From ef34be9e7289f9dbeb655f4f36f68dade476bbc6 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Aug 09 2016 00:05:39 +0000 Subject: Rebase to qemu 2.7.0-rc2 * kvm_stat was moved to the kernel tree * trace-events renamed to trace-events-all * several new pxe roms added --- diff --git a/0001-spice-F24-spice-has-backported-gl-support.patch b/0001-spice-F24-spice-has-backported-gl-support.patch deleted file mode 100644 index 0895003..0000000 --- a/0001-spice-F24-spice-has-backported-gl-support.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Pavel Grunt -Date: Fri, 11 Mar 2016 14:40:59 +0100 -Subject: [PATCH] spice: F24 spice has backported gl support - -Not for upstream, this just adjusts the version check to work with -f24 backported spice gl support ---- - include/ui/spice-display.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h -index 30ccfe3..00e4a0b 100644 ---- a/include/ui/spice-display.h -+++ b/include/ui/spice-display.h -@@ -25,7 +25,7 @@ - #include "sysemu/sysemu.h" - - #if defined(CONFIG_OPENGL_DMABUF) --# if SPICE_SERVER_VERSION >= 0x000d01 /* release 0.13.1 */ -+# if SPICE_SERVER_VERSION >= 0x000c07 /* release 0.12.7 */ - # define HAVE_SPICE_GL 1 - # include "ui/egl-helpers.h" - # include "ui/egl-context.h" diff --git a/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch b/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch deleted file mode 100644 index e78c973..0000000 --- a/0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From: Cole Robinson -Date: Thu, 5 May 2016 19:39:38 -0400 -Subject: [PATCH] ui: gtk: fix crash when terminal inner-border is NULL - -VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90) -code checks for the condition too so I assume it's not just a bug - -Fixes a crash on Fedora 24 with gtk 3.20 ---- - ui/gtk.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/ui/gtk.c b/ui/gtk.c -index f372a6d..9876d89 100644 ---- a/ui/gtk.c -+++ b/ui/gtk.c -@@ -340,10 +340,12 @@ static void gd_update_geometry_hints(VirtualConsole *vc) - geo.min_height = geo.height_inc * VC_TERM_Y_MIN; - mask |= GDK_HINT_MIN_SIZE; - gtk_widget_style_get(vc->vte.terminal, "inner-border", &ib, NULL); -- geo.base_width += ib->left + ib->right; -- geo.base_height += ib->top + ib->bottom; -- geo.min_width += ib->left + ib->right; -- geo.min_height += ib->top + ib->bottom; -+ if (ib) { -+ geo.base_width += ib->left + ib->right; -+ geo.base_height += ib->top + ib->bottom; -+ geo.min_width += ib->left + ib->right; -+ geo.min_height += ib->top + ib->bottom; -+ } - geo_widget = vc->vte.terminal; - #endif - } diff --git a/0003-ui-sdl2-Release-grab-before-opening-console-window.patch b/0003-ui-sdl2-Release-grab-before-opening-console-window.patch deleted file mode 100644 index 2f86e27..0000000 --- a/0003-ui-sdl2-Release-grab-before-opening-console-window.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: Cole Robinson -Date: Fri, 6 May 2016 12:36:46 -0400 -Subject: [PATCH] ui: sdl2: Release grab before opening console window - -sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire -rapidly in succession: - - https://bugzilla.libsdl.org/show_bug.cgi?id=3287 - -It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an -odd or even number of times, thus determining whether the action -succeeds or fails. - -Opening monitor/serial windows is doubly broken, since it will often -lock the UI trying to grab the pointer: - - 0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0 - 0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0 - 0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593 - -We can work around that hang by ungrabbing the pointer before launching -a new window. This roughly matches what our sdl1 code does ---- - ui/sdl2.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ui/sdl2.c b/ui/sdl2.c -index d042442..909038f 100644 ---- a/ui/sdl2.c -+++ b/ui/sdl2.c -@@ -357,6 +357,10 @@ static void handle_keydown(SDL_Event *ev) - case SDL_SCANCODE_7: - case SDL_SCANCODE_8: - case SDL_SCANCODE_9: -+ if (gui_grab) { -+ sdl_grab_end(scon); -+ } -+ - win = ev->key.keysym.scancode - SDL_SCANCODE_1; - if (win < sdl2_num_outputs) { - sdl2_console[win].hidden = !sdl2_console[win].hidden; 
diff --git a/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch b/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch deleted file mode 100644 index b51d5b6..0000000 --- a/0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Cole Robinson -Date: Wed, 18 May 2016 11:44:33 -0400 -Subject: [PATCH] ui: spice: Exit if gl=on EGL init fails - -The user explicitly requested spice GL, so if we know it isn't -going to work we should exit - -Signed-off-by: Cole Robinson ---- - ui/spice-core.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/ui/spice-core.c b/ui/spice-core.c -index 61db3c1..da05054 100644 ---- a/ui/spice-core.c -+++ b/ui/spice-core.c -@@ -833,9 +833,11 @@ void qemu_spice_init(void) - "incompatible with -spice port/tls-port"); - exit(1); - } -- if (egl_rendernode_init() == 0) { -- display_opengl = 1; -+ if (egl_rendernode_init() != 0) { -+ error_report("Failed to initialize EGL render node for SPICE GL"); -+ exit(1); - } -+ display_opengl = 1; - } - #endif - } diff --git a/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch b/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch deleted file mode 100644 index a7f68c4..0000000 --- a/0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From: Gerd Hoffmann -Date: Wed, 3 Feb 2016 13:55:00 +0100 -Subject: [PATCH] spice/gl: add & use qemu_spice_gl_monitor_config -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Cc: qemu-stable@nongnu.org -Signed-off-by: Gerd Hoffmann -Reviewed-by: Marc-André Lureau -(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0) ---- - include/ui/spice-display.h | 1 + - ui/spice-display.c | 30 ++++++++++++++++++++++++++++++ - 2 files changed, 31 insertions(+) - -diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h -index 00e4a0b..3c679e8 100644 ---- a/include/ui/spice-display.h -+++ b/include/ui/spice-display.h -@@ -71,6 +71,7 @@ typedef struct QXLCookie { - QXLRect area; - int redraw; - } render; -+ void *data; - } u; - } QXLCookie; - -diff --git a/ui/spice-display.c b/ui/spice-display.c -index 242ab5f..2a77a54 100644 ---- a/ui/spice-display.c -+++ b/ui/spice-display.c -@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token) - qemu_bh_schedule(ssd->gl_unblock_bh); - break; - } -+ case QXL_COOKIE_TYPE_IO: -+ if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) { -+ g_free(cookie->u.data); -+ } -+ break; - #endif - default: - /* should never be called, used in qxl native mode only */ -@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = { - - #ifdef HAVE_SPICE_GL - -+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd, -+ int x, int y, int w, int h) -+{ -+ QXLMonitorsConfig *config; -+ QXLCookie *cookie; -+ -+ config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead)); -+ config->count = 1; -+ config->max_allowed = 1; -+ config->heads[0].x = x; -+ config->heads[0].y = y; -+ config->heads[0].width = w; -+ config->heads[0].height = h; -+ cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO, -+ QXL_IO_MONITORS_CONFIG_ASYNC); -+ cookie->u.data = config; -+ -+ spice_qxl_monitors_config_async(&ssd->qxl, -+ 
(uintptr_t)config, -+ MEMSLOT_GROUP_HOST, -+ (uintptr_t)cookie); -+} -+ - static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block) - { - uint64_t timeout; -@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl, - surface_width(ssd->ds), - surface_height(ssd->ds), - stride, fourcc, y_0_top); -+ -+ qemu_spice_gl_monitor_config(ssd, x, y, w, h); - } - - static void qemu_spice_gl_update(DisplayChangeListener *dcl, diff --git a/0006-i386-kvmvapic-initialise-imm32-variable.patch b/0006-i386-kvmvapic-initialise-imm32-variable.patch deleted file mode 100644 index 67175b2..0000000 --- a/0006-i386-kvmvapic-initialise-imm32-variable.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 7 Apr 2016 12:50:08 +0530 -Subject: [PATCH] i386: kvmvapic: initialise imm32 variable - -When processing Task Priorty Register(TPR) access, it could leak -automatic stack variable 'imm32' in patch_instruction(). -Initialise the variable to avoid it. - -Reported by: Donghai Zdh -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini - -(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0) ---- - hw/i386/kvmvapic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c69f374..ff1e31a 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) - CPUX86State *env = &cpu->env; - VAPICHandlers *handlers; - uint8_t opcode[2]; -- uint32_t imm32; -+ uint32_t imm32 = 0; - target_ulong current_pc = 0; - target_ulong current_cs_base = 0; - int current_flags = 0; diff --git a/0007-esp-check-command-buffer-length-before-write-CVE-201.patch b/0007-esp-check-command-buffer-length-before-write-CVE-201.patch deleted file mode 100644 index c4dc4ca..0000000 
--- a/0007-esp-check-command-buffer-length-before-write-CVE-201.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:30 +0530 -Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. While -writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check -was missing to validate input length. Add check to avoid OOB write -access. - -Fixes CVE-2016-4439. - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) ---- - hw/scsi/esp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 8961be2..01497e6 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - break; - case ESP_FIFO: - if (s->do_cmd) { -- s->cmdbuf[s->cmdlen++] = val & 0xff; -+ if (s->cmdlen < TI_BUFSZ) { -+ s->cmdbuf[s->cmdlen++] = val & 0xff; -+ } else { -+ trace_esp_error_fifo_overrun(); -+ } - } else if (s->ti_size == TI_BUFSZ - 1) { - trace_esp_error_fifo_overrun(); - } else { diff --git a/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch b/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch deleted file mode 100644 index a9ffaee..0000000 --- a/0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:31 +0530 -Subject: [PATCH] esp: check dma length before reading scsi - command(CVE-2016-4441) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. -Routine get_cmd() uses DMA to read scsi commands into this buffer. -Add check to validate DMA length against buffer size to avoid any -overrun. - -Fixes CVE-2016-4441. - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90) ---- - hw/scsi/esp.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 01497e6..591c817 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) - } - } - --static uint32_t get_cmd(ESPState *s, uint8_t *buf) -+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) - { - uint32_t dmalen; - int target; -@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) - dmalen = s->rregs[ESP_TCLO]; - dmalen |= s->rregs[ESP_TCMID] << 8; - dmalen |= s->rregs[ESP_TCHI] << 16; -+ if (dmalen > buflen) { -+ return 0; -+ } - s->dma_memory_read(s->dma_opaque, buf, dmalen); - } else { - dmalen = s->ti_size; -@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) - s->dma_cb = handle_satn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) - do_cmd(s, buf); - } -@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) - s->dma_cb = handle_s_without_atn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) { - do_busid_cmd(s, buf, 0); - } -@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) - s->dma_cb = handle_satn_stop; - return; - } -- 
s->cmdlen = get_cmd(s, s->cmdbuf); -+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); - if (s->cmdlen) { - trace_esp_handle_satn_stop(s->cmdlen); - s->do_cmd = 1; diff --git a/0009-vga-add-sr_vbe-register-set.patch b/0009-vga-add-sr_vbe-register-set.patch deleted file mode 100644 index 8494fc8..0000000 --- a/0009-vga-add-sr_vbe-register-set.patch +++ /dev/null 
@@ -1,233 +0,0 @@ -From: Gerd Hoffmann -Date: Tue, 17 May 2016 10:54:54 +0200 -Subject: [PATCH] vga: add sr_vbe register set - -Commit "fd3c136 vga: make sure vga register setup for vbe stays intact -(CVE-2016-3712)." causes a regression. The win7 installer is unhappy -because it can't freely modify vga registers any more while in vbe mode. - -This patch introduces a new sr_vbe register set. The vbe_update_vgaregs -will fill sr_vbe[] instead of sr[]. Normal vga register reads and -writes go to sr[]. Any sr register read access happens through a new -sr() helper function which will read from sr_vbe[] with vbe active and -from sr[] otherwise. - -This way we can allow guests update sr[] registers as they want, without -allowing them disrupt vbe video modes that way. - -Cc: qemu-stable@nongnu.org -Reported-by: Thomas Lamprecht -Signed-off-by: Gerd Hoffmann -Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com -(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd) ---- - hw/display/vga.c | 50 ++++++++++++++++++++++++++++---------------------- - hw/display/vga_int.h | 1 + - 2 files changed, 29 insertions(+), 22 deletions(-) - -diff --git a/hw/display/vga.c b/hw/display/vga.c -index 4a55ec6..9ebc54f 100644 ---- a/hw/display/vga.c -+++ b/hw/display/vga.c -@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s) - return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; - } - -+static inline uint8_t sr(VGACommonState *s, int idx) -+{ -+ return vbe_enabled(s) ? 
s->sr_vbe[idx] : s->sr[idx]; -+} -+ - static void vga_update_memory_access(VGACommonState *s) - { - hwaddr base, offset, size; -@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s) - s->has_chain4_alias = false; - s->plane_updated = 0xf; - } -- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) == -- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { -+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) == -+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { - offset = 0; - switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) { - case 0: -@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s) - ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8); - vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf; - -- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1; -+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1; - clock_sel = (s->msr >> 2) & 3; - dots = (s->msr & 1) ? 8 : 9; - -@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val) - printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); - #endif - s->sr[s->sr_index] = val & sr_mask[s->sr_index]; -- vbe_update_vgaregs(s); - if (s->sr_index == VGA_SEQ_CLOCK_MODE) { - s->update_retrace_info(s); - } -@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s) - - if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { - shift_control = 0; -- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ -+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ - } else { - shift_control = 2; - /* set chain 4 mode */ -- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; -+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; - /* activate all planes */ -- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; -+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; - } - s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | - (shift_control << 5); -@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr) - 
break; - } - -- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { -+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { - /* chain 4 mode : simplest access */ - assert(addr < s->vram_size); - ret = s->vram_ptr[addr]; -@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) - break; - } - -- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { -+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) { - /* chain 4 mode : simplest access */ - plane = addr & 3; - mask = (1 << plane); -- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { -+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { - assert(addr < s->vram_size); - s->vram_ptr[addr] = val; - #ifdef DEBUG_VGA_MEM -@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) - /* odd/even mode (aka text mode mapping) */ - plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); - mask = (1 << plane); -- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { -+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) { - addr = ((addr & ~1) << 1) | plane; - if (addr >= s->vram_size) { - return; -@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) - - do_write: - /* mask data according to sr[2] */ -- mask = s->sr[VGA_SEQ_PLANE_WRITE]; -+ mask = sr(s, VGA_SEQ_PLANE_WRITE); - s->plane_updated |= mask; /* only used to detect font change */ - write_mask = mask16[mask]; - if (addr * sizeof(uint32_t) >= s->vram_size) { -@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight - /* total width & height */ - cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; - cwidth = 8; -- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { -+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { - cwidth = 9; - } -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { - cwidth = 16; /* NOTE: no 18 pixel wide */ - } - width = (s->cr[VGA_CRTC_H_DISP] + 1); -@@ -1197,7 +1201,7 @@ static void 
vga_draw_text(VGACommonState *s, int full_update) - int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL); - - /* compute font data address (in plane 2) */ -- v = s->sr[VGA_SEQ_CHARACTER_MAP]; -+ v = sr(s, VGA_SEQ_CHARACTER_MAP); - offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2; - if (offset != s->font_offsets[0]) { - s->font_offsets[0] = offset; -@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) - } - - if (shift_control == 0) { -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { - disp_width <<= 1; - } - } else if (shift_control == 1) { -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { - disp_width <<= 1; - } - } -@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) - - if (shift_control == 0) { - full_update |= update_palette16(s); -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { - v = VGA_DRAW_LINE4D2; - } else { - v = VGA_DRAW_LINE4; -@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) - bits = 4; - } else if (shift_control == 1) { - full_update |= update_palette16(s); -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) { - v = VGA_DRAW_LINE2D2; - } else { - v = VGA_DRAW_LINE2; -@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) - #if 0 - printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n", - width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE], -- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]); -+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE)); - #endif - addr1 = (s->start_addr * 4); - bwidth = (width * bits + 7) / 8; -@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s) - { - s->sr_index = 0; - memset(s->sr, '\0', sizeof(s->sr)); -+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe)); - s->gr_index = 0; - memset(s->gr, '\0', sizeof(s->gr)); - 
s->ar_index = 0; -@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata) - /* total width & height */ - cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1; - cw = 8; -- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) { -+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) { - cw = 9; - } -- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) { -+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) { - cw = 16; /* NOTE: no 18 pixel wide */ - } - width = (s->cr[VGA_CRTC_H_DISP] + 1); -@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id) - - /* force refresh */ - s->graphic_mode = -1; -+ vbe_update_vgaregs(s); - return 0; - } - -diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h -index bdb43a5..3ce5544 100644 ---- a/hw/display/vga_int.h -+++ b/hw/display/vga_int.h -@@ -98,6 +98,7 @@ typedef struct VGACommonState { - MemoryRegion chain4_alias; - uint8_t sr_index; - uint8_t sr[256]; -+ uint8_t sr_vbe[256]; - uint8_t gr_index; - uint8_t gr[256]; - uint8_t ar_index; diff --git a/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch b/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch deleted file mode 100644 index 0663a06..0000000 --- a/0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From: Cole Robinson -Date: Thu, 26 May 2016 09:55:21 -0400 -Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM - -If you try to gic-version=host with TCG on a KVM aarch64 host, -qemu segfaults, since host requires KVM APIs. - -Explicitly reject gic-version=host if KVM is not enabled - -https://bugzilla.redhat.com/show_bug.cgi?id=1339977 -(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e) ---- - hw/arm/virt.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/arm/virt.c b/hw/arm/virt.c -index 56d35c7..a535285 100644 ---- a/hw/arm/virt.c -+++ b/hw/arm/virt.c -@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine) - * KVM is not available yet - */ - if (!gic_version) { -+ if (!kvm_enabled()) { -+ error_report("gic-version=host requires KVM"); -+ exit(1); -+ } -+ - gic_version = kvm_arm_vgic_probe(); - if (!gic_version) { - error_report("Unable to determine GIC version supported by host"); -- error_printf("KVM acceleration is probably not supported\n"); - exit(1); - } - } diff --git a/0011-net-mipsnet-check-packet-length-against-buffer.patch b/0011-net-mipsnet-check-packet-length-against-buffer.patch deleted file mode 100644 index 3e2aac7..0000000 --- a/0011-net-mipsnet-check-packet-length-against-buffer.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 7 Apr 2016 15:56:02 +0530 -Subject: [PATCH] net: mipsnet: check packet length against buffer - -When receiving packets over MIPSnet network device, it uses -receive buffer of size 1514 bytes. In case the controller -accepts large(MTU) packets, it could lead to memory corruption. -Add check to avoid it. - -Reported by: Oleksandr Bazhaniuk -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang - -(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f) ---- - hw/net/mipsnet.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c -index 740cd98..cf8b823 100644 ---- a/hw/net/mipsnet.c -+++ b/hw/net/mipsnet.c -@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si - if (!mipsnet_can_receive(nc)) - return 0; - -+ if (size >= sizeof(s->rx_buffer)) { -+ return 0; -+ } - s->busy = 1; - - /* Just accept everything. */ diff --git a/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch deleted file mode 100644 index 9e4c4d7..0000000 --- a/0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From: Prasad J Pandit -Date: Mon, 23 May 2016 16:18:05 +0530 -Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size - (CVE-2016-4952) - -Vmware Paravirtual SCSI emulation uses command descriptors to -process SCSI commands. These descriptors come with their ring -buffers. A guest could set the ring buffer size to an arbitrary -value leading to OOB access issue. Add check to avoid it. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com> -Reviewed-by: Shmulik Ladkani -Reviewed-by: Dmitry Fleytman -Signed-off-by: Paolo Bonzini -(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff) ---- - hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- - 1 file changed, 20 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index e690b4e..e1d6d06 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input) - return log; - } - --static void -+static int - pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - { - int i; -@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - uint32_t req_ring_size, cmp_ring_size; - m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; - -+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) -+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { -+ return -1; -+ } - req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; - txr_len_log2 = pvscsi_log2(req_ring_size - 1); -@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - - /* Flush ring state page changes */ - smp_wmb(); -+ -+ return 0; - } - --static void -+static int - pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - { - int i; - 
uint32_t len_log2; - uint32_t ring_size; - -+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { -+ return -1; -+ } - ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; - len_log2 = pvscsi_log2(ring_size - 1); - -@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - - /* Flush ring state page changes */ - smp_wmb(); -+ -+ return 0; - } - - static void -@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) - trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); - - pvscsi_dbg_dump_tx_rings_config(rc); -- pvscsi_ring_init_data(&s->rings, rc); -+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } -+ - s->rings_info_valid = TRUE; - return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; - } -@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s) - } - - if (s->rings_info_valid) { -- pvscsi_ring_init_msg(&s->rings, rc); -+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } - s->msg_ring_info_valid = TRUE; - } - return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); diff --git a/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch b/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch deleted file mode 100644 index 40d736d..0000000 --- a/0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 24 May 2016 13:37:44 +0530 -Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests - -The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically -looks for requests and fetches them. A loop doing that in -mptsas_fetch_requests() could run infinitely if 's->state' was -not operational. Move check to avoid such a loop. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd) ---- - hw/scsi/mptsas.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c -index 499c146..be88e16 100644 ---- a/hw/scsi/mptsas.c -+++ b/hw/scsi/mptsas.c -@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s) - hwaddr addr; - int size; - -- if (s->state != MPI_IOC_STATE_OPERATIONAL) { -- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE); -- return; -- } -- - /* Read the message header from the guest first. */ - addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post); - pci_dma_read(pci, addr, req, sizeof(hdr)); -@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque) - { - MPTSASState *s = opaque; - -+ if (s->state != MPI_IOC_STATE_OPERATIONAL) { -+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE); -+ return; -+ } - while (!MPTSAS_FIFO_EMPTY(s, request_post)) { - mptsas_fetch_request(s); - } diff --git a/0014-scsi-megasas-use-appropriate-property-buffer-size.patch b/0014-scsi-megasas-use-appropriate-property-buffer-size.patch deleted file mode 100644 index b38c361..0000000 --- a/0014-scsi-megasas-use-appropriate-property-buffer-size.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 25 May 2016 16:01:29 +0530 -Subject: [PATCH] scsi: megasas: use appropriate property buffer size - -When setting MegaRAID SAS controller properties via MegaRAID -Firmware Interface(MFI) commands, a user supplied size parameter -is used to set property value. Use appropriate size value to avoid -OOB access issues. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731) ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index a63a581..dcbd3e1 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) - dcmd_size); - return MFI_STAT_INVALID_PARAMETER; - } -- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg); -+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); - trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); - return MFI_STAT_OK; - } diff --git a/0015-scsi-megasas-initialise-local-configuration-data-buf.patch b/0015-scsi-megasas-initialise-local-configuration-data-buf.patch deleted file mode 100644 index fb33b43..0000000 --- a/0015-scsi-megasas-initialise-local-configuration-data-buf.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From: Prasad J Pandit
-Date: Wed, 25 May 2016 17:41:44 +0530
-Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index dcbd3e1..bf642d4 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
-
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
-- uint8_t data[4096];
-+ uint8_t data[4096] = { 0 };
- struct mfi_config_data *info;
- int num_pd_disks = 0, array_offset, ld_offset;
- BusChild *kid;
diff --git a/0016-scsi-megasas-check-read_queue_head-index-value.patch b/0016-scsi-megasas-check-read_queue_head-index-value.patch
deleted file mode 100644
index 6dae842..0000000
--- a/0016-scsi-megasas-check-read_queue_head-index-value.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Prasad J Pandit
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Alexander Graf
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
----
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index bf642d4..cc66d36 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
- pa_hi = le32_to_cpu(initq->pi_addr_hi);
- s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
- flags = le32_to_cpu(initq->flags);
- if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
- s->flags |= MEGASAS_MASK_USE_QUEUE64;
diff --git a/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
deleted file mode 100644
index d200db7..0000000
--- a/0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
-changes the fifo registers afterwards. Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (!s->config || !s->enable) {
- return 0;
- }
-+
-+ /* Check range and alignment. */
-+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ return 0;
-+ }
-+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ return 0;
-+ }
-+ if (CMD(max) > SVGA_FIFO_SIZE) {
-+ return 0;
-+ }
-+ if (CMD(max) < CMD(min) + 10 * 1024) {
-+ return 0;
-+ }
-+
- num = CMD(next_cmd) - CMD(stop);
- if (num < 0) {
- num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
- case SVGA_REG_CONFIG_DONE:
- if (value) {
- s->fifo = (uint32_t *) s->fifo_ptr;
-- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-- break;
-- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-- break;
-- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-- break;
-- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-- break;
-- }
- vga_dirty_log_stop(&s->vga);
- }
- s->config = !!value;
diff --git a/0018-vmsvga-add-more-fifo-checks.patch b/0018-vmsvga-add-more-fifo-checks.patch
deleted file mode 100644
index 16ef5f0..0000000
--- a/0018-vmsvga-add-more-fifo-checks.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:19 +0200
-Subject: [PATCH] vmsvga: add more fifo checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Make sure all fifo ptrs are within range.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
-(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
----
- hw/display/vmware_vga.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..a26e62e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-+ if (CMD(max) > SVGA_FIFO_SIZE ||
-+ CMD(min) >= SVGA_FIFO_SIZE ||
-+ CMD(stop) >= SVGA_FIFO_SIZE ||
-+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
- return 0;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
diff --git a/0019-vmsvga-shadow-fifo-registers.patch b/0019-vmsvga-shadow-fifo-registers.patch
deleted file mode 100644
index 54b6416..0000000
--- a/0019-vmsvga-shadow-fifo-registers.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:20 +0200
-Subject: [PATCH] vmsvga: shadow fifo registers
-
-The fifo is normal ram. So kvm vcpu threads and qemu iothread can
-access the fifo in parallel without syncronization. Which in turn
-implies we can't use the fifo pointers in-place because the guest
-can try changing them underneath us. So add shadows for them, to
-make sure the guest can't modify them after we've applied sanity
-checks.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
-(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
----
- hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index a26e62e..de2567b 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -66,17 +66,11 @@ struct vmsvga_state_s {
- uint8_t *fifo_ptr;
- unsigned int fifo_size;
-
-- union {
-- uint32_t *fifo;
-- struct QEMU_PACKED {
-- uint32_t min;
-- uint32_t max;
-- uint32_t next_cmd;
-- uint32_t stop;
-- /* Add registers here when adding capabilities. */
-- uint32_t fifo[0];
-- } *cmd;
-- };
-+ uint32_t *fifo;
-+ uint32_t fifo_min;
-+ uint32_t fifo_max;
-+ uint32_t fifo_next;
-+ uint32_t fifo_stop;
-
- #define REDRAW_FIFO_LEN 512
- struct vmsvga_rect_s {
-@@ -198,7 +192,7 @@ enum {
- */
- SVGA_FIFO_MIN = 0,
- SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
-- SVGA_FIFO_NEXT_CMD,
-+ SVGA_FIFO_NEXT,
- SVGA_FIFO_STOP,
-
- /*
-@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
- }
- #endif
-
--#define CMD(f) le32_to_cpu(s->cmd->f)
--
- static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- {
- int num;
-@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- return 0;
- }
-
-+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
-+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
-+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
-+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
-+
- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
- return 0;
- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ if (s->fifo_min < sizeof(uint32_t) * 4) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE ||
-- CMD(min) >= SVGA_FIFO_SIZE ||
-- CMD(stop) >= SVGA_FIFO_SIZE ||
-- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-+ if (s->fifo_max > SVGA_FIFO_SIZE ||
-+ s->fifo_min >= SVGA_FIFO_SIZE ||
-+ s->fifo_stop >= SVGA_FIFO_SIZE ||
-+ s->fifo_next >= SVGA_FIFO_SIZE) {
- return 0;
- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
- return 0;
- }
-
-- num = CMD(next_cmd) - CMD(stop);
-+ num = s->fifo_next - s->fifo_stop;
- if (num < 0) {
-- num += CMD(max) - CMD(min);
-+ num += s->fifo_max - s->fifo_min;
- }
- return num >> 2;
- }
-
- static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
- {
-- uint32_t cmd = s->fifo[CMD(stop) >> 2];
-+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
-
-- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-- if (CMD(stop) >= CMD(max)) {
-- s->cmd->stop = s->cmd->min;
-+ s->fifo_stop += 4;
-+ if (s->fifo_stop >= s->fifo_max) {
-+ s->fifo_stop = s->fifo_min;
- }
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- return cmd;
- }
-
-@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- len = vmsvga_fifo_length(s);
- while (len > 0) {
- /* May need to go back to the start of the command if incomplete */
-- cmd_start = s->cmd->stop;
-+ cmd_start = s->fifo_stop;
-
- switch (cmd = vmsvga_fifo_read(s)) {
- case SVGA_CMD_UPDATE:
-@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- break;
-
- rewind:
-- s->cmd->stop = cmd_start;
-+ s->fifo_stop = cmd_start;
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- break;
- }
- }
diff --git a/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
deleted file mode 100644
index 37dd5e6..0000000
--- a/0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off. So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index de2567b..e51a05e 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
- uint32_t cmd, colour;
-- int args, len;
-+ int args, len, maxloop = 1024;
- int x, y, dx, dy, width, height;
- struct vmsvga_cursor_definition_s cursor;
- uint32_t cmd_start;
-
- len = vmsvga_fifo_length(s);
-- while (len > 0) {
-+ while (len > 0 && --maxloop > 0) {
- /* May need to go back to the start of the command if incomplete */
- cmd_start = s->fifo_stop;
-
diff --git a/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
deleted file mode 100644
index 80c8c37..0000000
--- a/0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Peter Lieven
-Date: Tue, 24 May 2016 10:59:28 +0200
-Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
-
-at least in the path via virtio-blk the maximum size is not
-restricted.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Lieven
-Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
----
- block/iscsi.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 302baf8..172e6cf 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
- return &acb->common;
- }
-
-+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
-+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
-+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
-+ qemu_aio_unref(acb);
-+ return NULL;
-+ }
-+
- acb->task = malloc(sizeof(struct scsi_task));
- if (acb->task == NULL) {
- error_report("iSCSI: Failed to allocate task for scsi command. %s",
diff --git a/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch b/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
deleted file mode 100644
index eba1a41..0000000
--- a/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Prasad J Pandit
-Date: Tue, 31 May 2016 23:23:27 +0530
-Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
-command into a buffer. Add check to validate command length against
-buffer size to avoid any overrun.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
----
- hw/scsi/esp.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 591c817..c2f6f8f 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- s->dma_memory_read(s->dma_opaque, buf, dmalen);
- } else {
- dmalen = s->ti_size;
-+ if (dmalen > TI_BUFSZ) {
-+ return 0;
-+ }
- memcpy(buf, s->ti_buf, dmalen);
- buf[0] = buf[2] >> 5;
- }
diff --git a/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch b/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
deleted file mode 100644
index bd8f5da..0000000
--- a/0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Paolo Bonzini
-Date: Tue, 14 Jun 2016 15:10:24 +0200
-Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
-
-The FIFO contains two bytes; hence the write ptr should be two bytes ahead
-of the read pointer.
-
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
----
- hw/scsi/esp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index c2f6f8f..6407844 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
- } else {
- s->ti_size = 2;
- s->ti_rptr = 0;
-- s->ti_wptr = 0;
-+ s->ti_wptr = 2;
- s->rregs[ESP_RFLAGS] = 2;
- }
- esp_raise_irq(s);
diff --git a/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch b/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
deleted file mode 100644
index e88d722..0000000
--- a/0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Paolo Bonzini
-Date: Wed, 15 Jun 2016 14:29:33 +0200
-Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
-
-Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
-has the same code that handle_ti contains after the call to esp_do_dma;
-but the code in handle_ti is never reached because it is in an "else if".
-Remove the else and also the pointless return.
-
-esp_do_dma also has a partially dead assignment of the to_device
-variable. Sink it to the point where it's actually used.
-
-Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
-only transfers data and not a command. This is true because get_cmd
-cancels the old request synchronously before its caller handle_satn_stop
-sets do_cmd to 1.
-
-Reviewed-by: Laszlo Ersek
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
----
- hw/scsi/esp.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 6407844..68d3e4d 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
- uint32_t len;
- int to_device;
-
-- to_device = (s->ti_size < 0);
- len = s->dma_left;
- if (s->do_cmd) {
- trace_esp_do_dma(s->cmdlen, len);
- s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-- s->ti_size = 0;
-- s->cmdlen = 0;
-- s->do_cmd = 0;
-- do_cmd(s, s->cmdbuf);
- return;
- }
- if (s->async_len == 0) {
-@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
- if (len > s->async_len) {
- len = s->async_len;
- }
-+ to_device = (s->ti_size < 0);
- if (to_device) {
- s->dma_memory_read(s->dma_opaque, s->async_buf, len);
- } else {
-@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
- {
- ESPState *s = req->hba_private;
-
-+ assert(!s->do_cmd);
- trace_esp_transfer_data(s->dma_left, s->ti_size);
- s->async_len = len;
- s->async_buf = scsi_req_get_buf(req);
-@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
- s->dma_left = minlen;
- s->rregs[ESP_RSTAT] &= ~STAT_TC;
- esp_do_dma(s);
-- } else if (s->do_cmd) {
-+ }
-+ if (s->do_cmd) {
- trace_esp_handle_ti_cmd(s->cmdlen);
- s->ti_size = 0;
- s->cmdlen = 0;
- s->do_cmd = 0;
- do_cmd(s, s->cmdbuf);
-- return;
- }
- }
-
diff --git a/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
deleted file mode 100644
index e999e83..0000000
--- a/0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From: Prasad J Pandit
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes. Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
----
- hw/scsi/esp.c | 6 ++++--
- include/hw/scsi/esp.h | 3 ++-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 68d3e4d..b4601ad 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
- len = s->dma_left;
- if (s->do_cmd) {
- trace_esp_do_dma(s->cmdlen, len);
-+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+ len <= sizeof(s->cmdbuf) - s->cmdlen);
- s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
- return;
- }
-@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
- s->dma_counter = dmalen;
-
- if (s->do_cmd)
-- minlen = (dmalen < 32) ? dmalen : 32;
-+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
- else if (s->ti_size < 0)
- minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
- else
-@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
- break;
- case ESP_FIFO:
- if (s->do_cmd) {
-- if (s->cmdlen < TI_BUFSZ) {
-+ if (s->cmdlen < ESP_CMDBUF_SZ) {
- s->cmdbuf[s->cmdlen++] = val & 0xff;
- } else {
- trace_esp_error_fifo_overrun();
-diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
-index 6c79527..d2c4886 100644
---- a/include/hw/scsi/esp.h
-+++ b/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
-
- #define ESP_REGS 16
- #define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
-
- typedef struct ESPState ESPState;
-
-@@ -31,7 +32,7 @@ struct ESPState {
- SCSIBus bus;
- SCSIDevice *current_dev;
- SCSIRequest *current_req;
-- uint8_t cmdbuf[TI_BUFSZ];
-+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
- uint32_t cmdlen;
- uint32_t do_cmd;
-
diff --git a/0026-scsi-megasas-null-terminate-bios-version-buffer.patch b/0026-scsi-megasas-null-terminate-bios-version-buffer.patch
deleted file mode 100644
index 9a2f6f3..0000000
--- a/0026-scsi-megasas-null-terminate-bios-version-buffer.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Prasad J Pandit
-Date: Tue, 7 Jun 2016 16:44:03 +0530
-Subject: [PATCH] scsi: megasas: null terminate bios version buffer
-
-While reading information via 'megasas_ctrl_get_info' routine,
-a local bios version buffer isn't null terminated. Add the
-terminating null byte to avoid any OOB access.
-
-Reported-by: Li Qiang
-Reviewed-by: Peter Maydell
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
----
- hw/scsi/megasas.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index cc66d36..a9ffc32 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
-
- ptr = memory_region_get_ram_ptr(&pci_dev->rom);
- memcpy(biosver, ptr + 0x41, 31);
-+ biosver[31] = 0;
- memcpy(info.image_component[1].name, "BIOS", 4);
- memcpy(info.image_component[1].version, biosver,
- strlen((const char *)biosver));
diff --git a/0027-sdl2-skip-init-without-outputs.patch b/0027-sdl2-skip-init-without-outputs.patch
deleted file mode 100644
index 17c7b15..0000000
--- a/0027-sdl2-skip-init-without-outputs.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Gerd Hoffmann
-Date: Wed, 1 Jun 2016 16:08:36 +0200
-Subject: [PATCH] sdl2: skip init without outputs
-
-Signed-off-by: Gerd Hoffmann
-Tested-by: Cole Robinson
-Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
----
- ui/sdl2.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ui/sdl2.c b/ui/sdl2.c
-index 909038f..30d2a3c 100644
---- a/ui/sdl2.c
-+++ b/ui/sdl2.c
-@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
- }
- }
- sdl2_num_outputs = i;
-+ if (sdl2_num_outputs == 0) {
-+ return;
-+ }
- sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs);
- for (i = 0; i < sdl2_num_outputs; i++) {
- QemuConsole *con = qemu_console_lookup_by_index(i);
diff --git a/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch b/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
new file mode 100644
index 0000000..46367ab
--- /dev/null
+++ b/for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
@@ -0,0 +1,12 @@
+diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
+index e4f424a..20d1cd6 100644
+--- a/include/hw/virtio/virtio-gpu.h
++++ b/include/hw/virtio/virtio-gpu.h
+@@ -19,6 +19,7 @@
+ #include "ui/console.h"
+ #include "hw/virtio/virtio.h"
+ #include "hw/pci/pci.h"
++#include "qemu/log.h"
+
+ #include "standard-headers/linux/virtio_gpu.h"
+ #define TYPE_VIRTIO_GPU "virtio-gpu-device"
diff --git a/qemu.spec b/qemu.spec
index 45d56c6..b919992 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -50,7 +50,7 @@
 %undefine _hardened_build
 # Release candidate version tracking
-# global rcver rc5
+%global rcver rc2
 %if 0%{?rcver:1}
 %global rcrel .%{rcver}
 %global rcstr -%{rcver}
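Review bot: The new file added in the `@@ -0,0 +1,12 @@` hunk carries no provenance at all — no `From:`, `Date:` or `Subject:` line and no `(cherry picked from commit …)` or Message-id trailer — whereas every patch this commit deletes has exactly that header, so the next maintainer has nothing to match against upstream when deciding whether 2.7.0 final lets this patch be dropped. The only hint is the spec comment `# Build fix, posted upstream`, which names neither the posting nor the author. I would regenerate the file with `git format-patch` so the mail header survives, or at minimum prepend a `Subject:` line and the mailing-list reference of the upstream posting (placeholder: `Message-id: <UPSTREAM-POSTING-ID>`) above the `diff --git` line.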
@@ -59,8 +59,8 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.6.0
-Release: 6%{?rcrel}%{?dist}
+Version: 2.7.0
+Release: 0.1%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -92,58 +92,8 @@ Source20: kvm.conf
 # /etc/sysctl.d/50-kvm-s390x.conf
 Source21: 50-kvm-s390x.conf
-# Adjust spice gl version check to expect F24 backported version
-# Not for upstream, f24 only
-Patch0001: 0001-spice-F24-spice-has-backported-gl-support.patch
-# Fix gtk UI crash when switching to monitor (bz #1333424)
-Patch0002: 0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch
-# Fix sdl2 UI lockup lockup when switching to monitor
-Patch0003: 0003-ui-sdl2-Release-grab-before-opening-console-window.patch
-# Explicitly error if spice GL setup fails
-Patch0004: 0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch
-# Fix monitor resizing with virgl (bz #1337564)
-Patch0005: 0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch
-# CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904)
-Patch0006: 0006-i386-kvmvapic-initialise-imm32-variable.patch
-# CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)
-Patch0007: 0007-esp-check-command-buffer-length-before-write-CVE-201.patch
-# CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506)
-Patch0008: 0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch
-# Fix regression installing windows 7 with qxl/vga (bz #1339267)
-Patch0009: 0009-vga-add-sr_vbe-register-set.patch
-# Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977)
-Patch0010: 0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch
-# CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)
-Patch0011: 0011-net-mipsnet-check-packet-length-against-buffer.patch
-# CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
-Patch0012: 0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
-# CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)
-Patch0013: 0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch
-# CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
-Patch0014: 0014-scsi-megasas-use-appropriate-property-buffer-size.patch
-# CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
-Patch0015: 0015-scsi-megasas-initialise-local-configuration-data-buf.patch
-# CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
-Patch0016: 0016-scsi-megasas-check-read_queue_head-index-value.patch
-# CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
-Patch0017: 0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
-Patch0018: 0018-vmsvga-add-more-fifo-checks.patch
-Patch0019: 0019-vmsvga-shadow-fifo-registers.patch
-# CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
-Patch0020: 0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
-# CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925)
-Patch0021: 0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
-# CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
-Patch0022: 0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
-Patch0023: 0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
-Patch0024: 0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
-# CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
-Patch0025: 0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
-# CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
-Patch0026: 0026-scsi-megasas-null-terminate-bios-version-buffer.patch
-# Fix crash with -nodefaults -sdl (bz #1340931)
-Patch0027: 0027-sdl2-skip-init-without-outputs.patch
-
+# Build fix, posted upstream
+Patch0001: for-2.7-virtio-gpu-fix-missing-log.h-include-file.patch
 # documentation deps
 BuildRequires: texi2html
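Review bot: The removal of Patch0006 through Patch0026 drops the backports for fifteen distinct CVE-2016-* ids, and neither this hunk nor the commit message records that 2.7.0-rc2 already contains the corresponding upstream fixes. Every deleted patch file carries a `(cherry picked from commit …)` trailer, so presumably they are all in the 2.7 tree, but a reviewer of qemu.spec cannot confirm that from the spec alone, and the same silence covers the non-CVE fixes for bz #1333424, #1337564, #1339267 and #1339977. I would keep one comment in the patch section, e.g. `# 2.6 backports (incl. CVE-2016-4002 … CVE-2016-5338) dropped: all are upstream cherry-picks present in 2.7.0`, or state the same in the commit message, so the next rebase does not have to re-derive it from git history. Reusing the `Patch0001` number for an unrelated patch is fine for rpm, but a fresh number would make the spec history easier to follow.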
@@ -371,15 +321,6 @@ Requires: qemu-%{kvm_package} = %{epoch}:%{version}-%{release}
 This is a meta-package that provides a qemu-system- package for native architectures where kvm can be enabled. For example, in an x86 system, this will install qemu-system-x86
-
-
-%package kvm-tools
-Summary: KVM debugging and diagnostics tools
-Group: Development/Tools
-
-%description kvm-tools
-This package contains some diagnostics and debugging tools for KVM,
-such as kvm_stat.
 %endif
@@ -783,6 +724,7 @@ pushd build-dynamic
 --localstatedir=%{_localstatedir} \
 --libexecdir=%{_libexecdir} \
 --with-pkgversion=%{name}-%{version}-%{release} \
+ --tls-priority=@QEMU,SYSTEM \
 --disable-strip \
 %ifnarch aarch64
 --extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now" \
@@ -906,7 +848,6 @@ install -m 0644 %{_sourcedir}/50-kvm-s390x.conf %{buildroot}%{_sysconfdir}/sysct
 # Install kvm specific bits
 %if %{have_kvm}
 mkdir -p %{buildroot}%{_bindir}/
-install -m 0755 scripts/kvm/kvm_stat %{buildroot}%{_bindir}/
 install -m 0644 %{_sourcedir}/80-kvm.rules %{buildroot}%{_udevdir}
 %endif
@@ -984,6 +925,9 @@ pxe_link ne2k_pci 10ec8029
 pxe_link pcnet 10222000
 pxe_link rtl8139 10ec8139
 pxe_link virtio 1af41000
+pxe_link eepro100 80861209
+pxe_link e1000e 808610d3
+pxe_link vmxnet3 15ad07b0
 rom_link() {
 ln -s $1 %{buildroot}%{_datadir}/%{name}/$2
@@ -1079,6 +1023,7 @@ done
 %global archs_skip_tests s390
 %global archs_ignore_test_failures 0
+pushd build-dynamic
 %ifnarch %{archs_skip_tests}
 # Check the binary runs (see eg RHBZ#998722).
@@ -1108,6 +1053,7 @@ hostqemu=x86_64-softmmu/qemu-system-x86_64
 if test -f "$hostqemu"; then qemu-sanity-check --qemu=$hostqemu ||: ; fi
 %endif # archs_skip_tests
+popd
 %if %{have_kvm}
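Review bot: `+ --tls-priority=@QEMU,SYSTEM \` in the `@@ -783,6 +724,7 @@` hunk changes the default GNUTLS priority string QEMU is built with, and it lands without a comment although it is the one security-relevant configure change in this rebase. As I read the gnutls `@NAME` syntax, the cipher and protocol selection for every TLS-capable QEMU backend is now resolved at run time from the system crypto-policy configuration (the `QEMU` entry if the policy defines one, otherwise `SYSTEM`) instead of being compiled in, which is the right default for a distro build but is a behaviour change for users who relied on the former built-in string. I would add above it `# Default TLS priority follows the system crypto policy (@QEMU if defined, else @SYSTEM)`; I also believe the comma-separated fallback form needs a recent enough gnutls, which is worth confirming against the gnutls BuildRequires elsewhere in the spec.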
@@ -1179,7 +1125,7 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/qemu-icon.bmp
 %{_datadir}/%{name}/qemu_logo_no_text.svg
 %{_datadir}/%{name}/keymaps/
-%{_datadir}/%{name}/trace-events
+%{_datadir}/%{name}/trace-events-all
 %{_mandir}/man1/qemu.1*
 %{_mandir}/man1/virtfs-proxy-helper.1*
 %{_bindir}/virtfs-proxy-helper
@@ -1223,9 +1169,6 @@ getent passwd qemu >/dev/null || \
 %if %{have_kvm}
 %files kvm
 # Deliberately empty
-
-%files kvm-tools
-%{_bindir}/kvm_stat
 %endif
@@ -1429,6 +1372,7 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/bios-256k.bin
 %{_datadir}/%{name}/sgabios.bin
 %{_datadir}/%{name}/linuxboot.bin
+%{_datadir}/%{name}/linuxboot_dma.bin
 %{_datadir}/%{name}/multiboot.bin
 %{_datadir}/%{name}/kvmvapic.bin
 %{_datadir}/%{name}/vgabios.bin
@@ -1439,14 +1383,20 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/vgabios-virtio.bin
 %{_datadir}/%{name}/pxe-e1000.rom
 %{_datadir}/%{name}/efi-e1000.rom
-%{_datadir}/%{name}/pxe-virtio.rom
-%{_datadir}/%{name}/efi-virtio.rom
+%{_datadir}/%{name}/pxe-e1000e.rom
+%{_datadir}/%{name}/efi-e1000e.rom
+%{_datadir}/%{name}/pxe-eepro100.rom
+%{_datadir}/%{name}/efi-eepro100.rom
+%{_datadir}/%{name}/pxe-ne2k_pci.rom
+%{_datadir}/%{name}/efi-ne2k_pci.rom
 %{_datadir}/%{name}/pxe-pcnet.rom
 %{_datadir}/%{name}/efi-pcnet.rom
 %{_datadir}/%{name}/pxe-rtl8139.rom
 %{_datadir}/%{name}/efi-rtl8139.rom
-%{_datadir}/%{name}/pxe-ne2k_pci.rom
-%{_datadir}/%{name}/efi-ne2k_pci.rom
+%{_datadir}/%{name}/pxe-virtio.rom
+%{_datadir}/%{name}/efi-virtio.rom
+%{_datadir}/%{name}/pxe-vmxnet3.rom
+%{_datadir}/%{name}/efi-vmxnet3.rom
 %ifarch %{ix86} x86_64
 %{?kvm_files:}
 %endif
@@ -1595,6 +1545,9 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Wed Aug 03 2016 Cole Robinson - 2:2.7.0-0.1.rc2
+- Rebase to qemu 2.7.0-rc2
+
 * Sat Jul 23 2016 Richard W.M. Jones - 2:2.6.0-6
 - Rebuild to attempt to fix '2:qemu-system-xtensa-2.6.0-5.fc25.x86_64 requires libxenctrl.so.4.6()(64bit)'