...); -+ - /* - * Tcp initialization - */ -@@ -935,3 +938,65 @@ int tcp_ctl(struct socket *so) - sb->sb_wptr += sb->sb_cc; - return 0; - } -+ -+static int slirp_vsnprintf(char *str, size_t size, -+ const char *format, va_list args) -+{ -+ int rv = vsnprintf(str, size, format, args); -+ -+ if (rv < 0) { -+ g_error("vsnprintf() failed: %s", g_strerror(errno)); -+ } -+ -+ return rv; -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - returns the number of bytes written (excluding optional \0-ending) -+ * - dies on error -+ * - warn on truncation -+ */ -+static int slirp_fmt(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv > size) { -+ g_critical("vsnprintf() truncation"); -+ } -+ -+ return MIN(rv, size); -+} -+ -+/* -+ * A snprintf()-like function that: -+ * - always \0-end (unless size == 0) -+ * - returns the number of bytes actually written, including \0 ending -+ * - dies on error -+ * - warn on truncation -+ */ -+static int slirp_fmt0(char *str, size_t size, const char *format, ...) -+{ -+ va_list args; -+ int rv; -+ -+ va_start(args, format); -+ rv = slirp_vsnprintf(str, size, format, args); -+ va_end(args); -+ -+ if (rv >= size) { -+ g_critical("vsnprintf() truncation"); -+ if (size > 0) -+ str[size - 1] = '\0'; -+ rv = size; -+ } else { -+ rv += 1; /* include \0 */ -+ } -+ -+ return rv; -+} --- -1.8.3.1 - diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch new file mode 100644 index 0000000..763eb2a --- /dev/null +++ b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch @@ -0,0 +1,140 @@ +From cf712371da839a8655506aacc2908f7ffc3988ab Mon Sep 17 00:00:00 2001 +From: jmaloy +Date: Thu, 13 Feb 2020 21:08:17 +0100 +Subject: [PATCH 1/6] util: add slirp_fmt() helpers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200213210818.9090-2-jmaloy@redhat.com> +Patchwork-id: 93831 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] util: add slirp_fmt() helpers +Bugzilla: 1800515 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Stefan Hajnoczi + +From: Marc-André Lureau + +Various calls to snprintf() in libslirp assume that snprintf() returns +"only" the number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Introduce slirp_fmt() that handles several pathological cases the +way libslirp usually expect: + +- treat error as fatal (instead of silently returning -1) + +- fmt0() will always \0 end + +- return the number of bytes actually written (instead of what would + have been written, which would usually result in OOB later), including + the ending \0 for fmt0() + +- warn if truncation happened (instead of ignoring) + + Other less common cases can still be handled with strcpy/snprintf() etc. + +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> + +Manually re-adapted from 30648c03b27fb8d9611b723184216cd3174b6775 +since cerry-pick cannot be used here. There is no util.c file in this +code version, so we add the two new functions as static functions in +the file where they are going to be used. + +Signed-off-by: Jon Maloy +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 19e2245..e83575e 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -44,6 +44,9 @@ + /* Don't do rfc1323 performance enhancements */ + #define TCP_DO_RFC1323 0 + ++static int slirp_fmt(char *str, size_t size, const char *format, ...); ++static int slirp_fmt0(char *str, size_t size, const char *format, ...); ++ + /* + * Tcp initialization + */ +@@ -935,3 +938,65 @@ int tcp_ctl(struct socket *so) + sb->sb_wptr += sb->sb_cc; + return 0; + } ++ ++static int slirp_vsnprintf(char *str, size_t size, ++ const char *format, va_list args) ++{ ++ int rv = vsnprintf(str, size, format, args); ++ ++ if (rv < 0) { ++ g_error("vsnprintf() failed: %s", g_strerror(errno)); ++ } ++ ++ return rv; ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - returns the number of bytes written (excluding optional \0-ending) ++ * - dies on error ++ * - warn on truncation ++ */ ++static int slirp_fmt(char *str, size_t size, const char *format, ...) ++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv > size) { ++ g_critical("vsnprintf() truncation"); ++ } ++ ++ return MIN(rv, size); ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - always \0-end (unless size == 0) ++ * - returns the number of bytes actually written, including \0 ending ++ * - dies on error ++ * - warn on truncation ++ */ ++static int slirp_fmt0(char *str, size_t size, const char *format, ...) ++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv >= size) { ++ g_critical("vsnprintf() truncation"); ++ if (size > 0) ++ str[size - 1] = '\0'; ++ rv = size; ++ } else { ++ rv += 1; /* include \0 */ ++ } ++ ++ return rv; ++} +-- +1.8.3.1 + diff --git a/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch b/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch new file mode 100644 index 0000000..bd7820d --- /dev/null +++ b/SOURCES/kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch @@ -0,0 +1,1008 @@ +From 87a76b97164685ea1e1aaab6a35bfbaf18c60366 Mon Sep 17 00:00:00 2001 +From: jmaloy +Date: Mon, 25 May 2020 21:20:00 -0400 +Subject: [PATCH] vnc: fix memory leak when vnc disconnect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: jmaloy +Message-id: <20200525212000.355756-2-jmaloy@redhat.com> +Patchwork-id: 96752 +O-Subject: [RHEL-7.9 qemu-kvm PATCH v2 1/1] vnc: fix memory leak when vnc disconnect +Bugzilla: 1810408 +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Daniel P. Berrange +RH-Acked-by: Philippe Mathieu-Daudé + +From: Li Qiang + +Currently when qemu receives a vnc connect, it creates a 'VncState' to +represent this connection. In 'vnc_worker_thread_loop' it creates a +local 'VncState'. The connection 'VcnState' and local 'VncState' exchange +data in 'vnc_async_encoding_start' and 'vnc_async_encoding_end'. +In 'zrle_compress_data' it calls 'deflateInit2' to allocate the libz library +opaque data. The 'VncState' used in 'zrle_compress_data' is the local +'VncState'. In 'vnc_zrle_clear' it calls 'deflateEnd' to free the libz +library opaque data. The 'VncState' used in 'vnc_zrle_clear' is the connection +'VncState'. In currently implementation there will be a memory leak when the +vnc disconnect. Following is the asan output backtrack: + +Direct leak of 29760 byte(s) in 5 object(s) allocated from: + 0 0xffffa67ef3c3 in __interceptor_calloc (/lib64/libasan.so.4+0xd33c3) + 1 0xffffa65071cb in g_malloc0 (/lib64/libglib-2.0.so.0+0x571cb) + 2 0xffffa5e968f7 in deflateInit2_ (/lib64/libz.so.1+0x78f7) + 3 0xaaaacec58613 in zrle_compress_data ui/vnc-enc-zrle.c:87 + 4 0xaaaacec58613 in zrle_send_framebuffer_update ui/vnc-enc-zrle.c:344 + 5 0xaaaacec34e77 in vnc_send_framebuffer_update ui/vnc.c:919 + 6 0xaaaacec5e023 in vnc_worker_thread_loop ui/vnc-jobs.c:271 + 7 0xaaaacec5e5e7 in vnc_worker_thread ui/vnc-jobs.c:340 + 8 0xaaaacee4d3c3 in qemu_thread_start util/qemu-thread-posix.c:502 + 9 0xffffa544e8bb in start_thread (/lib64/libpthread.so.0+0x78bb) + 10 0xffffa53965cb in thread_start (/lib64/libc.so.6+0xd55cb) + +This is because the opaque allocated in 'deflateInit2' is not freed in +'deflateEnd'. The reason is that the 'deflateEnd' calls 'deflateStateCheck' +and in the latter will check whether 's->strm != strm'(libz's data structure). +This check will be true so in 'deflateEnd' it just return 'Z_STREAM_ERROR' and +not free the data allocated in 'deflateInit2'. + +The reason this happens is that the 'VncState' contains the whole 'VncZrle', +so when calling 'deflateInit2', the 's->strm' will be the local address. +So 's->strm != strm' will be true. + +To fix this issue, we need to make 'zrle' of 'VncState' to be a pointer. +Then the connection 'VncState' and local 'VncState' exchange mechanism will +work as expection. The 'tight' of 'VncState' has the same issue, let's also turn +it to a pointer. + +Reported-by: Ying Fang +Signed-off-by: Li Qiang +Message-id: 20190831153922.121308-1-liq3ea@163.com +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit 6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0) +Manually re-adapted, since there has been a huge number of conflicting +commits applied upsteam since this code version. The re-adapted commit +was still very similar to the upstream one in the end. + +Signed-off-by: Jon Maloy +Signed-off-by: Jon Maloy +--- + ui/vnc-enc-tight.c | 219 +++++++++++++++++++------------------ + ui/vnc-enc-zlib.c | 11 +- + ui/vnc-enc-zrle-template.c | 2 +- + ui/vnc-enc-zrle.c | 68 ++++++------ + ui/vnc.c | 12 +- + ui/vnc.h | 4 +- + 6 files changed, 162 insertions(+), 154 deletions(-) + +diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c +index e6966aebc3..f01375d5ef 100644 +--- a/ui/vnc-enc-tight.c ++++ b/ui/vnc-enc-tight.c +@@ -119,7 +119,7 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, + + static bool tight_can_send_png_rect(VncState *vs, int w, int h) + { +- if (vs->tight.type != VNC_ENCODING_TIGHT_PNG) { ++ if (vs->tight->type != VNC_ENCODING_TIGHT_PNG) { + return false; + } + +@@ -147,7 +147,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h) + int pixels = 0; + int pix, left[3]; + unsigned int errors; +- unsigned char *buf = vs->tight.tight.buffer; ++ unsigned char *buf = vs->tight->tight.buffer; + + /* + * If client is big-endian, color samples begin from the second +@@ -214,7 +214,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h) + int pixels = 0; \ + int sample, sum, left[3]; \ + unsigned int errors; \ +- unsigned char *buf = vs->tight.tight.buffer; \ ++ unsigned char *buf = vs->tight->tight.buffer; \ + \ + endian = 0; /* FIXME: ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) != \ + (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG)); */ \ +@@ -294,8 +294,8 @@ static int + tight_detect_smooth_image(VncState *vs, int w, int h) + { + unsigned int errors; +- int compression = vs->tight.compression; +- int quality = vs->tight.quality; ++ int compression = vs->tight->compression; ++ int quality = vs->tight->quality; + + if (!vs->vd->lossy) { + return 0; +@@ -307,7 +307,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h) + return 0; + } + +- if (vs->tight.quality != (uint8_t)-1) { ++ if (vs->tight->quality != (uint8_t)-1) { + if (w * h < VNC_TIGHT_JPEG_MIN_RECT_SIZE) { + return 0; + } +@@ -318,9 +318,9 @@ tight_detect_smooth_image(VncState *vs, int w, int h) + } + + if (vs->client_pf.bytes_per_pixel == 4) { +- if (vs->tight.pixel24) { ++ if (vs->tight->pixel24) { + errors = tight_detect_smooth_image24(vs, w, h); +- if (vs->tight.quality != (uint8_t)-1) { ++ if (vs->tight->quality != (uint8_t)-1) { + return (errors < tight_conf[quality].jpeg_threshold24); + } + return (errors < tight_conf[compression].gradient_threshold24); +@@ -350,7 +350,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h) + uint##bpp##_t c0, c1, ci; \ + int i, n0, n1; \ + \ +- data = (uint##bpp##_t *)vs->tight.tight.buffer; \ ++ data = (uint##bpp##_t *)vs->tight->tight.buffer; \ + \ + c0 = data[0]; \ + i = 1; \ +@@ -421,9 +421,9 @@ static int tight_fill_palette(VncState *vs, int x, int y, + { + int max; + +- max = count / tight_conf[vs->tight.compression].idx_max_colors_divisor; ++ max = count / tight_conf[vs->tight->compression].idx_max_colors_divisor; + if (max < 2 && +- count >= tight_conf[vs->tight.compression].mono_min_rect_size) { ++ count >= tight_conf[vs->tight->compression].mono_min_rect_size) { + max = 2; + } + if (max >= 256) { +@@ -555,7 +555,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) + int x, y, c; + + buf32 = (uint32_t *)buf; +- memset(vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); ++ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); + + if (1 /* FIXME: (vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) == + (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) */) { +@@ -573,7 +573,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) + upper[c] = 0; + here[c] = 0; + } +- prev = (int *)vs->tight.gradient.buffer; ++ prev = (int *)vs->tight->gradient.buffer; + for (x = 0; x < w; x++) { + pix32 = *buf32++; + for (c = 0; c < 3; c++) { +@@ -613,7 +613,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) + int prediction; \ + int x, y, c; \ + \ +- memset (vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); \ ++ memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); \ + \ + endian = 0; /* FIXME: ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) != \ + (vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG)); */ \ +@@ -630,7 +630,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) + upper[c] = 0; \ + here[c] = 0; \ + } \ +- prev = (int *)vs->tight.gradient.buffer; \ ++ prev = (int *)vs->tight->gradient.buffer; \ + for (x = 0; x < w; x++) { \ + pix = *buf; \ + if (endian) { \ +@@ -786,7 +786,7 @@ static void extend_solid_area(VncState *vs, int x, int y, int w, int h, + static int tight_init_stream(VncState *vs, int stream_id, + int level, int strategy) + { +- z_streamp zstream = &vs->tight.stream[stream_id]; ++ z_streamp zstream = &vs->tight->stream[stream_id]; + + if (zstream->opaque == NULL) { + int err; +@@ -804,15 +804,15 @@ static int tight_init_stream(VncState *vs, int stream_id, + return -1; + } + +- vs->tight.levels[stream_id] = level; ++ vs->tight->levels[stream_id] = level; + zstream->opaque = vs; + } + +- if (vs->tight.levels[stream_id] != level) { ++ if (vs->tight->levels[stream_id] != level) { + if (deflateParams(zstream, level, strategy) != Z_OK) { + return -1; + } +- vs->tight.levels[stream_id] = level; ++ vs->tight->levels[stream_id] = level; + } + return 0; + } +@@ -840,11 +840,11 @@ static void tight_send_compact_size(VncState *vs, size_t len) + static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, + int level, int strategy) + { +- z_streamp zstream = &vs->tight.stream[stream_id]; ++ z_streamp zstream = &vs->tight->stream[stream_id]; + int previous_out; + + if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) { +- vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset); ++ vnc_write(vs, vs->tight->tight.buffer, vs->tight->tight.offset); + return bytes; + } + +@@ -853,13 +853,13 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, + } + + /* reserve memory in output buffer */ +- buffer_reserve(&vs->tight.zlib, bytes + 64); ++ buffer_reserve(&vs->tight->zlib, bytes + 64); + + /* set pointers */ +- zstream->next_in = vs->tight.tight.buffer; +- zstream->avail_in = vs->tight.tight.offset; +- zstream->next_out = vs->tight.zlib.buffer + vs->tight.zlib.offset; +- zstream->avail_out = vs->tight.zlib.capacity - vs->tight.zlib.offset; ++ zstream->next_in = vs->tight->tight.buffer; ++ zstream->avail_in = vs->tight->tight.offset; ++ zstream->next_out = vs->tight->zlib.buffer + vs->tight->zlib.offset; ++ zstream->avail_out = vs->tight->zlib.capacity - vs->tight->zlib.offset; + previous_out = zstream->avail_out; + zstream->data_type = Z_BINARY; + +@@ -869,14 +869,14 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, + return -1; + } + +- vs->tight.zlib.offset = vs->tight.zlib.capacity - zstream->avail_out; ++ vs->tight->zlib.offset = vs->tight->zlib.capacity - zstream->avail_out; + /* ...how much data has actually been produced by deflate() */ + bytes = previous_out - zstream->avail_out; + + tight_send_compact_size(vs, bytes); +- vnc_write(vs, vs->tight.zlib.buffer, bytes); ++ vnc_write(vs, vs->tight->zlib.buffer, bytes); + +- buffer_reset(&vs->tight.zlib); ++ buffer_reset(&vs->tight->zlib); + + return bytes; + } +@@ -928,16 +928,17 @@ static int send_full_color_rect(VncState *vs, int x, int y, int w, int h) + + vnc_write_u8(vs, stream << 4); /* no flushing, no filter */ + +- if (vs->tight.pixel24) { +- tight_pack24(vs, vs->tight.tight.buffer, w * h, &vs->tight.tight.offset); ++ if (vs->tight->pixel24) { ++ tight_pack24(vs, vs->tight->tight.buffer, w * h, ++ &vs->tight->tight.offset); + bytes = 3; + } else { + bytes = vs->client_pf.bytes_per_pixel; + } + + bytes = tight_compress_data(vs, stream, w * h * bytes, +- tight_conf[vs->tight.compression].raw_zlib_level, +- Z_DEFAULT_STRATEGY); ++ tight_conf[vs->tight->compression].raw_zlib_level, ++ Z_DEFAULT_STRATEGY); + + return (bytes >= 0); + } +@@ -948,14 +949,14 @@ static int send_solid_rect(VncState *vs) + + vnc_write_u8(vs, VNC_TIGHT_FILL << 4); /* no flushing, no filter */ + +- if (vs->tight.pixel24) { +- tight_pack24(vs, vs->tight.tight.buffer, 1, &vs->tight.tight.offset); ++ if (vs->tight->pixel24) { ++ tight_pack24(vs, vs->tight->tight.buffer, 1, &vs->tight->tight.offset); + bytes = 3; + } else { + bytes = vs->client_pf.bytes_per_pixel; + } + +- vnc_write(vs, vs->tight.tight.buffer, bytes); ++ vnc_write(vs, vs->tight->tight.buffer, bytes); + return 1; + } + +@@ -964,7 +965,7 @@ static int send_mono_rect(VncState *vs, int x, int y, + { + ssize_t bytes; + int stream = 1; +- int level = tight_conf[vs->tight.compression].mono_zlib_level; ++ int level = tight_conf[vs->tight->compression].mono_zlib_level; + + #ifdef CONFIG_VNC_PNG + if (tight_can_send_png_rect(vs, w, h)) { +@@ -992,26 +993,26 @@ static int send_mono_rect(VncState *vs, int x, int y, + uint32_t buf[2] = {bg, fg}; + size_t ret = sizeof (buf); + +- if (vs->tight.pixel24) { ++ if (vs->tight->pixel24) { + tight_pack24(vs, (unsigned char*)buf, 2, &ret); + } + vnc_write(vs, buf, ret); + +- tight_encode_mono_rect32(vs->tight.tight.buffer, w, h, bg, fg); ++ tight_encode_mono_rect32(vs->tight->tight.buffer, w, h, bg, fg); + break; + } + case 2: + vnc_write(vs, &bg, 2); + vnc_write(vs, &fg, 2); +- tight_encode_mono_rect16(vs->tight.tight.buffer, w, h, bg, fg); ++ tight_encode_mono_rect16(vs->tight->tight.buffer, w, h, bg, fg); + break; + default: + vnc_write_u8(vs, bg); + vnc_write_u8(vs, fg); +- tight_encode_mono_rect8(vs->tight.tight.buffer, w, h, bg, fg); ++ tight_encode_mono_rect8(vs->tight->tight.buffer, w, h, bg, fg); + break; + } +- vs->tight.tight.offset = bytes; ++ vs->tight->tight.offset = bytes; + + bytes = tight_compress_data(vs, stream, bytes, level, Z_DEFAULT_STRATEGY); + return (bytes >= 0); +@@ -1041,7 +1042,7 @@ static void write_palette(int idx, uint32_t color, void *opaque) + static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h) + { + int stream = 3; +- int level = tight_conf[vs->tight.compression].gradient_zlib_level; ++ int level = tight_conf[vs->tight->compression].gradient_zlib_level; + ssize_t bytes; + + if (vs->client_pf.bytes_per_pixel == 1) { +@@ -1051,23 +1052,23 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h) + vnc_write_u8(vs, (stream | VNC_TIGHT_EXPLICIT_FILTER) << 4); + vnc_write_u8(vs, VNC_TIGHT_FILTER_GRADIENT); + +- buffer_reserve(&vs->tight.gradient, w * 3 * sizeof (int)); ++ buffer_reserve(&vs->tight->gradient, w * 3 * sizeof(int)); + +- if (vs->tight.pixel24) { +- tight_filter_gradient24(vs, vs->tight.tight.buffer, w, h); ++ if (vs->tight->pixel24) { ++ tight_filter_gradient24(vs, vs->tight->tight.buffer, w, h); + bytes = 3; + } else if (vs->client_pf.bytes_per_pixel == 4) { +- tight_filter_gradient32(vs, (uint32_t *)vs->tight.tight.buffer, w, h); ++ tight_filter_gradient32(vs, (uint32_t *)vs->tight->tight.buffer, w, h); + bytes = 4; + } else { +- tight_filter_gradient16(vs, (uint16_t *)vs->tight.tight.buffer, w, h); ++ tight_filter_gradient16(vs, (uint16_t *)vs->tight->tight.buffer, w, h); + bytes = 2; + } + +- buffer_reset(&vs->tight.gradient); ++ buffer_reset(&vs->tight->gradient); + + bytes = w * h * bytes; +- vs->tight.tight.offset = bytes; ++ vs->tight->tight.offset = bytes; + + bytes = tight_compress_data(vs, stream, bytes, + level, Z_FILTERED); +@@ -1078,7 +1079,7 @@ static int send_palette_rect(VncState *vs, int x, int y, + int w, int h, VncPalette *palette) + { + int stream = 2; +- int level = tight_conf[vs->tight.compression].idx_zlib_level; ++ int level = tight_conf[vs->tight->compression].idx_zlib_level; + int colors; + ssize_t bytes; + +@@ -1105,12 +1106,12 @@ static int send_palette_rect(VncState *vs, int x, int y, + palette_iter(palette, write_palette, &priv); + vnc_write(vs, header, sizeof(header)); + +- if (vs->tight.pixel24) { ++ if (vs->tight->pixel24) { + tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset); + vs->output.offset = old_offset + offset; + } + +- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette); ++ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, palette); + break; + } + case 2: +@@ -1120,7 +1121,7 @@ static int send_palette_rect(VncState *vs, int x, int y, + + palette_iter(palette, write_palette, &priv); + vnc_write(vs, header, sizeof(header)); +- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette); ++ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette); + break; + } + default: +@@ -1128,7 +1129,7 @@ static int send_palette_rect(VncState *vs, int x, int y, + break; + } + bytes = w * h; +- vs->tight.tight.offset = bytes; ++ vs->tight->tight.offset = bytes; + + bytes = tight_compress_data(vs, stream, bytes, + level, Z_DEFAULT_STRATEGY); +@@ -1147,7 +1148,7 @@ static int send_palette_rect(VncState *vs, int x, int y, + static void jpeg_init_destination(j_compress_ptr cinfo) + { + VncState *vs = cinfo->client_data; +- Buffer *buffer = &vs->tight.jpeg; ++ Buffer *buffer = &vs->tight->jpeg; + + cinfo->dest->next_output_byte = (JOCTET *)buffer->buffer + buffer->offset; + cinfo->dest->free_in_buffer = (size_t)(buffer->capacity - buffer->offset); +@@ -1157,7 +1158,7 @@ static void jpeg_init_destination(j_compress_ptr cinfo) + static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo) + { + VncState *vs = cinfo->client_data; +- Buffer *buffer = &vs->tight.jpeg; ++ Buffer *buffer = &vs->tight->jpeg; + + buffer->offset = buffer->capacity; + buffer_reserve(buffer, 2048); +@@ -1169,7 +1170,7 @@ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo) + static void jpeg_term_destination(j_compress_ptr cinfo) + { + VncState *vs = cinfo->client_data; +- Buffer *buffer = &vs->tight.jpeg; ++ Buffer *buffer = &vs->tight->jpeg; + + buffer->offset = buffer->capacity - cinfo->dest->free_in_buffer; + } +@@ -1188,7 +1189,7 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality) + return send_full_color_rect(vs, x, y, w, h); + } + +- buffer_reserve(&vs->tight.jpeg, 2048); ++ buffer_reserve(&vs->tight->jpeg, 2048); + + cinfo.err = jpeg_std_error(&jerr); + jpeg_create_compress(&cinfo); +@@ -1223,9 +1224,9 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality) + + vnc_write_u8(vs, VNC_TIGHT_JPEG << 4); + +- tight_send_compact_size(vs, vs->tight.jpeg.offset); +- vnc_write(vs, vs->tight.jpeg.buffer, vs->tight.jpeg.offset); +- buffer_reset(&vs->tight.jpeg); ++ tight_send_compact_size(vs, vs->tight->jpeg.offset); ++ vnc_write(vs, vs->tight->jpeg.buffer, vs->tight->jpeg.offset); ++ buffer_reset(&vs->tight->jpeg); + + return 1; + } +@@ -1241,7 +1242,7 @@ static void write_png_palette(int idx, uint32_t pix, void *opaque) + VncState *vs = priv->vs; + png_colorp color = &priv->png_palette[idx]; + +- if (vs->tight.pixel24) ++ if (vs->tight->pixel24) + { + color->red = (pix >> vs->client_pf.rshift) & vs->client_pf.rmax; + color->green = (pix >> vs->client_pf.gshift) & vs->client_pf.gmax; +@@ -1268,10 +1269,10 @@ static void png_write_data(png_structp png_ptr, png_bytep data, + { + VncState *vs = png_get_io_ptr(png_ptr); + +- buffer_reserve(&vs->tight.png, vs->tight.png.offset + length); +- memcpy(vs->tight.png.buffer + vs->tight.png.offset, data, length); ++ buffer_reserve(&vs->tight->png, vs->tight->png.offset + length); ++ memcpy(vs->tight->png.buffer + vs->tight->png.offset, data, length); + +- vs->tight.png.offset += length; ++ vs->tight->png.offset += length; + } + + static void png_flush_data(png_structp png_ptr) +@@ -1296,8 +1297,8 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, + png_infop info_ptr; + png_colorp png_palette = NULL; + pixman_image_t *linebuf; +- int level = tight_png_conf[vs->tight.compression].png_zlib_level; +- int filters = tight_png_conf[vs->tight.compression].png_filters; ++ int level = tight_png_conf[vs->tight->compression].png_zlib_level; ++ int filters = tight_png_conf[vs->tight->compression].png_filters; + uint8_t *buf; + int dy; + +@@ -1341,21 +1342,23 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, + png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette)); + + if (vs->client_pf.bytes_per_pixel == 4) { +- tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette); ++ tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, ++ palette); + } else { +- tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette); ++ tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, ++ palette); + } + } + + png_write_info(png_ptr, info_ptr); + +- buffer_reserve(&vs->tight.png, 2048); ++ buffer_reserve(&vs->tight->png, 2048); + linebuf = qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, w); + buf = (uint8_t *)pixman_image_get_data(linebuf); + for (dy = 0; dy < h; dy++) + { + if (color_type == PNG_COLOR_TYPE_PALETTE) { +- memcpy(buf, vs->tight.tight.buffer + (dy * w), w); ++ memcpy(buf, vs->tight->tight.buffer + (dy * w), w); + } else { + qemu_pixman_linebuf_fill(linebuf, vs->vd->server, w, x, y + dy); + } +@@ -1373,27 +1376,27 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, + + vnc_write_u8(vs, VNC_TIGHT_PNG << 4); + +- tight_send_compact_size(vs, vs->tight.png.offset); +- vnc_write(vs, vs->tight.png.buffer, vs->tight.png.offset); +- buffer_reset(&vs->tight.png); ++ tight_send_compact_size(vs, vs->tight->png.offset); ++ vnc_write(vs, vs->tight->png.buffer, vs->tight->png.offset); ++ buffer_reset(&vs->tight->png); + return 1; + } + #endif /* CONFIG_VNC_PNG */ + + static void vnc_tight_start(VncState *vs) + { +- buffer_reset(&vs->tight.tight); ++ buffer_reset(&vs->tight->tight); + + // make the output buffer be the zlib buffer, so we can compress it later +- vs->tight.tmp = vs->output; +- vs->output = vs->tight.tight; ++ vs->tight->tmp = vs->output; ++ vs->output = vs->tight->tight; + } + + static void vnc_tight_stop(VncState *vs) + { + // switch back to normal output/zlib buffers +- vs->tight.tight = vs->output; +- vs->output = vs->tight.tmp; ++ vs->tight->tight = vs->output; ++ vs->output = vs->tight->tmp; + } + + static int send_sub_rect_nojpeg(VncState *vs, int x, int y, int w, int h, +@@ -1427,9 +1430,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h, + int ret; + + if (colors == 0) { +- if (force || (tight_jpeg_conf[vs->tight.quality].jpeg_full && ++ if (force || (tight_jpeg_conf[vs->tight->quality].jpeg_full && + tight_detect_smooth_image(vs, w, h))) { +- int quality = tight_conf[vs->tight.quality].jpeg_quality; ++ int quality = tight_conf[vs->tight->quality].jpeg_quality; + + ret = send_jpeg_rect(vs, x, y, w, h, quality); + } else { +@@ -1441,9 +1444,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h, + ret = send_mono_rect(vs, x, y, w, h, bg, fg); + } else if (colors <= 256) { + if (force || (colors > 96 && +- tight_jpeg_conf[vs->tight.quality].jpeg_idx && ++ tight_jpeg_conf[vs->tight->quality].jpeg_idx && + tight_detect_smooth_image(vs, w, h))) { +- int quality = tight_conf[vs->tight.quality].jpeg_quality; ++ int quality = tight_conf[vs->tight->quality].jpeg_quality; + + ret = send_jpeg_rect(vs, x, y, w, h, quality); + } else { +@@ -1467,20 +1470,20 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) + bool allow_jpeg = true; + #endif + +- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type); ++ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type); + + vnc_tight_start(vs); + vnc_raw_send_framebuffer_update(vs, x, y, w, h); + vnc_tight_stop(vs); + + #ifdef CONFIG_VNC_JPEG +- if (!vs->vd->non_adaptive && vs->tight.quality != (uint8_t)-1) { ++ if (!vs->vd->non_adaptive && vs->tight->quality != (uint8_t)-1) { + double freq = vnc_update_freq(vs, x, y, w, h); + +- if (freq < tight_jpeg_conf[vs->tight.quality].jpeg_freq_min) { ++ if (freq < tight_jpeg_conf[vs->tight->quality].jpeg_freq_min) { + allow_jpeg = false; + } +- if (freq >= tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) { ++ if (freq >= tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) { + force_jpeg = true; + vnc_sent_lossy_rect(vs, x, y, w, h); + } +@@ -1490,7 +1493,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) + colors = tight_fill_palette(vs, x, y, w * h, &fg, &bg, &palette); + + #ifdef CONFIG_VNC_JPEG +- if (allow_jpeg && vs->tight.quality != (uint8_t)-1) { ++ if (allow_jpeg && vs->tight->quality != (uint8_t)-1) { + ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, palette, + force_jpeg); + } else { +@@ -1506,7 +1509,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) + + static int send_sub_rect_solid(VncState *vs, int x, int y, int w, int h) + { +- vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type); ++ vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type); + + vnc_tight_start(vs); + vnc_raw_send_framebuffer_update(vs, x, y, w, h); +@@ -1524,8 +1527,8 @@ static int send_rect_simple(VncState *vs, int x, int y, int w, int h, + int rw, rh; + int n = 0; + +- max_size = tight_conf[vs->tight.compression].max_rect_size; +- max_width = tight_conf[vs->tight.compression].max_rect_width; ++ max_size = tight_conf[vs->tight->compression].max_rect_size; ++ max_width = tight_conf[vs->tight->compression].max_rect_width; + + if (split && (w > max_width || w * h > max_size)) { + max_sub_width = (w > max_width) ? max_width : w; +@@ -1634,16 +1637,16 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, + + if (vs->client_pf.bytes_per_pixel == 4 && vs->client_pf.rmax == 0xFF && + vs->client_pf.bmax == 0xFF && vs->client_pf.gmax == 0xFF) { +- vs->tight.pixel24 = true; ++ vs->tight->pixel24 = true; + } else { +- vs->tight.pixel24 = false; ++ vs->tight->pixel24 = false; + } + + #ifdef CONFIG_VNC_JPEG +- if (vs->tight.quality != (uint8_t)-1) { ++ if (vs->tight->quality != (uint8_t)-1) { + double freq = vnc_update_freq(vs, x, y, w, h); + +- if (freq > tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) { ++ if (freq > tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) { + return send_rect_simple(vs, x, y, w, h, false); + } + } +@@ -1655,8 +1658,8 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, + + /* Calculate maximum number of rows in one non-solid rectangle. */ + +- max_rows = tight_conf[vs->tight.compression].max_rect_size; +- max_rows /= MIN(tight_conf[vs->tight.compression].max_rect_width, w); ++ max_rows = tight_conf[vs->tight->compression].max_rect_size; ++ max_rows /= MIN(tight_conf[vs->tight->compression].max_rect_width, w); + + return find_large_solid_color_rect(vs, x, y, w, h, max_rows); + } +@@ -1664,33 +1667,33 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, + int vnc_tight_send_framebuffer_update(VncState *vs, int x, int y, + int w, int h) + { +- vs->tight.type = VNC_ENCODING_TIGHT; ++ vs->tight->type = VNC_ENCODING_TIGHT; + return tight_send_framebuffer_update(vs, x, y, w, h); + } + + int vnc_tight_png_send_framebuffer_update(VncState *vs, int x, int y, + int w, int h) + { +- vs->tight.type = VNC_ENCODING_TIGHT_PNG; ++ vs->tight->type = VNC_ENCODING_TIGHT_PNG; + return tight_send_framebuffer_update(vs, x, y, w, h); + } + + void vnc_tight_clear(VncState *vs) + { + int i; +- for (i=0; itight.stream); i++) { +- if (vs->tight.stream[i].opaque) { +- deflateEnd(&vs->tight.stream[i]); ++ for (i = 0; i < ARRAY_SIZE(vs->tight->stream); i++) { ++ if (vs->tight->stream[i].opaque) { ++ deflateEnd(&vs->tight->stream[i]); + } + } + +- buffer_free(&vs->tight.tight); +- buffer_free(&vs->tight.zlib); +- buffer_free(&vs->tight.gradient); ++ buffer_free(&vs->tight->tight); ++ buffer_free(&vs->tight->zlib); ++ buffer_free(&vs->tight->gradient); + #ifdef CONFIG_VNC_JPEG +- buffer_free(&vs->tight.jpeg); ++ buffer_free(&vs->tight->jpeg); + #endif + #ifdef CONFIG_VNC_PNG +- buffer_free(&vs->tight.png); ++ buffer_free(&vs->tight->png); + #endif + } +diff --git a/ui/vnc-enc-zlib.c b/ui/vnc-enc-zlib.c +index d1b97f2516..5c31fe5771 100644 +--- a/ui/vnc-enc-zlib.c ++++ b/ui/vnc-enc-zlib.c +@@ -75,7 +75,8 @@ static int vnc_zlib_stop(VncState *vs) + zstream->zalloc = vnc_zlib_zalloc; + zstream->zfree = vnc_zlib_zfree; + +- err = deflateInit2(zstream, vs->tight.compression, Z_DEFLATED, MAX_WBITS, ++ err = deflateInit2(zstream, vs->tight->compression, Z_DEFLATED, ++ MAX_WBITS, + MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY); + + if (err != Z_OK) { +@@ -83,16 +84,16 @@ static int vnc_zlib_stop(VncState *vs) + return -1; + } + +- vs->zlib.level = vs->tight.compression; ++ vs->zlib.level = vs->tight->compression; + zstream->opaque = vs; + } + +- if (vs->tight.compression != vs->zlib.level) { +- if (deflateParams(zstream, vs->tight.compression, ++ if (vs->tight->compression != vs->zlib.level) { ++ if (deflateParams(zstream, vs->tight->compression, + Z_DEFAULT_STRATEGY) != Z_OK) { + return -1; + } +- vs->zlib.level = vs->tight.compression; ++ vs->zlib.level = vs->tight->compression; + } + + // reserve memory in output buffer +diff --git a/ui/vnc-enc-zrle-template.c b/ui/vnc-enc-zrle-template.c +index 70ae624ee9..6687f8cb0e 100644 +--- a/ui/vnc-enc-zrle-template.c ++++ b/ui/vnc-enc-zrle-template.c +@@ -96,7 +96,7 @@ static void ZRLE_ENCODE(VncState *vs, int x, int y, int w, int h, + static void ZRLE_ENCODE_TILE(VncState *vs, ZRLE_PIXEL *data, int w, int h, + int zywrle_level) + { +- VncPalette *palette = &vs->zrle.palette; ++ VncPalette *palette = &vs->zrle->palette; + + int runs = 0; + int single_pixels = 0; +diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c +index ed3b48465d..c85758fe2e 100644 +--- a/ui/vnc-enc-zrle.c ++++ b/ui/vnc-enc-zrle.c +@@ -36,18 +36,18 @@ static const int bits_per_packed_pixel[] = { + + static void vnc_zrle_start(VncState *vs) + { +- buffer_reset(&vs->zrle.zrle); ++ buffer_reset(&vs->zrle->zrle); + + /* make the output buffer be the zlib buffer, so we can compress it later */ +- vs->zrle.tmp = vs->output; +- vs->output = vs->zrle.zrle; ++ vs->zrle->tmp = vs->output; ++ vs->output = vs->zrle->zrle; + } + + static void vnc_zrle_stop(VncState *vs) + { + /* switch back to normal output/zlib buffers */ +- vs->zrle.zrle = vs->output; +- vs->output = vs->zrle.tmp; ++ vs->zrle->zrle = vs->output; ++ vs->output = vs->zrle->tmp; + } + + static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h, +@@ -55,24 +55,24 @@ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h, + { + Buffer tmp; + +- buffer_reset(&vs->zrle.fb); +- buffer_reserve(&vs->zrle.fb, w * h * bpp + bpp); ++ buffer_reset(&vs->zrle->fb); ++ buffer_reserve(&vs->zrle->fb, w * h * bpp + bpp); + + tmp = vs->output; +- vs->output = vs->zrle.fb; ++ vs->output = vs->zrle->fb; + + vnc_raw_send_framebuffer_update(vs, x, y, w, h); + +- vs->zrle.fb = vs->output; ++ vs->zrle->fb = vs->output; + vs->output = tmp; +- return vs->zrle.fb.buffer; ++ return vs->zrle->fb.buffer; + } + + static int zrle_compress_data(VncState *vs, int level) + { +- z_streamp zstream = &vs->zrle.stream; ++ z_streamp zstream = &vs->zrle->stream; + +- buffer_reset(&vs->zrle.zlib); ++ buffer_reset(&vs->zrle->zlib); + + if (zstream->opaque != vs) { + int err; +@@ -92,13 +92,13 @@ static int zrle_compress_data(VncState *vs, int level) + } + + /* reserve memory in output buffer */ +- buffer_reserve(&vs->zrle.zlib, vs->zrle.zrle.offset + 64); ++ buffer_reserve(&vs->zrle->zlib, vs->zrle->zrle.offset + 64); + + /* set pointers */ +- zstream->next_in = vs->zrle.zrle.buffer; +- zstream->avail_in = vs->zrle.zrle.offset; +- zstream->next_out = vs->zrle.zlib.buffer + vs->zrle.zlib.offset; +- zstream->avail_out = vs->zrle.zlib.capacity - vs->zrle.zlib.offset; ++ zstream->next_in = vs->zrle->zrle.buffer; ++ zstream->avail_in = vs->zrle->zrle.offset; ++ zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset; ++ zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset; + zstream->data_type = Z_BINARY; + + /* start encoding */ +@@ -107,8 +107,8 @@ static int zrle_compress_data(VncState *vs, int level) + return -1; + } + +- vs->zrle.zlib.offset = vs->zrle.zlib.capacity - zstream->avail_out; +- return vs->zrle.zlib.offset; ++ vs->zrle->zlib.offset = vs->zrle->zlib.capacity - zstream->avail_out; ++ return vs->zrle->zlib.offset; + } + + /* Try to work out whether to use RLE and/or a palette. We do this by +@@ -259,14 +259,14 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y, + size_t bytes; + int zywrle_level; + +- if (vs->zrle.type == VNC_ENCODING_ZYWRLE) { +- if (!vs->vd->lossy || vs->tight.quality == (uint8_t)-1 +- || vs->tight.quality == 9) { ++ if (vs->zrle->type == VNC_ENCODING_ZYWRLE) { ++ if (!vs->vd->lossy || vs->tight->quality == (uint8_t)-1 ++ || vs->tight->quality == 9) { + zywrle_level = 0; +- vs->zrle.type = VNC_ENCODING_ZRLE; +- } else if (vs->tight.quality < 3) { ++ vs->zrle->type = VNC_ENCODING_ZRLE; ++ } else if (vs->tight->quality < 3) { + zywrle_level = 3; +- } else if (vs->tight.quality < 6) { ++ } else if (vs->tight->quality < 6) { + zywrle_level = 2; + } else { + zywrle_level = 1; +@@ -337,30 +337,30 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y, + + vnc_zrle_stop(vs); + bytes = zrle_compress_data(vs, Z_DEFAULT_COMPRESSION); +- vnc_framebuffer_update(vs, x, y, w, h, vs->zrle.type); ++ vnc_framebuffer_update(vs, x, y, w, h, vs->zrle->type); + vnc_write_u32(vs, bytes); +- vnc_write(vs, vs->zrle.zlib.buffer, vs->zrle.zlib.offset); ++ vnc_write(vs, vs->zrle->zlib.buffer, vs->zrle->zlib.offset); + return 1; + } + + int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + { +- vs->zrle.type = VNC_ENCODING_ZRLE; ++ vs->zrle->type = VNC_ENCODING_ZRLE; + return zrle_send_framebuffer_update(vs, x, y, w, h); + } + + int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + { +- vs->zrle.type = VNC_ENCODING_ZYWRLE; ++ vs->zrle->type = VNC_ENCODING_ZYWRLE; + return zrle_send_framebuffer_update(vs, x, y, w, h); + } + + void vnc_zrle_clear(VncState *vs) + { +- if (vs->zrle.stream.opaque) { +- deflateEnd(&vs->zrle.stream); ++ if (vs->zrle->stream.opaque) { ++ deflateEnd(&vs->zrle->stream); + } +- buffer_free(&vs->zrle.zrle); +- buffer_free(&vs->zrle.fb); +- buffer_free(&vs->zrle.zlib); ++ buffer_free(&vs->zrle->zrle); ++ buffer_free(&vs->zrle->fb); ++ buffer_free(&vs->zrle->zlib); + } +diff --git a/ui/vnc.c b/ui/vnc.c +index 99b1ab14a5..0acdd3870f 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -1141,6 +1141,8 @@ void vnc_disconnect_finish(VncState *vs) + g_free(vs->lossy_rect[i]); + } + g_free(vs->lossy_rect); ++ g_free(vs->zrle); ++ g_free(vs->tight); + g_free(vs); + } + +@@ -2003,8 +2005,8 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) + + vs->features = 0; + vs->vnc_encoding = 0; +- vs->tight.compression = 9; +- vs->tight.quality = -1; /* Lossless by default */ ++ vs->tight->compression = 9; ++ vs->tight->quality = -1; /* Lossless by default */ + vs->absolute = -1; + + /* +@@ -2069,11 +2071,11 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) + vs->features |= VNC_FEATURE_LED_STATE_MASK; + break; + case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9: +- vs->tight.compression = (enc & 0x0F); ++ vs->tight->compression = (enc & 0x0F); + break; + case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9: + if (vs->vd->lossy) { +- vs->tight.quality = (enc & 0x0F); ++ vs->tight->quality = (enc & 0x0F); + } + break; + default: +@@ -2906,6 +2908,8 @@ static void vnc_connect(VncDisplay *vd, int csock, int skipauth, bool websocket) + int i; + + vs->csock = csock; ++ vs->zrle = g_new0(VncZrle, 1); ++ vs->tight = g_new0(VncTight, 1); + + if (skipauth) { + vs->auth = VNC_AUTH_NONE; +diff --git a/ui/vnc.h b/ui/vnc.h +index f9c5f89950..99af25748a 100644 +--- a/ui/vnc.h ++++ b/ui/vnc.h +@@ -346,10 +346,10 @@ struct VncState + /* Encoding specific, if you add something here, don't forget to + * update vnc_async_encoding_start() + */ +- VncTight tight; ++ VncTight *tight; + VncZlib zlib; + VncHextile hextile; +- VncZrle zrle; ++ VncZrle *zrle; + VncZywrle zywrle; + + Notifier mouse_mode_notifier; +-- +2.18.2 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index d6cc5f7..59407b6 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -14,7 +14,7 @@ %global have_usbredir 0 %endif -%ifnarch s390 s390x %{arm} +%ifnarch s390 s390x %global have_librdma 1 %global have_tcmalloc 1 %endif @@ -41,9 +41,6 @@ %ifarch aarch64 %global kvm_target aarch64 %endif -%ifarch %{arm} - %global kvm_target arm -%endif #Versions of various parts: @@ -79,13 +76,13 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 173%{?dist}.3 +Release: 175%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2 and GPLv2+ and CC-BY Group: Development/Tools URL: http://www.qemu.org/ -ExclusiveArch: x86_64 %{arm} +ExclusiveArch: x86_64 Requires: seabios-bin >= 1.7.2.2-5 Requires: sgabios-bin Requires: seavgabios-bin @@ -4028,14 +4025,20 @@ Patch1983: kvm-tcp_emu-Fix-oob-access.patch Patch1984: kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch # For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] Patch1985: kvm-slirp-use-correct-size-while-emulating-commands.patch -# For bz#1798970 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.8.z] -Patch1986: kvm-util-add-slirp_fmt-helpers.patch -# For bz#1798970 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.8.z] -Patch1987: kvm-tcp_emu-fix-unsafe-snprintf-usages.patch -# For bz#1822235 - Add support for newer glusterfs [rhel-7.8.z] -Patch1988: kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch -# For bz#1822235 - Add support for newer glusterfs [rhel-7.8.z] -Patch1989: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +# For bz#1800515 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9] +Patch1986: kvm-util-add-slirp_fmt-helpers2.patch +# For bz#1800515 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9] +Patch1987: kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch +# For bz#1791679 - QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7] +Patch1988: kvm-slirp-disable-tcp_emu.patch +# For bz#1802215 - Add support for newer glusterfs +Patch1989: kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch +# For bz#1802215 - Add support for newer glusterfs +Patch1990: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +# For bz#1618503 - qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7] +Patch1991: kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch +# For bz#1810408 - CVE-2019-20382 qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-7] +Patch1992: kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch BuildRequires: zlib-devel @@ -6203,6 +6206,9 @@ tar -xf %{SOURCE21} %patch1987 -p1 %patch1988 -p1 %patch1989 -p1 +%patch1990 -p1 +%patch1991 -p1 +%patch1992 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -6648,17 +6654,26 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog -* Tue Apr 14 2020 Miroslav Rezanina - 1.5.3-173.el7_8.3 -- kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch [bz#1822235] -- kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch [bz#1822235] -- Resolves: bz#1822235 - (Add support for newer glusterfs [rhel-7.8.z]) - -* Wed Mar 04 2020 Miroslav Rezanina - 1.5.3-173.el7_8.1 -- kvm-util-add-slirp_fmt-helpers.patch [bz#1798970] -- kvm-tcp_emu-fix-unsafe-snprintf-usages.patch [bz#1798970] -- Resolves: bz#1798970 - (CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.8.z]) +* Mon Jun 01 2020 Jon Maloy - 1.5.3-175.el7 +- kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch [bz#1810408] +- Resolves: bz#1810408 + (CVE-2019-20382 qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-7]) + +* Thu Mar 19 2020 Miroslav Rezanina - 1.5.3-174.el7 +- kvm-util-add-slirp_fmt-helpers2.patch [bz#1800515] +- kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch [bz#1800515] +- kvm-slirp-disable-tcp_emu.patch [bz#1791679] +- kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch [bz#1802215] +- kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch [bz#1802215] +- kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503] +- Resolves: bz#1618503 + (qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7]) +- Resolves: bz#1791679 + (QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7]) +- Resolves: bz#1800515 + (CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9]) +- Resolves: bz#1802215 + (Add support for newer glusterfs) * Thu Jan 23 2020 Miroslav Rezanina - 1.5.3-173.el7 - kvm-tcp_emu-Fix-oob-access.patch [bz#1791560]