diff --git a/SOURCES/kvm-Allow-mismatched-virtio-config-len.patch b/SOURCES/kvm-Allow-mismatched-virtio-config-len.patch
new file mode 100644
index 0000000..8e05351
--- /dev/null
+++ b/SOURCES/kvm-Allow-mismatched-virtio-config-len.patch
@@ -0,0 +1,73 @@
+From 88fd47b4c3a1a272d7e21ba0e7358e0a4e9ecf88 Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Mon, 30 Jun 2014 11:10:01 +0200
+Subject: [PATCH] Allow mismatched virtio config-len
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1404126601-23992-2-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 59407
+O-Subject: [RHEL-7.0.z qemu-kvm PATCH 1/1] Allow mismatched virtio config-len
+Bugzilla: 1095782
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
+
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+
+Commit 'virtio: validate config_len on load' restricted config_len
+loaded from the wire to match the config_len that the device had.
+
+Unfortunately, there are cases where this isn't true, the one
+we found it on was the wce addition in virtio-blk.
+
+Allow mismatched config-lengths:
+ *) If the version on the wire is shorter then fine
+ *) If the version on the wire is longer, load what we have space
+ for and skip the rest.
+
+(This is mst@redhat.com's rework of what I originally posted)
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 2f5732e9648fcddc8759a8fd25c0b41a38352be6)
+---
+ hw/virtio/virtio.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 16 +++++++++++-----
+ 1 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 44309c2..132b5af 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -886,12 +886,18 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ return -1;
+ }
+ config_len = qemu_get_be32(f);
+- if (config_len != vdev->config_len) {
+- error_report("Unexpected config length 0x%x. Expected 0x%zx",
+- config_len, vdev->config_len);
+- return -1;
++
++ /*
++ * There are cases where the incoming config can be bigger or smaller
++ * than what we have; so load what we have space for, and skip
++ * any excess that's in the stream.
++ */
++ qemu_get_buffer(f, vdev->config, MIN(config_len, vdev->config_len));
++
++ while (config_len > vdev->config_len) {
++ qemu_get_byte(f);
++ config_len--;
+ }
+- qemu_get_buffer(f, vdev->config, vdev->config_len);
+
+ num = qemu_get_be32(f);
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch b/SOURCES/kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch
new file mode 100644
index 0000000..f8afbca
--- /dev/null
+++ b/SOURCES/kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch
@@ -0,0 +1,85 @@
+From 118493a7515526d7adc52b1ca1b667db1458e98c Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Thu, 8 May 2014 11:27:33 +0200
+Subject: [PATCH 21/30] Count used RAMBlock pages for migration_dirty_pages
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1399548453-9181-2-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 58746
+O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 1/1] Count used RAMBlock pages for migration_dirty_pages
+Bugzilla: 1110189
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+
+This is a fix for a bug triggered by a migration after hot unplugging
+a few virtio-net NICs, that caused migration never to converge, because
+'migration_dirty_pages' is incorrectly initialised.
+
+'migration_dirty_pages' is used as a tally of the number of outstanding
+dirty pages, to give the migration code an idea of how much more data
+will need to be transferred, and thus whether it can end the iterative
+phase.
+
+It was initialised to the total size of the RAMBlock address space,
+however hotunplug can leave this space sparse, and hence
+migration_dirty_pages ended up too large.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit e30d1d8c7195848abb28a8c734a82b845b8b456a)
+---
+ arch_init.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ arch_init.c | 21 +++++++++++++++++----
+ 1 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 22f7def..b88d686 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -728,11 +728,8 @@ static void reset_ram_globals(void)
+ static int ram_save_setup(QEMUFile *f, void *opaque)
+ {
+ RAMBlock *block;
+- int64_t ram_pages = last_ram_offset() >> TARGET_PAGE_BITS;
++ int64_t ram_bitmap_pages; /* Size of bitmap in pages, including gaps */
+
+- migration_bitmap = bitmap_new(ram_pages);
+- bitmap_set(migration_bitmap, 0, ram_pages);
+- migration_dirty_pages = ram_pages;
+ mig_throttle_on = false;
+ dirty_rate_high_cnt = 0;
+
+@@ -771,6 +768,22 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
+ bytes_transferred = 0;
+ reset_ram_globals();
+
++ ram_bitmap_pages = last_ram_offset() >> TARGET_PAGE_BITS;
++ migration_bitmap = bitmap_new(ram_bitmap_pages);
++ bitmap_set(migration_bitmap, 0, ram_bitmap_pages);
++
++ /*
++ * Count the total number of pages used by ram blocks not including any
++ * gaps due to alignment or unplugs.
++ */
++ migration_dirty_pages = 0;
++ QTAILQ_FOREACH(block, &ram_list.blocks, next) {
++ uint64_t block_pages;
++
++ block_pages = block->length >> TARGET_PAGE_BITS;
++ migration_dirty_pages += block_pages;
++ }
++
+ memory_global_dirty_log_start();
+ migration_bitmap_sync();
+ qemu_mutex_unlock_iothread();
+--
+1.7.1
+
diff --git a/SOURCES/kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch b/SOURCES/kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch
new file mode 100644
index 0000000..2cb8c51
--- /dev/null
+++ b/SOURCES/kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch
@@ -0,0 +1,170 @@
+From ac978ade92aa12ae6c700b8be85a10355f728c78 Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Thu, 8 May 2014 10:58:41 +0200
+Subject: [PATCH 19/30] Init the XBZRLE.lock in ram_mig_init
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1399546722-6350-4-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 58743
+O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 3/4] Init the XBZRLE.lock in ram_mig_init
+Bugzilla: 1110191
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+
+Initialising the XBZRLE.lock earlier simplifies the lock use.
+
+Based on Markus's patch in:
+http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit d97326eec2ca1313eaf0b5cffd69af5663b5af5d)
+---
+ arch_init.c | 61 +++++++++++++++++++++++++++++++------------------------------
+ 1 file changed, 31 insertions(+), 30 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ arch_init.c | 61 ++++++++++++++++++++++++++++++-----------------------------
+ 1 files changed, 31 insertions(+), 30 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 37c9f6d..80e48f2 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -45,6 +45,7 @@
+ #include "hw/audio/pcspk.h"
+ #include "migration/page_cache.h"
+ #include "qemu/config-file.h"
++#include "qemu/error-report.h"
+ #include "qmp-commands.h"
+ #include "trace.h"
+ #include "exec/cpu-all.h"
+@@ -167,11 +168,8 @@ static struct {
+ /* Cache for XBZRLE, Protected by lock. */
+ PageCache *cache;
+ QemuMutex lock;
+-} XBZRLE = {
+- .encoded_buf = NULL,
+- .current_buf = NULL,
+- .cache = NULL,
+-};
++} XBZRLE;
++
+ /* buffer used for XBZRLE decoding */
+ static uint8_t *xbzrle_decoded_buf;
+
+@@ -187,41 +185,44 @@ static void XBZRLE_cache_unlock(void)
+ qemu_mutex_unlock(&XBZRLE.lock);
+ }
+
++/*
++ * called from qmp_migrate_set_cache_size in main thread, possibly while
++ * a migration is in progress.
++ * A running migration maybe using the cache and might finish during this
++ * call, hence changes to the cache are protected by XBZRLE.lock().
++ */
+ int64_t xbzrle_cache_resize(int64_t new_size)
+ {
+- PageCache *new_cache, *cache_to_free;
++ PageCache *new_cache;
++ int64_t ret;
+
+ if (new_size < TARGET_PAGE_SIZE) {
+ return -1;
+ }
+
+- /* no need to lock, the current thread holds qemu big lock */
++ XBZRLE_cache_lock();
++
+ if (XBZRLE.cache != NULL) {
+- /* check XBZRLE.cache again later */
+ if (pow2floor(new_size) == migrate_xbzrle_cache_size()) {
+- return pow2floor(new_size);
++ goto out_new_size;
+ }
+ new_cache = cache_init(new_size / TARGET_PAGE_SIZE,
+ TARGET_PAGE_SIZE);
+ if (!new_cache) {
+- DPRINTF("Error creating cache\n");
+- return -1;
+- }
+-
+- XBZRLE_cache_lock();
+- /* the XBZRLE.cache may have be destroyed, check it again */
+- if (XBZRLE.cache != NULL) {
+- cache_to_free = XBZRLE.cache;
+- XBZRLE.cache = new_cache;
+- } else {
+- cache_to_free = new_cache;
++ error_report("Error creating cache");
++ ret = -1;
++ goto out;
+ }
+- XBZRLE_cache_unlock();
+
+- cache_fini(cache_to_free);
++ cache_fini(XBZRLE.cache);
++ XBZRLE.cache = new_cache;
+ }
+
+- return pow2floor(new_size);
++out_new_size:
++ ret = pow2floor(new_size);
++out:
++ XBZRLE_cache_unlock();
++ return ret;
+ }
+
+ /* accounting for migration statistics */
+@@ -735,28 +736,27 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
+ dirty_rate_high_cnt = 0;
+
+ if (migrate_use_xbzrle()) {
+- qemu_mutex_lock_iothread();
++ XBZRLE_cache_lock();
+ XBZRLE.cache = cache_init(migrate_xbzrle_cache_size() /
+ TARGET_PAGE_SIZE,
+ TARGET_PAGE_SIZE);
+ if (!XBZRLE.cache) {
+- qemu_mutex_unlock_iothread();
+- DPRINTF("Error creating cache\n");
++ XBZRLE_cache_unlock();
++ error_report("Error creating cache");
+ return -1;
+ }
+- qemu_mutex_init(&XBZRLE.lock);
+- qemu_mutex_unlock_iothread();
++ XBZRLE_cache_unlock();
+
+ /* We prefer not to abort if there is no memory */
+ XBZRLE.encoded_buf = g_try_malloc0(TARGET_PAGE_SIZE);
+ if (!XBZRLE.encoded_buf) {
+- DPRINTF("Error allocating encoded_buf\n");
++ error_report("Error allocating encoded_buf");
+ return -1;
+ }
+
+ XBZRLE.current_buf = g_try_malloc(TARGET_PAGE_SIZE);
+ if (!XBZRLE.current_buf) {
+- DPRINTF("Error allocating current_buf\n");
++ error_report("Error allocating current_buf");
+ g_free(XBZRLE.encoded_buf);
+ XBZRLE.encoded_buf = NULL;
+ return -1;
+@@ -1110,6 +1110,7 @@ static SaveVMHandlers savevm_ram_handlers = {
+
+ void ram_mig_init(void)
+ {
++ qemu_mutex_init(&XBZRLE.lock);
+ register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
+ }
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-Provide-init-function-for-ram-migration.patch b/SOURCES/kvm-Provide-init-function-for-ram-migration.patch
new file mode 100644
index 0000000..d94b29f
--- /dev/null
+++ b/SOURCES/kvm-Provide-init-function-for-ram-migration.patch
@@ -0,0 +1,113 @@
+From 8928f6a2f77e167b7602c3f3bb071641134e544e Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Thu, 8 May 2014 10:58:40 +0200
+Subject: [PATCH 18/30] Provide init function for ram migration
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1399546722-6350-3-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 58742
+O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 2/4] Provide init function for ram migration
+Bugzilla: 1110191
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+
+Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff
+to do with ram migration (currently in arch_init.c).
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 0d6ab3ab9149767eba192ec5ad659fd34e55a291)
+---
+ arch_init.c | 7 ++++++-
+ include/migration/migration.h | 2 --
+ include/sysemu/arch_init.h | 1 +
+ vl.c | 3 +--
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ arch_init.c | 7 ++++++-
+ include/migration/migration.h | 2 --
+ include/sysemu/arch_init.h | 1 +
+ vl.c | 3 +--
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 8641afa..37c9f6d 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -1099,7 +1099,7 @@ done:
+ return ret;
+ }
+
+-SaveVMHandlers savevm_ram_handlers = {
++static SaveVMHandlers savevm_ram_handlers = {
+ .save_live_setup = ram_save_setup,
+ .save_live_iterate = ram_save_iterate,
+ .save_live_complete = ram_save_complete,
+@@ -1108,6 +1108,11 @@ SaveVMHandlers savevm_ram_handlers = {
+ .cancel = ram_migration_cancel,
+ };
+
++void ram_mig_init(void)
++{
++ register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
++}
++
+ struct soundhw {
+ const char *name;
+ const char *descr;
+diff --git a/include/migration/migration.h b/include/migration/migration.h
+index 9314511..c99a67c 100644
+--- a/include/migration/migration.h
++++ b/include/migration/migration.h
+@@ -102,8 +102,6 @@ void free_xbzrle_decoded_buf(void);
+
+ void acct_update_position(QEMUFile *f, size_t size, bool zero);
+
+-extern SaveVMHandlers savevm_ram_handlers;
+-
+ uint64_t dup_mig_bytes_transferred(void);
+ uint64_t dup_mig_pages_transferred(void);
+ uint64_t skipped_mig_bytes_transferred(void);
+diff --git a/include/sysemu/arch_init.h b/include/sysemu/arch_init.h
+index be71bca..182d48d 100644
+--- a/include/sysemu/arch_init.h
++++ b/include/sysemu/arch_init.h
+@@ -29,6 +29,7 @@ extern const uint32_t arch_type;
+ void select_soundhw(const char *optarg);
+ void do_acpitable_option(const QemuOpts *opts);
+ void do_smbios_option(QemuOpts *opts);
++void ram_mig_init(void);
+ void cpudef_init(void);
+ void audio_init(void);
+ int tcg_available(void);
+diff --git a/vl.c b/vl.c
+index 51300e7..6ff06cc 100644
+--- a/vl.c
++++ b/vl.c
+@@ -4133,6 +4133,7 @@ int main(int argc, char **argv, char **envp)
+ cpu_exec_init_all();
+
+ blk_mig_init();
++ ram_mig_init();
+
+ /* open the virtual block devices */
+ if (snapshot)
+@@ -4147,8 +4148,6 @@ int main(int argc, char **argv, char **envp)
+ default_drive(default_floppy, snapshot, IF_FLOPPY, 0, FD_OPTS);
+ default_drive(default_sdcard, snapshot, IF_SD, 0, SD_OPTS);
+
+- register_savevm_live(NULL, "ram", 0, 4, &savevm_ram_handlers, NULL);
+-
+ if (nb_numa_nodes > 0) {
+ int i;
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch b/SOURCES/kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch
new file mode 100644
index 0000000..3130627
--- /dev/null
+++ b/SOURCES/kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch
@@ -0,0 +1,106 @@
+From a00bde30c0730d3434d9f4556a9cb119f3f8d68d Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Thu, 8 May 2014 10:58:42 +0200
+Subject: [PATCH 20/30] XBZRLE: Fix one XBZRLE corruption issues
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1399546722-6350-5-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 58744
+O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 4/4] XBZRLE: Fix one XBZRLE corruption issues
+Bugzilla: 1110191
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+
+From: ChenLiang <chenliang88@huawei.com>
+
+The page may not be inserted into cache after executing save_xbzrle_page.
+In case of failure to insert, the original page should be sent rather
+than the page in the cache.
+
+Signed-off-by: ChenLiang <chenliang88@huawei.com>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 1534ee93cc6be992c05577886b24bd44c37ecff6)
+---
+ arch_init.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ arch_init.c | 25 +++++++++++++------------
+ 1 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 80e48f2..22f7def 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -341,7 +341,7 @@ static void xbzrle_cache_zero_page(ram_addr_t current_addr)
+
+ #define ENCODING_FLAG_XBZRLE 0x1
+
+-static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
++static int save_xbzrle_page(QEMUFile *f, uint8_t **current_data,
+ ram_addr_t current_addr, RAMBlock *block,
+ ram_addr_t offset, int cont, bool last_stage)
+ {
+@@ -349,19 +349,23 @@ static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
+ uint8_t *prev_cached_page;
+
+ if (!cache_is_cached(XBZRLE.cache, current_addr)) {
++ acct_info.xbzrle_cache_miss++;
+ if (!last_stage) {
+- if (cache_insert(XBZRLE.cache, current_addr, current_data) == -1) {
++ if (cache_insert(XBZRLE.cache, current_addr, *current_data) == -1) {
+ return -1;
++ } else {
++ /* update *current_data when the page has been
++ inserted into cache */
++ *current_data = get_cached_data(XBZRLE.cache, current_addr);
+ }
+ }
+- acct_info.xbzrle_cache_miss++;
+ return -1;
+ }
+
+ prev_cached_page = get_cached_data(XBZRLE.cache, current_addr);
+
+ /* save current buffer into memory */
+- memcpy(XBZRLE.current_buf, current_data, TARGET_PAGE_SIZE);
++ memcpy(XBZRLE.current_buf, *current_data, TARGET_PAGE_SIZE);
+
+ /* XBZRLE encoding (if there is no overflow) */
+ encoded_len = xbzrle_encode_buffer(prev_cached_page, XBZRLE.current_buf,
+@@ -374,7 +378,10 @@ static int save_xbzrle_page(QEMUFile *f, uint8_t *current_data,
+ DPRINTF("Overflow\n");
+ acct_info.xbzrle_overflows++;
+ /* update data in the cache */
+- memcpy(prev_cached_page, current_data, TARGET_PAGE_SIZE);
++ if (!last_stage) {
++ memcpy(prev_cached_page, *current_data, TARGET_PAGE_SIZE);
++ *current_data = prev_cached_page;
++ }
+ return -1;
+ }
+
+@@ -599,15 +606,9 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
+ */
+ xbzrle_cache_zero_page(current_addr);
+ } else if (!ram_bulk_stage && migrate_use_xbzrle()) {
+- bytes_sent = save_xbzrle_page(f, p, current_addr, block,
++ bytes_sent = save_xbzrle_page(f, &p, current_addr, block,
+ offset, cont, last_stage);
+ if (!last_stage) {
+- /* We must send exactly what's in the xbzrle cache
+- * even if the page wasn't xbzrle compressed, so that
+- * it's right next time.
+- */
+- p = get_cached_data(XBZRLE.cache, current_addr);
+-
+ /* Can't send this cached data async, since the cache page
+ * might get updated before it gets to the wire
+ */
+--
+1.7.1
+
diff --git a/SOURCES/kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch b/SOURCES/kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch
new file mode 100644
index 0000000..261ad8f
--- /dev/null
+++ b/SOURCES/kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch
@@ -0,0 +1,158 @@
+From e30b7a4a8810a49a1b8a915a9ed174b9b254c999 Mon Sep 17 00:00:00 2001
+From: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Date: Thu, 8 May 2014 10:58:39 +0200
+Subject: [PATCH 17/30] XBZRLE: Fix qemu crash when resize the xbzrle cache
+
+RH-Author: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+Message-id: <1399546722-6350-2-git-send-email-dgilbert@redhat.com>
+Patchwork-id: 58741
+O-Subject: [RHEL7.1/RHEL7.0.z qemu-kvm PATCH 1/4] XBZRLE: Fix qemu crash when resize the xbzrle cache
+Bugzilla: 1110191
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+
+From: Gonglei <arei.gonglei@huawei.com>
+
+Resizing the xbzrle cache during migration causes qemu-crash,
+because the main-thread and migration-thread modify the xbzrle
+cache size concurrently without lock-protection.
+
+Signed-off-by: ChenLiang <chenliang88@huawei.com>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit fd8cec932c2ddc687e2da954978954b46a926f90)
+---
+ arch_init.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ arch_init.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index f5d521a..8641afa 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -164,8 +164,9 @@ static struct {
+ uint8_t *encoded_buf;
+ /* buffer for storing page content */
+ uint8_t *current_buf;
+- /* Cache for XBZRLE */
++ /* Cache for XBZRLE, Protected by lock. */
+ PageCache *cache;
++ QemuMutex lock;
+ } XBZRLE = {
+ .encoded_buf = NULL,
+ .current_buf = NULL,
+@@ -174,16 +175,52 @@ static struct {
+ /* buffer used for XBZRLE decoding */
+ static uint8_t *xbzrle_decoded_buf;
+
++static void XBZRLE_cache_lock(void)
++{
++ if (migrate_use_xbzrle())
++ qemu_mutex_lock(&XBZRLE.lock);
++}
++
++static void XBZRLE_cache_unlock(void)
++{
++ if (migrate_use_xbzrle())
++ qemu_mutex_unlock(&XBZRLE.lock);
++}
++
+ int64_t xbzrle_cache_resize(int64_t new_size)
+ {
++ PageCache *new_cache, *cache_to_free;
++
+ if (new_size < TARGET_PAGE_SIZE) {
+ return -1;
+ }
+
++ /* no need to lock, the current thread holds qemu big lock */
+ if (XBZRLE.cache != NULL) {
+- return cache_resize(XBZRLE.cache, new_size / TARGET_PAGE_SIZE) *
+- TARGET_PAGE_SIZE;
++ /* check XBZRLE.cache again later */
++ if (pow2floor(new_size) == migrate_xbzrle_cache_size()) {
++ return pow2floor(new_size);
++ }
++ new_cache = cache_init(new_size / TARGET_PAGE_SIZE,
++ TARGET_PAGE_SIZE);
++ if (!new_cache) {
++ DPRINTF("Error creating cache\n");
++ return -1;
++ }
++
++ XBZRLE_cache_lock();
++ /* the XBZRLE.cache may have be destroyed, check it again */
++ if (XBZRLE.cache != NULL) {
++ cache_to_free = XBZRLE.cache;
++ XBZRLE.cache = new_cache;
++ } else {
++ cache_to_free = new_cache;
++ }
++ XBZRLE_cache_unlock();
++
++ cache_fini(cache_to_free);
+ }
++
+ return pow2floor(new_size);
+ }
+
+@@ -539,6 +576,8 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
+ ret = ram_control_save_page(f, block->offset,
+ offset, TARGET_PAGE_SIZE, &bytes_sent);
+
++ XBZRLE_cache_lock();
++
+ current_addr = block->offset + offset;
+ if (ret != RAM_SAVE_CONTROL_NOT_SUPP) {
+ if (ret != RAM_SAVE_CONTROL_DELAYED) {
+@@ -587,6 +626,7 @@ static int ram_save_block(QEMUFile *f, bool last_stage)
+ acct_info.norm_pages++;
+ }
+
++ XBZRLE_cache_unlock();
+ /* if page is unmodified, continue to the next */
+ if (bytes_sent > 0) {
+ last_sent_block = block;
+@@ -654,6 +694,7 @@ static void migration_end(void)
+ migration_bitmap = NULL;
+ }
+
++ XBZRLE_cache_lock();
+ if (XBZRLE.cache) {
+ cache_fini(XBZRLE.cache);
+ g_free(XBZRLE.cache);
+@@ -663,6 +704,7 @@ static void migration_end(void)
+ XBZRLE.encoded_buf = NULL;
+ XBZRLE.current_buf = NULL;
+ }
++ XBZRLE_cache_unlock();
+ }
+
+ static void ram_migration_cancel(void *opaque)
+@@ -693,13 +735,17 @@ static int ram_save_setup(QEMUFile *f, void *opaque)
+ dirty_rate_high_cnt = 0;
+
+ if (migrate_use_xbzrle()) {
++ qemu_mutex_lock_iothread();
+ XBZRLE.cache = cache_init(migrate_xbzrle_cache_size() /
+ TARGET_PAGE_SIZE,
+ TARGET_PAGE_SIZE);
+ if (!XBZRLE.cache) {
++ qemu_mutex_unlock_iothread();
+ DPRINTF("Error creating cache\n");
+ return -1;
+ }
++ qemu_mutex_init(&XBZRLE.lock);
++ qemu_mutex_unlock_iothread();
+
+ /* We prefer not to abort if there is no memory */
+ XBZRLE.encoded_buf = g_try_malloc0(TARGET_PAGE_SIZE);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch b/SOURCES/kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch
new file mode 100644
index 0000000..e1c6c3d
--- /dev/null
+++ b/SOURCES/kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch
@@ -0,0 +1,91 @@
+From 3322e336871252ea0ff22920cfb13d302b07bd11 Mon Sep 17 00:00:00 2001
+From: Gal Hammer <ghammer@redhat.com>
+Date: Sun, 16 Mar 2014 09:57:09 +0100
+Subject: [PATCH 28/30] char: restore read callback on a reattached (hotplug) chardev
+
+RH-Author: Gal Hammer <ghammer@redhat.com>
+Message-id: <1394963829-5384-1-git-send-email-ghammer@redhat.com>
+Patchwork-id: 58105
+O-Subject: [RHEL-7.0 qemu-kvm PATCH] char: restore read callback on a reattached (hotplug) chardev
+Bugzilla: 1110219
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Amit Shah <amit.shah@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=7207613
+Upstream: commit ac1b84dd1e020648db82a99260891aa982d1142c
+
+Fix a bug that was introduced in commit 386a5a1e. A removal of a device
+set the chr handlers to NULL. However when the device is plugged back,
+its read callback is not restored so data can't be transferred from the
+host to the guest (e.g. via the virtio-serial port).
+
+Signed-off-by: Gal Hammer <ghammer@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ qemu-char.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-char.c | 17 +++++++++++++++--
+ 1 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/qemu-char.c b/qemu-char.c
+index 983f686..930f3d4 100644
+--- a/qemu-char.c
++++ b/qemu-char.c
+@@ -215,7 +215,7 @@ void qemu_chr_add_handlers(CharDriverState *s,
+ s->chr_read = fd_read;
+ s->chr_event = fd_event;
+ s->handler_opaque = opaque;
+- if (s->chr_update_read_handler)
++ if (fe_open && s->chr_update_read_handler)
+ s->chr_update_read_handler(s);
+
+ if (!s->explicit_fe_open) {
+@@ -1140,13 +1140,14 @@ static void pty_chr_state(CharDriverState *chr, int connected)
+ if (!s->connected) {
+ s->connected = 1;
+ qemu_chr_be_generic_open(chr);
++ }
++ if (!chr->fd_in_tag) {
+ chr->fd_in_tag = io_add_watch_poll(s->fd, pty_chr_read_poll,
+ pty_chr_read, chr);
+ }
+ }
+ }
+
+-
+ static void pty_chr_close(struct CharDriverState *chr)
+ {
+ PtyCharDriver *s = chr->opaque;
+@@ -2514,6 +2515,17 @@ static void tcp_chr_connect(void *opaque)
+ qemu_chr_be_generic_open(chr);
+ }
+
++static void tcp_chr_update_read_handler(CharDriverState *chr)
++{
++ TCPCharDriver *s = chr->opaque;
++
++ remove_fd_in_watch(chr);
++ if (s->chan) {
++ chr->fd_in_tag = io_add_watch_poll(s->chan, tcp_chr_read_poll,
++ tcp_chr_read, chr);
++ }
++}
++
+ #define IACSET(x,a,b,c) x[0] = a; x[1] = b; x[2] = c;
+ static void tcp_chr_telnet_init(int fd)
+ {
+@@ -2669,6 +2681,7 @@ static CharDriverState *qemu_chr_open_socket_fd(int fd, bool do_nodelay,
+ chr->get_msgfd = tcp_get_msgfd;
+ chr->chr_add_client = tcp_chr_add_client;
+ chr->chr_add_watch = tcp_chr_add_watch;
++ chr->chr_update_read_handler = tcp_chr_update_read_handler;
+ /* be isn't opened until we get a connection */
+ chr->explicit_be_open = true;
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch b/SOURCES/kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch
new file mode 100644
index 0000000..8c36dc8
--- /dev/null
+++ b/SOURCES/kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch
@@ -0,0 +1,73 @@
+From 53cea58f1e2ed721356a705ec22751083f9e23b5 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:24:37 +0200
+Subject: [PATCH 12/30] hpet: fix buffer overrun on invalid state load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055633-6261-4-git-send-email-mst@redhat.com>
+Patchwork-id: 58851
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 4/5] hpet: fix buffer overrun on invalid state load
+Bugzilla: 1095706
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+CVE-2013-4527 hw/timer/hpet.c buffer overrun
+
+hpet is a VARRAY with a uint8 size but static array of 32
+
+To fix, make sure num_timers is valid using VMSTATE_VALID hook.
+
+Reported-by: Anthony Liguori <anthony@codemonkey.ws>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095706
+---
+ hw/timer/hpet.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/timer/hpet.c | 13 +++++++++++++
+ 1 files changed, 13 insertions(+), 0 deletions(-)
+
+diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
+index dd486a1..54ffa49 100644
+--- a/hw/timer/hpet.c
++++ b/hw/timer/hpet.c
+@@ -222,6 +222,18 @@ static int hpet_pre_load(void *opaque)
+ return 0;
+ }
+
++static bool hpet_validate_num_timers(void *opaque, int version_id)
++{
++ HPETState *s = opaque;
++
++ if (s->num_timers < HPET_MIN_TIMERS) {
++ return false;
++ } else if (s->num_timers > HPET_MAX_TIMERS) {
++ return false;
++ }
++ return true;
++}
++
+ static int hpet_post_load(void *opaque, int version_id)
+ {
+ HPETState *s = opaque;
+@@ -290,6 +302,7 @@ static const VMStateDescription vmstate_hpet = {
+ VMSTATE_UINT64(isr, HPETState),
+ VMSTATE_UINT64(hpet_counter, HPETState),
+ VMSTATE_UINT8_V(num_timers, HPETState, 2),
++ VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
+ VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
+ vmstate_hpet_timer, HPETTimer),
+ VMSTATE_END_OF_LIST()
+--
+1.7.1
+
diff --git a/SOURCES/kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch b/SOURCES/kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
new file mode 100644
index 0000000..a9d836a
--- /dev/null
+++ b/SOURCES/kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
@@ -0,0 +1,77 @@
+From ed30bd1d0e45463cc48aeb839b4ae3c65009ce79 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:24:43 +0200
+Subject: [PATCH 13/30] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055633-6261-5-git-send-email-mst@redhat.com>
+Patchwork-id: 58852
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 5/5] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
+Bugzilla: 1095714
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+4) CVE-2013-4529
+hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
+ too large
+
+There are two issues in this file:
+1. log_max from remote can be larger than on local
+then buffer will overrun with data coming from state file.
+2. log_num can be larger then we get data corruption
+again with an overflow but not adversary controlled.
+
+Fix both issues.
+
+Reported-by: Anthony Liguori <anthony@codemonkey.ws>
+Reported-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095714
+---
+ hw/pci/pcie_aer.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/pci/pcie_aer.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
+index 1ce72ce..ab5c9c6 100644
+--- a/hw/pci/pcie_aer.c
++++ b/hw/pci/pcie_aer.c
+@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
+ }
+ };
+
++static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
++{
++ PCIEAERLog *s = opaque;
++
++ return s->log_num <= s->log_max;
++}
++
+ const VMStateDescription vmstate_pcie_aer_log = {
+ .name = "PCIE_AER_ERROR_LOG",
+ .version_id = 1,
+@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
+ .minimum_version_id_old = 1,
+ .fields = (VMStateField[]) {
+ VMSTATE_UINT16(log_num, PCIEAERLog),
+- VMSTATE_UINT16(log_max, PCIEAERLog),
++ VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
++ VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
+ VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
+ vmstate_pcie_aer_err, PCIEAERErr),
+ VMSTATE_END_OF_LIST()
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow-correctly-propagate-errors.patch b/SOURCES/kvm-qcow-correctly-propagate-errors.patch
new file mode 100644
index 0000000..40f9e9a
--- /dev/null
+++ b/SOURCES/kvm-qcow-correctly-propagate-errors.patch
@@ -0,0 +1,78 @@
+From 8e046eb446573101d92b41a88ebe1066a42d653c Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:43 +0200
+Subject: [PATCH 22/30] qcow: correctly propagate errors
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-2-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59096
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 1/6] qcow: correctly propagate errors
+Bugzilla: 1097229
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit b6d5066d32f9e6c3d7508c1af9ae78327a927120)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/qcow.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index c470e05..b57b900 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -119,17 +119,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ if (header.version != QCOW_VERSION) {
+ char version[64];
+ snprintf(version, sizeof(version), "QCOW version %d", header.version);
+- qerror_report(QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
+- bs->device_name, "qcow", version);
++ error_set(errp, QERR_UNKNOWN_BLOCK_FORMAT_FEATURE,
++ bs->device_name, "qcow", version);
+ ret = -ENOTSUP;
+ goto fail;
+ }
+
+ if (header.size <= 1 || header.cluster_bits < 9) {
++ error_setg(errp, "invalid value in qcow header");
+ ret = -EINVAL;
+ goto fail;
+ }
+ if (header.crypt_method > QCOW_CRYPT_AES) {
++ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+ goto fail;
+ }
+@@ -686,15 +688,13 @@ static int qcow_create(const char *filename, QEMUOptionParameter *options,
+
+ ret = bdrv_create_file(filename, options, &local_err);
+ if (ret < 0) {
+- qerror_report_err(local_err);
+- error_free(local_err);
++ error_propagate(errp, local_err);
+ return ret;
+ }
+
+ ret = bdrv_file_open(&qcow_bs, filename, NULL, BDRV_O_RDWR, &local_err);
+ if (ret < 0) {
+- qerror_report_err(local_err);
+- error_free(local_err);
++ error_propagate(errp, local_err);
+ return ret;
+ }
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow1-Check-maximum-cluster-size.patch b/SOURCES/kvm-qcow1-Check-maximum-cluster-size.patch
new file mode 100644
index 0000000..e006f39
--- /dev/null
+++ b/SOURCES/kvm-qcow1-Check-maximum-cluster-size.patch
@@ -0,0 +1,175 @@
+From 0867b2aac8b789d492af127b12437e526774b7cf Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:45 +0200
+Subject: [PATCH 24/30] qcow1: Check maximum cluster size
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-4-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59098
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 3/6] qcow1: Check maximum cluster size
+Bugzilla: 1097229
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Huge values for header.cluster_bits cause unbounded allocations (e.g.
+for s->cluster_cache) and crash qemu this way. Less huge values may
+survive those allocations, but can cause integer overflows later on.
+
+The only cluster sizes that qemu can create are 4k (for standalone
+images) and 512 (for images with backing files), so we can limit it
+to 64k.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+
+Conflicts:
+ tests/qemu-iotests/group
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
+---
+ block/qcow.c | 10 ++++++--
+ tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/092.out | 13 ++++++++++
+ tests/qemu-iotests/group | 1 +
+ 4 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100755 tests/qemu-iotests/092
+ create mode 100644 tests/qemu-iotests/092.out
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 10 +++++-
+ tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/092.out | 13 +++++++++
+ tests/qemu-iotests/group | 1 +
+ 4 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100755 tests/qemu-iotests/092
+ create mode 100644 tests/qemu-iotests/092.out
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 220ac04..2efe2fc 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -126,11 +126,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ goto fail;
+ }
+
+- if (header.size <= 1 || header.cluster_bits < 9) {
+- error_setg(errp, "invalid value in qcow header");
++ if (header.size <= 1) {
++ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
+ ret = -EINVAL;
+ goto fail;
+ }
++ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
++ error_setg(errp, "Cluster size must be between 512 and 64k");
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ if (header.crypt_method > QCOW_CRYPT_AES) {
+ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
+new file mode 100755
+index 0000000..d060e6f
+--- /dev/null
++++ b/tests/qemu-iotests/092
+@@ -0,0 +1,63 @@
++#!/bin/bash
++#
++# qcow1 format input validation tests
++#
++# Copyright (C) 2014 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++
++# creator
++owner=kwolf@redhat.com
++
++seq=`basename $0`
++echo "QA output created by $seq"
++
++here=`pwd`
++tmp=/tmp/$$
++status=1 # failure is the default!
++
++_cleanup()
++{
++ rm -f $TEST_IMG.snap
++ _cleanup_test_img
++}
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++# get standard environment, filters and checks
++. ./common.rc
++. ./common.filter
++
++_supported_fmt qcow
++_supported_proto generic
++_supported_os Linux
++
++offset_cluster_bits=32
++
++echo
++echo "== Invalid cluster size =="
++_make_test_img 64M
++poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++
++# success, all done
++echo "*** done"
++rm -f $seq.full
++status=0
+diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
+new file mode 100644
+index 0000000..8bf8158
+--- /dev/null
++++ b/tests/qemu-iotests/092.out
+@@ -0,0 +1,13 @@
++QA output created by 092
++
++== Invalid cluster size ==
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
++no file open, try 'help open'
++*** done
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index ad96fcf..d6d4a7f 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -81,3 +81,4 @@
+ 084 img auto
+ 086 rw auto quick
+ 088 rw auto
++092 rw auto quick
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow1-Make-padding-in-the-header-explicit.patch b/SOURCES/kvm-qcow1-Make-padding-in-the-header-explicit.patch
new file mode 100644
index 0000000..c8a69b8
--- /dev/null
+++ b/SOURCES/kvm-qcow1-Make-padding-in-the-header-explicit.patch
@@ -0,0 +1,52 @@
+From 3dae291d6b66443e016123ff763e89c07119cacb Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:44 +0200
+Subject: [PATCH 23/30] qcow1: Make padding in the header explicit
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-3-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59097
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 2/6] qcow1: Make padding in the header explicit
+Bugzilla: 1097229
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+We were relying on all compilers inserting the same padding in the
+header struct that is used for the on-disk format. Let's not do that.
+Mark the struct as packed and insert an explicit padding field for
+compatibility.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
+---
+ block/qcow.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index b57b900..220ac04 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -48,9 +48,10 @@ typedef struct QCowHeader {
+ uint64_t size; /* in bytes */
+ uint8_t cluster_bits;
+ uint8_t l2_bits;
++ uint16_t padding;
+ uint32_t crypt_method;
+ uint64_t l1_table_offset;
+-} QCowHeader;
++} QEMU_PACKED QCowHeader;
+
+ #define L2_CACHE_SIZE 16
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow1-Stricter-backing-file-length-check.patch b/SOURCES/kvm-qcow1-Stricter-backing-file-length-check.patch
new file mode 100644
index 0000000..cbb569f
--- /dev/null
+++ b/SOURCES/kvm-qcow1-Stricter-backing-file-length-check.patch
@@ -0,0 +1,114 @@
+From 9e8900ff62bb5c0009ca25a98158650e39f99c47 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:48 +0200
+Subject: [PATCH 27/30] qcow1: Stricter backing file length check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-7-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59100
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 6/6] qcow1: Stricter backing file length check
+Bugzilla: 1097236
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
+of silently truncating them to 1023.
+
+Also don't rely on bdrv_pread() catching integer overflows that make len
+negative, but use unsigned variables in the first place.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+│(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
+---
+ block/qcow.c | 7 +++++--
+ tests/qemu-iotests/092 | 11 +++++++++++
+ tests/qemu-iotests/092.out | 7 +++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 7 +++++--
+ tests/qemu-iotests/092 | 11 +++++++++++
+ tests/qemu-iotests/092.out | 7 +++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 4fdc751..ad44f78 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ Error **errp)
+ {
+ BDRVQcowState *s = bs->opaque;
+- int len, i, shift, ret;
++ unsigned int len, i, shift;
++ int ret;
+ QCowHeader header;
+
+ ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
+@@ -200,7 +201,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ if (header.backing_file_offset != 0) {
+ len = header.backing_file_size;
+ if (len > 1023) {
+- len = 1023;
++ error_setg(errp, "Backing file name too long");
++ ret = -EINVAL;
++ goto fail;
+ }
+ ret = bdrv_pread(bs->file, header.backing_file_offset,
+ bs->backing_file, len);
+diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
+index ae6ca76..a8c0c9c 100755
+--- a/tests/qemu-iotests/092
++++ b/tests/qemu-iotests/092
+@@ -43,6 +43,8 @@ _supported_fmt qcow
+ _supported_proto generic
+ _supported_os Linux
+
++offset_backing_file_offset=8
++offset_backing_file_size=16
+ offset_size=24
+ offset_cluster_bits=32
+ offset_l2_bits=33
+@@ -81,6 +83,15 @@ poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
+ poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
+ { $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
++echo
++echo "== Invalid backing file length =="
++_make_test_img 64M
++poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"
++poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_backing_file_size" "\x7f\xff\xff\xff"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
+index ac03302..496d8f0 100644
+--- a/tests/qemu-iotests/092.out
++++ b/tests/qemu-iotests/092.out
+@@ -28,4 +28,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+ no file open, try 'help open'
+ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+ no file open, try 'help open'
++
++== Invalid backing file length ==
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
++no file open, try 'help open'
+ *** done
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch b/SOURCES/kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
new file mode 100644
index 0000000..425db79
--- /dev/null
+++ b/SOURCES/kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
@@ -0,0 +1,119 @@
+From 6cec75be66671262a640c0424d93902862f6f1e7 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:46 +0200
+Subject: [PATCH 25/30] qcow1: Validate L2 table size (CVE-2014-0222)
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-5-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59099
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 4/6] qcow1: Validate L2 table size (CVE-2014-0222)
+Bugzilla: 1097229
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Too large L2 table sizes cause unbounded allocations. Images actually
+created by qemu-img only have 512 byte or 4k L2 tables.
+
+To keep things consistent with cluster sizes, allow ranges between 512
+bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
+working, but L2 table sizes smaller than a cluster don't make a lot of
+sense).
+
+This also means that the number of bytes on the virtual disk that are
+described by the same L2 table is limited to at most 8k * 64k or 2^29,
+preventively avoiding any integer overflows.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
+---
+ block/qcow.c | 8 ++++++++
+ tests/qemu-iotests/092 | 15 +++++++++++++++
+ tests/qemu-iotests/092.out | 11 +++++++++++
+ 3 files changed, 34 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 8 ++++++++
+ tests/qemu-iotests/092 | 15 +++++++++++++++
+ tests/qemu-iotests/092.out | 11 +++++++++++
+ 3 files changed, 34 insertions(+), 0 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 2efe2fc..f266701 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -137,6 +137,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ goto fail;
+ }
+
++ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
++ * so bytes = num_entries << 3. */
++ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
++ error_setg(errp, "L2 table size must be between 512 and 64k");
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ if (header.crypt_method > QCOW_CRYPT_AES) {
+ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
+index d060e6f..fb8bacc 100755
+--- a/tests/qemu-iotests/092
++++ b/tests/qemu-iotests/092
+@@ -44,6 +44,7 @@ _supported_proto generic
+ _supported_os Linux
+
+ offset_cluster_bits=32
++offset_l2_bits=33
+
+ echo
+ echo "== Invalid cluster size =="
+@@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+ { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
++echo
++echo "== Invalid L2 table size =="
++_make_test_img 64M
++poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++
++# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
++poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
+index 8bf8158..73918b3 100644
+--- a/tests/qemu-iotests/092.out
++++ b/tests/qemu-iotests/092.out
+@@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and
+ no file open, try 'help open'
+ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+ no file open, try 'help open'
++
++== Invalid L2 table size ==
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
++no file open, try 'help open'
+ *** done
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow1-Validate-image-size-CVE-2014-0223.patch b/SOURCES/kvm-qcow1-Validate-image-size-CVE-2014-0223.patch
new file mode 100644
index 0000000..dd56cbb
--- /dev/null
+++ b/SOURCES/kvm-qcow1-Validate-image-size-CVE-2014-0223.patch
@@ -0,0 +1,118 @@
+From a193c89099b75ab17e530fb909813373f72c1ca7 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Mon, 2 Jun 2014 13:54:47 +0200
+Subject: [PATCH 26/30] qcow1: Validate image size (CVE-2014-0223)
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <1401717288-3918-6-git-send-email-kwolf@redhat.com>
+Patchwork-id: 59101
+O-Subject: [RHEL-7.1/7.0.z qemu-kvm PATCH 5/6] qcow1: Validate image size (CVE-2014-0223)
+Bugzilla: 1097236
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+A huge image size could cause s->l1_size to overflow. Make sure that
+images never require a L1 table larger than what fits in s->l1_size.
+
+This cannot only cause unbounded allocations, but also the allocation of
+a too small L1 table, resulting in out-of-bounds array accesses (both
+reads and writes).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
+---
+ block/qcow.c | 16 ++++++++++++++--
+ tests/qemu-iotests/092 | 9 +++++++++
+ tests/qemu-iotests/092.out | 7 +++++++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow.c | 16 ++++++++++++++--
+ tests/qemu-iotests/092 | 9 +++++++++
+ tests/qemu-iotests/092.out | 7 +++++++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index f266701..4fdc751 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
+ int cluster_sectors;
+ int l2_bits;
+ int l2_size;
+- int l1_size;
++ unsigned int l1_size;
+ uint64_t cluster_offset_mask;
+ uint64_t l1_table_offset;
+ uint64_t *l1_table;
+@@ -164,7 +164,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+
+ /* read the level 1 table */
+ shift = s->cluster_bits + s->l2_bits;
+- s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
++ if (header.size > UINT64_MAX - (1LL << shift)) {
++ error_setg(errp, "Image too large");
++ ret = -EINVAL;
++ goto fail;
++ } else {
++ uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
++ if (l1_size > INT_MAX / sizeof(uint64_t)) {
++ error_setg(errp, "Image too large");
++ ret = -EINVAL;
++ goto fail;
++ }
++ s->l1_size = l1_size;
++ }
+
+ s->l1_table_offset = header.l1_table_offset;
+ s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
+index fb8bacc..ae6ca76 100755
+--- a/tests/qemu-iotests/092
++++ b/tests/qemu-iotests/092
+@@ -43,6 +43,7 @@ _supported_fmt qcow
+ _supported_proto generic
+ _supported_os Linux
+
++offset_size=24
+ offset_cluster_bits=32
+ offset_l2_bits=33
+
+@@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
+ poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
+ { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
++echo
++echo "== Invalid size =="
++_make_test_img 64M
++poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
++{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
++{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
++
+ # success, all done
+ echo "*** done"
+ rm -f $seq.full
+diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
+index 73918b3..ac03302 100644
+--- a/tests/qemu-iotests/092.out
++++ b/tests/qemu-iotests/092.out
+@@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 an
+ no file open, try 'help open'
+ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+ no file open, try 'help open'
++
++== Invalid size ==
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++qemu-io: can't open device TEST_DIR/t.qcow: Image too large
++no file open, try 'help open'
++qemu-io: can't open device TEST_DIR/t.qcow: Image too large
++no file open, try 'help open'
+ *** done
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qcow2-Free-preallocated-zero-clusters.patch b/SOURCES/kvm-qcow2-Free-preallocated-zero-clusters.patch
new file mode 100644
index 0000000..f8ce501
--- /dev/null
+++ b/SOURCES/kvm-qcow2-Free-preallocated-zero-clusters.patch
@@ -0,0 +1,55 @@
+From 0a83451f1962265f2ac2d43c7c1cbbf1ecd77552 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 2 May 2014 16:06:20 +0200
+Subject: [PATCH 29/30] qcow2: Free preallocated zero clusters
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <1399046781-16359-2-git-send-email-mreitz@redhat.com>
+Patchwork-id: 58644
+O-Subject: [RHEL-7.0 qemu-kvm PATCH 1/2] qcow2: Free preallocated zero clusters
+Bugzilla: 1110188
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
+
+In qcow2_free_any_clusters, preallocated zero clusters should be freed
+just as normal clusters are.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 8f730dd24edd2576ecbd596de7ea4361296b129c)
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ block/qcow2-refcount.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/qcow2-refcount.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
+index 73ae4e3..429b01c 100644
+--- a/block/qcow2-refcount.c
++++ b/block/qcow2-refcount.c
+@@ -811,11 +811,13 @@ void qcow2_free_any_clusters(BlockDriverState *bs, uint64_t l2_entry,
+ }
+ break;
+ case QCOW2_CLUSTER_NORMAL:
+- qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
+- nb_clusters << s->cluster_bits, type);
++ case QCOW2_CLUSTER_ZERO:
++ if (l2_entry & L2E_OFFSET_MASK) {
++ qcow2_free_clusters(bs, l2_entry & L2E_OFFSET_MASK,
++ nb_clusters << s->cluster_bits, type);
++ }
+ break;
+ case QCOW2_CLUSTER_UNALLOCATED:
+- case QCOW2_CLUSTER_ZERO:
+ break;
+ default:
+ abort();
+--
+1.7.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch b/SOURCES/kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch
new file mode 100644
index 0000000..e749c6d
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch
@@ -0,0 +1,145 @@
+From f5484ed380fdff9c3d6895b72f4a05c312ee37ea Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 2 May 2014 16:06:21 +0200
+Subject: [PATCH 30/30] qemu-iotests: Discard preallocated zero clusters
+
+RH-Author: Max Reitz <mreitz@redhat.com>
+Message-id: <1399046781-16359-3-git-send-email-mreitz@redhat.com>
+Patchwork-id: 58645
+O-Subject: [RHEL-7.0 qemu-kvm PATCH 2/2] qemu-iotests: Discard preallocated zero clusters
+Bugzilla: 1110188
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Jeffrey Cody <jcody@redhat.com>
+
+Add a new test case for discarding preallocated zero clusters; doing
+this should not result in any leaks.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 975a93c082452db9aa1397a797ca8f13ba367393)
+
+Conflicts:
+ tests/qemu-iotests/group
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+---
+ tests/qemu-iotests/066 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/066.out | 13 ++++++++++
+ tests/qemu-iotests/group | 1 +
+ 3 files changed, 77 insertions(+)
+ create mode 100755 tests/qemu-iotests/066
+ create mode 100644 tests/qemu-iotests/066.out
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ tests/qemu-iotests/066 | 63 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/066.out | 13 +++++++++
+ tests/qemu-iotests/group | 1 +
+ 3 files changed, 77 insertions(+), 0 deletions(-)
+ create mode 100755 tests/qemu-iotests/066
+ create mode 100644 tests/qemu-iotests/066.out
+
+diff --git a/tests/qemu-iotests/066 b/tests/qemu-iotests/066
+new file mode 100755
+index 0000000..1c2452b
+--- /dev/null
++++ b/tests/qemu-iotests/066
+@@ -0,0 +1,63 @@
++#!/bin/bash
++#
++# Test case for discarding preallocated zero clusters in qcow2
++#
++# Copyright (C) 2013 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++
++# creator
++owner=mreitz@redhat.com
++
++seq="$(basename $0)"
++echo "QA output created by $seq"
++
++here="$PWD"
++tmp=/tmp/$$
++status=1 # failure is the default!
++
++_cleanup()
++{
++ _cleanup_test_img
++}
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++# get standard environment, filters and checks
++. ./common.rc
++. ./common.filter
++
++# This tests qocw2-specific low-level functionality
++_supported_fmt qcow2
++_supported_proto generic
++_supported_os Linux
++
++IMGOPTS="compat=1.1"
++IMG_SIZE=64M
++
++echo
++echo "=== Testing snapshotting an image with zero clusters ==="
++echo
++_make_test_img $IMG_SIZE
++# Write some normal clusters, zero them (creating preallocated zero clusters)
++# and discard those
++$QEMU_IO -c "write 0 256k" -c "write -z 0 256k" -c "discard 0 256k" "$TEST_IMG" \
++ | _filter_qemu_io
++# Check the image (there shouldn't be any leaks)
++_check_test_img
++
++# success, all done
++echo "*** done"
++rm -f $seq.full
++status=0
+diff --git a/tests/qemu-iotests/066.out b/tests/qemu-iotests/066.out
+new file mode 100644
+index 0000000..9139780
+--- /dev/null
++++ b/tests/qemu-iotests/066.out
+@@ -0,0 +1,13 @@
++QA output created by 066
++
++=== Testing snapshotting an image with zero clusters ===
++
++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
++wrote 262144/262144 bytes at offset 0
++256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++wrote 262144/262144 bytes at offset 0
++256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++discard 262144/262144 bytes at offset 0
++256 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
++No errors were found on the image.
++*** done
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index d6d4a7f..e588404 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -68,6 +68,7 @@
+ 063 rw auto
+ 064 rw auto
+ 065 rw auto
++066 rw auto
+ 067 rw auto
+ 068 rw auto
+ 070 rw auto
+--
+1.7.1
+
diff --git a/SOURCES/kvm-skip-system-call-when-msi-route-is-unchanged.patch b/SOURCES/kvm-skip-system-call-when-msi-route-is-unchanged.patch
new file mode 100644
index 0000000..70ce125
--- /dev/null
+++ b/SOURCES/kvm-skip-system-call-when-msi-route-is-unchanged.patch
@@ -0,0 +1,51 @@
+From 00a2c1d4f4dff271a314f0e9eb3b4c873b1a06c1 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Mon, 19 May 2014 09:57:40 +0200
+Subject: [PATCH 2/2] kvm: skip system call when msi route is unchanged
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400493448-29146-3-git-send-email-mst@redhat.com>
+Patchwork-id: 58949
+O-Subject: [PATCH qemu-kvm RHEL7.1 2/2] kvm: skip system call when msi route is unchanged
+Bugzilla: 1110693
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+
+Some guests do a large number of mask/unmask
+calls which currently trigger expensive route update
+system calls.
+Detect that route in unchanged and skip the system call.
+
+Reported-by: "Zhanghaoyu (A)" <haoyu.zhang@huawei.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+(cherry picked from commit 40509f7f52672fe41c2cce895e187352fc09f53a)
+---
+ kvm-all.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ kvm-all.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index 592301a..f7f621b 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -1008,6 +1008,10 @@ static int kvm_update_routing_entry(KVMState *s,
+ continue;
+ }
+
++ if(!memcmp(entry, new_entry, sizeof *entry)) {
++ return 0;
++ }
++
+ *entry = *new_entry;
+
+ kvm_irqchip_commit_routes(s);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-usb-fix-up-post-load-checks.patch b/SOURCES/kvm-usb-fix-up-post-load-checks.patch
new file mode 100644
index 0000000..ca14310
--- /dev/null
+++ b/SOURCES/kvm-usb-fix-up-post-load-checks.patch
@@ -0,0 +1,64 @@
+From f01e8ceed912ea31bf22046197fd18b82e554e48 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Thu, 15 May 2014 09:52:52 +0200
+Subject: [PATCH 16/30] usb: fix up post load checks
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400144747-16304-1-git-send-email-mst@redhat.com>
+Patchwork-id: 58906
+O-Subject: [PATCH qemu-kvm RHEL7.0.z] usb: fix up post load checks
+Bugzilla: 1096828
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+Correct post load checks:
+1. dev->setup_len == sizeof(dev->data_buf)
+ seems fine, no need to fail migration
+2. When state is DATA, passing index > len
+ will cause memcpy with negative length,
+ resulting in heap overflow
+
+First of the issues was reported by dgilbert.
+
+Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e)
+Note: in maintainer's tree
+ git://github.com/juanquintela/qemu.git tags/migration/20140515,
+ pull request sent
+
+CVE-2014-3461
+
+Bugzilla: 1096828
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7459773
+Tested: lightly on developer's box
+---
+ hw/usb/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/bus.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index 9766b7f..f4eeb5e 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
+ }
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+- dev->setup_index >= sizeof(dev->data_buf) ||
+- dev->setup_len >= sizeof(dev->data_buf)) {
++ dev->setup_index > dev->setup_len ||
++ dev->setup_len > sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
+ return 0;
+--
+1.7.1
+
diff --git a/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch b/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch
new file mode 100644
index 0000000..74a41d4
--- /dev/null
+++ b/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch
@@ -0,0 +1,62 @@
+From bbe33dbd43e6b562459624adb801f9b35d0f5211 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:26:17 +0200
+Subject: [PATCH 15/30] usb: sanity check setup_index+setup_len in post_load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055942-6418-2-git-send-email-mst@redhat.com>
+Patchwork-id: 58854
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 2/2] usb: sanity check setup_index+setup_len in post_load
+Bugzilla: 1095746
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE-2013-4541
+
+s->setup_len and s->setup_index are fed into usb_packet_copy as
+size/offset into s->data_buf, it's possible for invalid state to exploit
+this to load arbitrary data.
+
+setup_len and setup_index should be checked to make sure
+they are not negative.
+
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
+
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Tested: lightly on developer's box
+Bugzilla: 1095743
+
+Note: the fix isn't complete upstream. there's a separate bugzilla to
+fix more issues upstream and in rhel.
+---
+ hw/usb/bus.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/bus.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index e0c3a77..9766b7f 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
+ } else {
+ dev->attached = 1;
+ }
+- if (dev->setup_index >= sizeof(dev->data_buf) ||
++ if (dev->setup_index < 0 ||
++ dev->setup_len < 0 ||
++ dev->setup_index >= sizeof(dev->data_buf) ||
+ dev->setup_len >= sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
+--
+1.7.1
+
diff --git a/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch b/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch
new file mode 100644
index 0000000..190ec3d
--- /dev/null
+++ b/SOURCES/kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch
@@ -0,0 +1,49 @@
+From 586e92b335a98dcfbb4a797eb744753038da4374 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:26:14 +0200
+Subject: [PATCH 14/30] usb: sanity check setup_index+setup_len in post_load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055942-6418-1-git-send-email-mst@redhat.com>
+Patchwork-id: 58853
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 1/2] usb: sanity check setup_index+setup_len in post_load
+Bugzilla: 1095746
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit c60174e847082ab9f70720f86509a3353f816fad)
+
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Tested: lightly on developer's box
+Bugzilla: 1095743
+---
+ hw/usb/bus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/usb/bus.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index fe6bd13..e0c3a77 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -49,6 +49,10 @@ static int usb_device_post_load(void *opaque, int version_id)
+ } else {
+ dev->attached = 1;
+ }
++ if (dev->setup_index >= sizeof(dev->data_buf) ||
++ dev->setup_len >= sizeof(dev->data_buf)) {
++ return -EINVAL;
++ }
+ return 0;
+ }
+
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-allow-mapping-up-to-max-queue-size.patch b/SOURCES/kvm-virtio-allow-mapping-up-to-max-queue-size.patch
new file mode 100644
index 0000000..415209d
--- /dev/null
+++ b/SOURCES/kvm-virtio-allow-mapping-up-to-max-queue-size.patch
@@ -0,0 +1,54 @@
+From 7a967f4dd36ab8cba940bacda4c893829affcd8d Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:11:59 +0200
+Subject: [PATCH 09/30] virtio: allow mapping up to max queue size
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054952-6106-2-git-send-email-mst@redhat.com>
+Patchwork-id: 58847
+O-Subject: [PATCH qemu-kvm RHEL7.0 2/2] virtio: allow mapping up to max queue size
+Bugzilla: 1095765
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
+it's OK if the value read is VIRTQUEUE_MAX_SIZE.
+
+Not a big problem in practice as people don't use
+such big queues, but it's inelegant.
+
+Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream status: 937251408051e0489f78e4db3c92e045b147b38b
+(in maintainer's tree, PULL request sent)
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095765
+---
+ hw/virtio/virtio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 2667390..44309c2 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -423,7 +423,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
+ unsigned int i;
+ hwaddr len;
+
+- if (num_sg >= VIRTQUEUE_MAX_SIZE) {
++ if (num_sg > VIRTQUEUE_MAX_SIZE) {
+ error_report("virtio: map attempt out of bounds: %zd > %d",
+ num_sg, VIRTQUEUE_MAX_SIZE);
+ exit(1);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch b/SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch
new file mode 100644
index 0000000..d605897
--- /dev/null
+++ b/SOURCES/kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch
@@ -0,0 +1,61 @@
+From d1ada486bbdecd785762a192eae716a3484d4f16 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:52 +0200
+Subject: [PATCH 05/30] virtio: avoid buffer overrun on incoming migration
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-10-git-send-email-mst@redhat.com>
+Patchwork-id: 58843
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: avoid buffer overrun on incoming migration
+Bugzilla: 1095737
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+CVE-2013-6399
+
+vdev->queue_sel is read from the wire, and later used in the
+emulation code as an index into vdev->vq[]. If the value of
+vdev->queue_sel exceeds the length of vdev->vq[], currently
+allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
+operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
+the buffer with arbitrary data originating from the source.
+
+Fix this by failing migration if the value from the wire exceeds
+VIRTIO_PCI_QUEUE_MAX.
+
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095737
+---
+ hw/virtio/virtio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 070d64e..9600a12 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -867,6 +867,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ qemu_get_8s(f, &vdev->status);
+ qemu_get_8s(f, &vdev->isr);
+ qemu_get_be16s(f, &vdev->queue_sel);
++ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
++ return -1;
++ }
+ qemu_get_be32s(f, &features);
+
+ if (virtio_set_features(vdev, features) < 0) {
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch b/SOURCES/kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
new file mode 100644
index 0000000..7958f3d
--- /dev/null
+++ b/SOURCES/kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
@@ -0,0 +1,80 @@
+From fbae1c1a80fc0c1495c86695f5f48ee1003c2a1a Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:39 +0200
+Subject: [PATCH 01/30] virtio-net: fix buffer overflow on invalid state load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-1-git-send-email-mst@redhat.com>
+Patchwork-id: 58839
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: fix buffer overflow on invalid state load
+Bugzilla: 1095677
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+CVE-2013-4148 QEMU 1.0 integer conversion in
+virtio_net_load()@hw/net/virtio-net.c
+
+Deals with loading a corrupted savevm image.
+
+> n->mac_table.in_use = qemu_get_be32(f);
+
+in_use is int so it can get negative when assigned 32bit unsigned value.
+
+> /* MAC_TABLE_ENTRIES may be different from the saved image */
+> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
+
+passing this check ^^^
+
+> qemu_get_buffer(f, n->mac_table.macs,
+> n->mac_table.in_use * ETH_ALEN);
+
+with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
+positive and bigger than mac_table.macs. For example 0x81000000
+satisfies this condition when ETH_ALEN is 6.
+
+Fix it by making the value unsigned.
+For consistency, change first_multi as well.
+
+Note: all call sites were audited to confirm that
+making them unsigned didn't cause any issues:
+it turns out we actually never do math on them,
+so it's easy to validate because both values are
+always <= MAC_TABLE_ENTRIES.
+
+Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
+
+Bugzilla: 1095677
+Tested: on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+---
+ include/hw/virtio/virtio-net.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/hw/virtio/virtio-net.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
+index 75723a8..a02fc50 100644
+--- a/include/hw/virtio/virtio-net.h
++++ b/include/hw/virtio/virtio-net.h
+@@ -174,8 +174,8 @@ typedef struct VirtIONet {
+ uint8_t nobcast;
+ uint8_t vhost_started;
+ struct {
+- int in_use;
+- int first_multi;
++ uint32_t in_use;
++ uint32_t first_multi;
+ uint8_t multi_overflow;
+ uint8_t uni_overflow;
+ uint8_t *macs;
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch b/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
new file mode 100644
index 0000000..21e157d
--- /dev/null
+++ b/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
@@ -0,0 +1,77 @@
+From 2b6768100640ef4b0387f42391f5e9e82cf67284 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:45 +0200
+Subject: [PATCH 03/30] virtio-net: out-of-bounds buffer write on invalid state load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-3-git-send-email-mst@redhat.com>
+Patchwork-id: 58841
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: out-of-bounds buffer write on invalid state load
+Bugzilla: 1095689
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+
+CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
+virtio_net_load()@hw/net/virtio-net.c
+
+This code is in hw/net/virtio-net.c:
+
+ if (n->max_queues > 1) {
+ if (n->max_queues != qemu_get_be16(f)) {
+ error_report("virtio-net: different max_queues ");
+ return -1;
+ }
+
+ n->curr_queues = qemu_get_be16(f);
+ for (i = 1; i < n->curr_queues; i++) {
+ n->vqs[i].tx_waiting = qemu_get_be32(f);
+ }
+ }
+
+Number of vqs is max_queues, so if we get invalid input here,
+for example if max_queues = 2, curr_queues = 3, we get
+write beyond end of the buffer, with data that comes from
+wire.
+
+This might be used to corrupt qemu memory in hard to predict ways.
+Since we have lots of function pointers around, RCE might be possible.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla: 1095689
+---
+ hw/net/virtio-net.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/net/virtio-net.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f6ed241..f72be9f 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1334,6 +1334,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
+ }
+
+ n->curr_queues = qemu_get_be16(f);
++ if (n->curr_queues > n->max_queues) {
++ error_report("virtio-net: curr_queues %x > max_queues %x",
++ n->curr_queues, n->max_queues);
++ return -1;
++ }
+ for (i = 1; i < n->curr_queues; i++) {
+ n->vqs[i].tx_waiting = qemu_get_be32(f);
+ }
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch b/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch
new file mode 100644
index 0000000..9100648
--- /dev/null
+++ b/SOURCES/kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch
@@ -0,0 +1,76 @@
+From a3f3310a41ed5af1c701fea5dd7892dd9409e7d8 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:42 +0200
+Subject: [PATCH 02/30] virtio-net: out-of-bounds buffer write on load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-2-git-send-email-mst@redhat.com>
+Patchwork-id: 58840
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-net: out-of-bounds buffer write on load
+Bugzilla: 1095684
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
+virtio_net_load()@hw/net/virtio-net.c
+
+> } else if (n->mac_table.in_use) {
+> uint8_t *buf = g_malloc0(n->mac_table.in_use);
+
+We are allocating buffer of size n->mac_table.in_use
+
+> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
+
+and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
+ETH_ALEN bytes, corrupting memory.
+
+If adversary controls state then memory written there is controlled
+by adversary.
+
+Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
+
+Bugzilla: 1095684
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+---
+ hw/net/virtio-net.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/net/virtio-net.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 2d559e0..f6ed241 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1273,10 +1273,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
+ if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
+ qemu_get_buffer(f, n->mac_table.macs,
+ n->mac_table.in_use * ETH_ALEN);
+- } else if (n->mac_table.in_use) {
+- uint8_t *buf = g_malloc0(n->mac_table.in_use);
+- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
+- g_free(buf);
++ } else {
++ int64_t i;
++
++ /* Overflow detected - can happen if source has a larger MAC table.
++ * We simply set overflow flag so there's no need to maintain the
++ * table of addresses, discard them all.
++ * Note: 64 bit math to avoid integer overflow.
++ */
++ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
++ qemu_get_byte(f);
++ }
+ n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
+ n->mac_table.in_use = 0;
+ }
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch b/SOURCES/kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
new file mode 100644
index 0000000..4283207
--- /dev/null
+++ b/SOURCES/kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
@@ -0,0 +1,74 @@
+From 246b73b5e55eedcc30a213a685a46ad2f117862e Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:49 +0200
+Subject: [PATCH 04/30] virtio: out-of-bounds buffer write on invalid state load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-4-git-send-email-mst@redhat.com>
+Patchwork-id: 58842
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: out-of-bounds buffer write on invalid state load
+Bugzilla: 1095694
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+
+CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
+virtio_load@hw/virtio/virtio.c
+
+So we have this code since way back when:
+
+ num = qemu_get_be32(f);
+
+ for (i = 0; i < num; i++) {
+ vdev->vq[i].vring.num = qemu_get_be32(f);
+
+array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
+on invalid input this will write beyond end of buffer.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla: 1095694
+---
+ hw/virtio/virtio.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index b5bb0b6..070d64e 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -851,7 +851,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
+
+ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ {
+- int num, i, ret;
++ int i, ret;
++ uint32_t num;
+ uint32_t features;
+ uint32_t supported_features;
+ BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
+@@ -879,6 +880,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+
+ num = qemu_get_be32(f);
+
++ if (num > VIRTIO_PCI_QUEUE_MAX) {
++ error_report("Invalid number of PCI queues: 0x%x", num);
++ return -1;
++ }
++
+ for (i = 0; i < num; i++) {
+ vdev->vq[i].vring.num = qemu_get_be32(f);
+ vdev->vq[i].pa = qemu_get_be64(f);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch b/SOURCES/kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
new file mode 100644
index 0000000..c0b9dda
--- /dev/null
+++ b/SOURCES/kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
@@ -0,0 +1,88 @@
+From 1900368b14d425fdfe1b084892d7e2b86ba64903 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:55 +0200
+Subject: [PATCH 06/30] virtio-scsi: fix buffer overrun on invalid state load
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-11-git-send-email-mst@redhat.com>
+Patchwork-id: 58844
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio-scsi: fix buffer overrun on invalid state load
+Bugzilla: 1095741
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+CVE-2013-4542
+
+hw/scsi/scsi-bus.c invokes load_request.
+
+ virtio_scsi_load_request does:
+ qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+
+this probably can make elem invalid, for example,
+make in_num or out_num huge, then:
+
+ virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
+
+will do:
+
+ if (req->elem.out_num > 1) {
+ qemu_sgl_init_external(req, &req->elem.out_sg[1],
+ &req->elem.out_addr[1],
+ req->elem.out_num - 1);
+ } else {
+ qemu_sgl_init_external(req, &req->elem.in_sg[1],
+ &req->elem.in_addr[1],
+ req->elem.in_num - 1);
+ }
+
+and this will access out of array bounds.
+
+Note: this adds security checks within assert calls since
+SCSIBusInfo's load_request cannot fail.
+For now simply disable builds with NDEBUG - there seems
+to be little value in supporting these.
+
+Cc: Andreas Färber <afaerber@suse.de>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095741
+---
+ hw/scsi/virtio-scsi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/scsi/virtio-scsi.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 57541b4..7cf3e4b 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -145,6 +145,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
+ qemu_get_be32s(f, &n);
+ assert(n < vs->conf.num_queues);
+ qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
++ /* TODO: add a way for SCSIBusInfo's load_request to fail,
++ * and fail migration instead of asserting here.
++ * When we do, we might be able to re-enable NDEBUG below.
++ */
++#ifdef NDEBUG
++#error building with NDEBUG is not supported
++#endif
++ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
++ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
+ virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
+
+ scsi_req_ref(sreq);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-validate-config_len-on-load.patch b/SOURCES/kvm-virtio-validate-config_len-on-load.patch
new file mode 100644
index 0000000..010d822
--- /dev/null
+++ b/SOURCES/kvm-virtio-validate-config_len-on-load.patch
@@ -0,0 +1,69 @@
+From 3a5fadc2341be9efd129aed5cd04ebdba2cdc36d Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:07:58 +0200
+Subject: [PATCH 07/30] virtio: validate config_len on load
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054498-4366-17-git-send-email-mst@redhat.com>
+Patchwork-id: 58845
+O-Subject: [PATCH qemu-kvm RHEL7.0] virtio: validate config_len on load
+Bugzilla: 1095782
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+RH-Acked-by: Vlad Yasevich <vyasevic@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+
+Malformed input can have config_len in migration stream
+exceed the array size allocated on destination, the
+result will be heap overflow.
+
+To fix, that config_len matches on both sides.
+
+CVE-2014-0182
+
+Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095782
+---
+ hw/virtio/virtio.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 9600a12..686dfbb 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -852,6 +852,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
+ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ {
+ int i, ret;
++ int32_t config_len;
+ uint32_t num;
+ uint32_t features;
+ uint32_t supported_features;
+@@ -878,7 +879,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ features, supported_features);
+ return -1;
+ }
+- vdev->config_len = qemu_get_be32(f);
++ config_len = qemu_get_be32(f);
++ if (config_len != vdev->config_len) {
++ error_report("Unexpected config length 0x%x. Expected 0x%zx",
++ config_len, vdev->config_len);
++ return -1;
++ }
+ qemu_get_buffer(f, vdev->config, vdev->config_len);
+
+ num = qemu_get_be32(f);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-virtio-validate-num_sg-when-mapping.patch b/SOURCES/kvm-virtio-validate-num_sg-when-mapping.patch
new file mode 100644
index 0000000..3d2fb95
--- /dev/null
+++ b/SOURCES/kvm-virtio-validate-num_sg-when-mapping.patch
@@ -0,0 +1,62 @@
+From 24625e2c2eb6e259b621c7ff11671977fa705578 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:11:56 +0200
+Subject: [PATCH 08/30] virtio: validate num_sg when mapping
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400054952-6106-1-git-send-email-mst@redhat.com>
+Patchwork-id: 58846
+O-Subject: [PATCH qemu-kvm RHEL7.0 1/2] virtio: validate num_sg when mapping
+Bugzilla: 1095765
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+RH-Acked-by: Amos Kong <akong@redhat.com>
+
+CVE-2013-4535
+CVE-2013-4536
+
+Both virtio-block and virtio-serial read,
+VirtQueueElements are read in as buffers, and passed to
+virtqueue_map_sg(), where num_sg is taken from the wire and can force
+writes to indicies beyond VIRTQUEUE_MAX_SIZE.
+
+To fix, validate num_sg.
+
+Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
+
+Tested: lightly on developer's box
+Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7450401
+Bugzilla:1095765
+---
+ hw/virtio/virtio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 686dfbb..2667390 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -423,6 +423,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
+ unsigned int i;
+ hwaddr len;
+
++ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
++ error_report("virtio: map attempt out of bounds: %zd > %d",
++ num_sg, VIRTQUEUE_MAX_SIZE);
++ exit(1);
++ }
++
+ for (i = 0; i < num_sg; i++) {
+ len = sg[i].iov_len;
+ sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+--
+1.7.1
+
diff --git a/SOURCES/kvm-vmstate-add-VMSTATE_VALIDATE.patch b/SOURCES/kvm-vmstate-add-VMSTATE_VALIDATE.patch
new file mode 100644
index 0000000..1c5da7e
--- /dev/null
+++ b/SOURCES/kvm-vmstate-add-VMSTATE_VALIDATE.patch
@@ -0,0 +1,51 @@
+From 1886b0146de0847ff5f81e5d89ba3893bbab63fc Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:24:33 +0200
+Subject: [PATCH 11/30] vmstate: add VMSTATE_VALIDATE
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055633-6261-3-git-send-email-mst@redhat.com>
+Patchwork-id: 58850
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 3/5] vmstate: add VMSTATE_VALIDATE
+Bugzilla: 1095706
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
+---
+ include/migration/vmstate.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/migration/vmstate.h | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
+index 95d1ce6..f2652e6 100644
+--- a/include/migration/vmstate.h
++++ b/include/migration/vmstate.h
+@@ -202,6 +202,14 @@ extern const VMStateInfo vmstate_info_bitmap;
+ .offset = vmstate_offset_value(_state, _field, _type), \
+ }
+
++/* Validate state using a boolean predicate. */
++#define VMSTATE_VALIDATE(_name, _test) { \
++ .name = (_name), \
++ .field_exists = (_test), \
++ .flags = VMS_ARRAY | VMS_MUST_EXIST, \
++ .num = 0, /* 0 elements: no data, only run _test */ \
++}
++
+ #define VMSTATE_POINTER(_field, _state, _version, _info, _type) { \
+ .name = (stringify(_field)), \
+ .version_id = (_version), \
+--
+1.7.1
+
diff --git a/SOURCES/kvm-vmstate-add-VMS_MUST_EXIST.patch b/SOURCES/kvm-vmstate-add-VMS_MUST_EXIST.patch
new file mode 100644
index 0000000..a32264c
--- /dev/null
+++ b/SOURCES/kvm-vmstate-add-VMS_MUST_EXIST.patch
@@ -0,0 +1,76 @@
+From 939cbb6cf8128369e0ca2ec21b33d2fc40699142 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Wed, 14 May 2014 08:24:29 +0200
+Subject: [PATCH 10/30] vmstate: add VMS_MUST_EXIST
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400055633-6261-2-git-send-email-mst@redhat.com>
+Patchwork-id: 58849
+O-Subject: [PATCH qemu-kvm RHEL7.0.z 2/5] vmstate: add VMS_MUST_EXIST
+Bugzilla: 1095706
+RH-Acked-by: Dr. David Alan Gilbert (git) <dgilbert@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Juan Quintela <quintela@redhat.com>
+
+Can be used to verify a required field exists or validate
+state in some other way.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
+---
+ include/migration/vmstate.h | 1 +
+ savevm.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/migration/vmstate.h | 1 +
+ savevm.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
+index 11d93e1..95d1ce6 100644
+--- a/include/migration/vmstate.h
++++ b/include/migration/vmstate.h
+@@ -98,6 +98,7 @@ enum VMStateFlags {
+ VMS_MULTIPLY = 0x200, /* multiply "size" field by field_size */
+ VMS_VARRAY_UINT8 = 0x400, /* Array with size in uint8_t field*/
+ VMS_VARRAY_UINT32 = 0x800, /* Array with size in uint32_t field*/
++ VMS_MUST_EXIST = 0x1000, /* Field must exist in input */
+ };
+
+ typedef struct {
+diff --git a/savevm.c b/savevm.c
+index 6efbb75..5d1b563 100644
+--- a/savevm.c
++++ b/savevm.c
+@@ -1740,6 +1740,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
+ return ret;
+ }
+ }
++ } else if (field->flags & VMS_MUST_EXIST) {
++ fprintf(stderr, "Input validation failed: %s/%s\n",
++ vmsd->name, field->name);
++ return -1;
+ }
+ field++;
+ }
+@@ -1800,6 +1804,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
+ field->info->put(f, addr, size);
+ }
+ }
++ } else {
++ if (field->flags & VMS_MUST_EXIST) {
++ fprintf(stderr, "Output state validation failed: %s/%s\n",
++ vmsd->name, field->name);
++ assert(!(field->flags & VMS_MUST_EXIST));
++ }
+ }
+ field++;
+ }
+--
+1.7.1
+
diff --git a/SOURCES/kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch b/SOURCES/kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch
new file mode 100644
index 0000000..8876661
--- /dev/null
+++ b/SOURCES/kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch
@@ -0,0 +1,110 @@
+From c878c42b892a18de84888766f14107005b4c4466 Mon Sep 17 00:00:00 2001
+From: Michael S. Tsirkin <mst@redhat.com>
+Date: Mon, 19 May 2014 09:57:37 +0200
+Subject: [PATCH 1/2] kvm: zero-initialize KVM_SET_GSI_ROUTING input
+
+RH-Author: Michael S. Tsirkin <mst@redhat.com>
+Message-id: <1400493448-29146-2-git-send-email-mst@redhat.com>
+Patchwork-id: 58948
+O-Subject: [PATCH qemu-kvm RHEL7.1 1/2] kvm: zero-initialize KVM_SET_GSI_ROUTING input
+Bugzilla: 1110693
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Marcel Apfelbaum <marcel.a@redhat.com>
+RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>
+
+kvm_add_routing_entry makes an attempt to
+zero-initialize any new routing entry.
+However, it fails to initialize padding
+within the u field of the structure
+kvm_irq_routing_entry.
+
+Other functions like kvm_irqchip_update_msi_route
+also fail to initialize the padding field in
+kvm_irq_routing_entry.
+
+It's better to just make sure all input is initialized.
+
+Once it is, we can also drop complex field by field assignment and just
+do the simple *a = *b to update a route entry.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+(cherry picked from commit 0fbc20740342713f282b118b4a446c4c43df3f4a)
+---
+ kvm-all.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ kvm-all.c | 19 +++++++------------
+ 1 files changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index adc0a8e..592301a 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -988,11 +988,8 @@ static void kvm_add_routing_entry(KVMState *s,
+ }
+ n = s->irq_routes->nr++;
+ new = &s->irq_routes->entries[n];
+- memset(new, 0, sizeof(*new));
+- new->gsi = entry->gsi;
+- new->type = entry->type;
+- new->flags = entry->flags;
+- new->u = entry->u;
++
++ *new = *entry;
+
+ set_gsi(s, entry->gsi);
+
+@@ -1011,9 +1008,7 @@ static int kvm_update_routing_entry(KVMState *s,
+ continue;
+ }
+
+- entry->type = new_entry->type;
+- entry->flags = new_entry->flags;
+- entry->u = new_entry->u;
++ *entry = *new_entry;
+
+ kvm_irqchip_commit_routes(s);
+
+@@ -1025,7 +1020,7 @@ static int kvm_update_routing_entry(KVMState *s,
+
+ void kvm_irqchip_add_irq_route(KVMState *s, int irq, int irqchip, int pin)
+ {
+- struct kvm_irq_routing_entry e;
++ struct kvm_irq_routing_entry e = {};
+
+ assert(pin < s->gsi_count);
+
+@@ -1138,7 +1133,7 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg)
+ return virq;
+ }
+
+- route = g_malloc(sizeof(KVMMSIRoute));
++ route = g_malloc0(sizeof(KVMMSIRoute));
+ route->kroute.gsi = virq;
+ route->kroute.type = KVM_IRQ_ROUTING_MSI;
+ route->kroute.flags = 0;
+@@ -1159,7 +1154,7 @@ int kvm_irqchip_send_msi(KVMState *s, MSIMessage msg)
+
+ int kvm_irqchip_add_msi_route(KVMState *s, MSIMessage msg)
+ {
+- struct kvm_irq_routing_entry kroute;
++ struct kvm_irq_routing_entry kroute = {};
+ int virq;
+
+ if (!kvm_gsi_routing_enabled()) {
+@@ -1185,7 +1180,7 @@ int kvm_irqchip_add_msi_route(KVMState *s, MSIMessage msg)
+
+ int kvm_irqchip_update_msi_route(KVMState *s, int virq, MSIMessage msg)
+ {
+- struct kvm_irq_routing_entry kroute;
++ struct kvm_irq_routing_entry kroute = {};
+
+ if (!kvm_irqchip_in_kernel()) {
+ return -ENOSYS;
+--
+1.7.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 310a600..6dd3fe0 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -73,7 +73,7 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a FAST! processor emulator
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 60%{?dist}_0.2
+Release: 60%{?dist}.5
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -2228,6 +2228,72 @@ Patch1089: kvm-uhci-UNfix-irq-routing-for-RHEL-6-machtypes-RHEL-onl.patch
Patch1090: kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch
# For bz#1094820 - Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.
Patch1091: kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch
+# For bz#1095677 - CVE-2013-4148 qemu-kvm: qemu: virtio-net: buffer overflow on invalid state load [rhel-7.0.z]
+Patch1092: kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
+# For bz#1095684 - CVE-2013-4149 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on load [rhel-7.0.z]
+Patch1093: kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch
+# For bz#1095689 - CVE-2013-4150 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on invalid state load [rhel-7.0.z]
+Patch1094: kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
+# For bz#1095694 - CVE-2013-4151 qemu-kvm: qemu: virtio: out-of-bounds buffer write on invalid state load [rhel-7.0.z]
+Patch1095: kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
+# For bz#1095737 - CVE-2013-6399 qemu-kvm: qemu: virtio: buffer overrun on incoming migration [rhel-7.0.z]
+Patch1096: kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch
+# For bz#1095741 - CVE-2013-4542 qemu-kvm: qemu: virtio-scsi: buffer overrun on invalid state load [rhel-7.0.z]
+Patch1097: kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
+# For bz#1095782 - CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z]
+Patch1098: kvm-virtio-validate-config_len-on-load.patch
+# For bz#1095765 - CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z]
+Patch1099: kvm-virtio-validate-num_sg-when-mapping.patch
+# For bz#1095765 - CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z]
+Patch1100: kvm-virtio-allow-mapping-up-to-max-queue-size.patch
+# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
+Patch1101: kvm-vmstate-add-VMS_MUST_EXIST.patch
+# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
+Patch1102: kvm-vmstate-add-VMSTATE_VALIDATE.patch
+# For bz#1095706 - CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z]
+Patch1103: kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch
+# For bz#1095714 - CVE-2013-4529 qemu-kvm: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load [rhel-7.0.z]
+Patch1104: kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
+# For bz#1095746 - CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z]
+Patch1105: kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch
+# For bz#1095746 - CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z]
+Patch1106: kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch
+# For bz#1096828 - CVE-2014-3461 qemu-kvm: Qemu: usb: fix up post load checks [rhel-7.0.z]
+Patch1107: kvm-usb-fix-up-post-load-checks.patch
+# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
+Patch1108: kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch
+# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
+Patch1109: kvm-Provide-init-function-for-ram-migration.patch
+# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
+Patch1110: kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch
+# For bz#1110191 - Reduce the migrate cache size during migration causes qemu segment fault
+Patch1111: kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch
+# For bz#1110189 - migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics
+Patch1112: kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch
+# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
+Patch1113: kvm-qcow-correctly-propagate-errors.patch
+# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
+Patch1114: kvm-qcow1-Make-padding-in-the-header-explicit.patch
+# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
+Patch1115: kvm-qcow1-Check-maximum-cluster-size.patch
+# For bz#1097229 - CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z]
+Patch1116: kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
+# For bz#1097236 - CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z]
+Patch1117: kvm-qcow1-Validate-image-size-CVE-2014-0223.patch
+# For bz#1097236 - CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z]
+Patch1118: kvm-qcow1-Stricter-backing-file-length-check.patch
+# For bz#1110219 - Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again
+Patch1119: kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch
+# For bz#1110188 - qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)
+Patch1120: kvm-qcow2-Free-preallocated-zero-clusters.patch
+# For bz#1110188 - qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)
+Patch1121: kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch
+# For bz#1110693 - 2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput
+Patch1122: kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch
+# For bz#1110693 - 2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput
+Patch1123: kvm-skip-system-call-when-msi-route-is-unchanged.patch
+# For bz#1095782 - CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z]
+Patch1124: kvm-Allow-mismatched-virtio-config-len.patch
BuildRequires: zlib-devel
@@ -3521,6 +3587,39 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
%patch1089 -p1
%patch1090 -p1
%patch1091 -p1
+%patch1092 -p1
+%patch1093 -p1
+%patch1094 -p1
+%patch1095 -p1
+%patch1096 -p1
+%patch1097 -p1
+%patch1098 -p1
+%patch1099 -p1
+%patch1100 -p1
+%patch1101 -p1
+%patch1102 -p1
+%patch1103 -p1
+%patch1104 -p1
+%patch1105 -p1
+%patch1106 -p1
+%patch1107 -p1
+%patch1108 -p1
+%patch1109 -p1
+%patch1110 -p1
+%patch1111 -p1
+%patch1112 -p1
+%patch1113 -p1
+%patch1114 -p1
+%patch1115 -p1
+%patch1116 -p1
+%patch1117 -p1
+%patch1118 -p1
+%patch1119 -p1
+%patch1120 -p1
+%patch1121 -p1
+%patch1122 -p1
+%patch1123 -p1
+%patch1124 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -3937,6 +4036,85 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_libdir}/pkgconfig/libcacard.pc
%changelog
+* Wed Jul 02 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.5
+- kvm-Allow-mismatched-virtio-config-len.patch [bz#1095782]
+- Resolves: bz#1095782
+ (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z])
+
+* Wed Jun 18 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.4
+- kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch [bz#1110693]
+- kvm-skip-system-call-when-msi-route-is-unchanged.patch [bz#1110693]
+- Resolves: bz#1110693
+ (2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput)
+
+* Tue Jun 17 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.3
+- kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch [bz#1095677]
+- kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch [bz#1095684]
+- kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch [bz#1095689]
+- kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch [bz#1095694]
+- kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch [bz#1095737]
+- kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095741]
+- kvm-virtio-validate-config_len-on-load.patch [bz#1095782]
+- kvm-virtio-validate-num_sg-when-mapping.patch [bz#1095765]
+- kvm-virtio-allow-mapping-up-to-max-queue-size.patch [bz#1095765]
+- kvm-vmstate-add-VMS_MUST_EXIST.patch [bz#1095706]
+- kvm-vmstate-add-VMSTATE_VALIDATE.patch [bz#1095706]
+- kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095706]
+- kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch [bz#1095714]
+- kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch [bz#1095746]
+- kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch [bz#1095746]
+- kvm-usb-fix-up-post-load-checks.patch [bz#1096828]
+- kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch [bz#1110191]
+- kvm-Provide-init-function-for-ram-migration.patch [bz#1110191]
+- kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch [bz#1110191]
+- kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch [bz#1110191]
+- kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch [bz#1110189]
+- kvm-qcow-correctly-propagate-errors.patch [bz#1097229]
+- kvm-qcow1-Make-padding-in-the-header-explicit.patch [bz#1097229]
+- kvm-qcow1-Check-maximum-cluster-size.patch [bz#1097229]
+- kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch [bz#1097229]
+- kvm-qcow1-Validate-image-size-CVE-2014-0223.patch [bz#1097236]
+- kvm-qcow1-Stricter-backing-file-length-check.patch [bz#1097236]
+- kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch [bz#1110219]
+- kvm-qcow2-Free-preallocated-zero-clusters.patch [bz#1110188]
+- kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch [bz#1110188]
+- Resolves: bz#1095677
+ (CVE-2013-4148 qemu-kvm: qemu: virtio-net: buffer overflow on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095684
+ (CVE-2013-4149 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on load [rhel-7.0.z])
+- Resolves: bz#1095689
+ (CVE-2013-4150 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095694
+ (CVE-2013-4151 qemu-kvm: qemu: virtio: out-of-bounds buffer write on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095706
+ (CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095714
+ (CVE-2013-4529 qemu-kvm: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095737
+ (CVE-2013-6399 qemu-kvm: qemu: virtio: buffer overrun on incoming migration [rhel-7.0.z])
+- Resolves: bz#1095741
+ (CVE-2013-4542 qemu-kvm: qemu: virtio-scsi: buffer overrun on invalid state load [rhel-7.0.z])
+- Resolves: bz#1095746
+ (CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.0.z])
+- Resolves: bz#1095765
+ (CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.0.z])
+- Resolves: bz#1095782
+ (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.0.z])
+- Resolves: bz#1096828
+ (CVE-2014-3461 qemu-kvm: Qemu: usb: fix up post load checks [rhel-7.0.z])
+- Resolves: bz#1097229
+ (CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.0.z])
+- Resolves: bz#1097236
+ (CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.0.z])
+- Resolves: bz#1110188
+ (qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi))
+- Resolves: bz#1110189
+ (migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics)
+- Resolves: bz#1110191
+ (Reduce the migrate cache size during migration causes qemu segment fault)
+- Resolves: bz#1110219
+ (Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again)
+
* Wed May 07 2014 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-60.el7_0.2
- kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch [bz#1094820]
- Resolves: bz#1094820