From 6ba27a47bcfdb607c849fecb09c278a6dcf797fc Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 31 2020 09:42:20 +0000
Subject: import spice-0.14.0-9.el7
---
diff --git a/SOURCES/0029-display-channel-Avoid-potential-crash-from-buggy-gue.patch b/SOURCES/0029-display-channel-Avoid-potential-crash-from-buggy-gue.patch
new file mode 100644
index 0000000..8e2f8dd
--- /dev/null
+++ b/SOURCES/0029-display-channel-Avoid-potential-crash-from-buggy-gue.patch
@@ -0,0 +1,34 @@
+From bf968572d1f7a0052df2615b69b361b0ec652a29 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Mon, 17 Jun 2019 17:12:17 +0100
+Subject: [PATCH spice-server] display-channel: Avoid potential crash from
+ buggy guest driver
+
+This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1582137.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Snir Sheriber
+---
+ server/display-channel.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/server/display-channel.c b/server/display-channel.c
+index 071c01409..7ddd44c14 100644
+--- a/server/display-channel.c
++++ b/server/display-channel.c
+@@ -2032,7 +2032,11 @@ void display_channel_update(DisplayChannel *display,
+ SpiceRect rect;
+ RedSurface *surface;
+
+- spice_return_if_fail(display_channel_validate_surface(display, surface_id));
++ // Check that the request is valid, the surface_id comes directly from the guest
++ if (!display_channel_validate_surface(display, surface_id)) {
++ // just return, display_channel_validate_surface already logged a warning
++ return;
++ }
+
+ red_get_rect_ptr(&rect, area);
+ display_channel_draw(display, &rect, surface_id);
+--
+2.20.1
+
diff --git a/SOURCES/0030-red-channel-client-Allows-to-change-timeout-for-late.patch b/SOURCES/0030-red-channel-client-Allows-to-change-timeout-for-late.patch
new file mode 100644
index 0000000..55a14a0
--- /dev/null
+++ b/SOURCES/0030-red-channel-client-Allows-to-change-timeout-for-late.patch
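Review bot: In display_channel_update the new guard covers only surface_id, while `area` goes to `red_get_rect_ptr(&rect, area)` and then to `display_channel_draw` on the following lines with no visible range check. If area is supplied by the guest in the same way (its origin is not shown in this hunk), a check against the surface bounds belongs next to the guard; at minimum I would add `// TODO: area is not validated here; confirm display_channel_draw clips it to the surface`. The early return also gives the caller no indication that the update was skipped, since the function is void. The function body starts and ends outside the hunk.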
@@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 14 Nov 2019 15:18:29 +0000 +Subject: [PATCH 1/2] red-channel-client: Allows to change timeout for + latency_monitor + +This is a preparatory patch. +The "latency_monitor" feature allows to measure the latency of a +specific channel client. +Currently the measure is attempted every PING_TEST_TIMEOUT_MS which +is a constant. +To be able to use a different frequency allows to change this for every +channel client. +This feature will be also used to create some traffic on the connection +to allows some sort of keep-alive to overcome some proxy implementation +which requires some TCP data traffic. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1719736. + +Signed-off-by: Frediano Ziglio +--- + server/red-channel-client.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/server/red-channel-client.c b/server/red-channel-client.c +index a707dbcb..3cc6a709 100644 +--- a/server/red-channel-client.c ++++ b/server/red-channel-client.c +@@ -78,6 +78,7 @@ typedef struct RedChannelClientLatencyMonitor { + QosPingState state; + uint64_t last_pong_time; + SpiceTimer *timer; ++ uint32_t timeout; + uint32_t id; + bool tcp_nodelay; + bool warmup_was_sent; +@@ -262,8 +263,8 @@ static void red_channel_client_restart_ping_timer(RedChannelClient *rcc) + } + passed = (spice_get_monotonic_time_ns() - rcc->priv->latency_monitor.last_pong_time) / NSEC_PER_MILLISEC; + timeout = PING_TEST_IDLE_NET_TIMEOUT_MS; +- if (passed < PING_TEST_TIMEOUT_MS) { +- timeout += PING_TEST_TIMEOUT_MS - passed; ++ if (passed < rcc->priv->latency_monitor.timeout) { ++ timeout += rcc->priv->latency_monitor.timeout - passed; + } + + red_channel_client_start_ping_timer(rcc, timeout); +@@ -811,6 +812,7 @@ void red_channel_client_start_connectivity_monitoring(RedChannelClient *rcc, uin + red_channel_client_start_ping_timer(rcc, 
PING_TEST_IDLE_NET_TIMEOUT_MS); + } + rcc->priv->latency_monitor.roundtrip = -1; ++ rcc->priv->latency_monitor.timeout = PING_TEST_TIMEOUT_MS; + } + if (rcc->priv->connectivity_monitor.timer == NULL) { + rcc->priv->connectivity_monitor.state = CONNECTIVITY_STATE_CONNECTED; +@@ -956,6 +958,7 @@ static gboolean red_channel_client_initable_init(GInitable *initable, + PING_TEST_IDLE_NET_TIMEOUT_MS); + } + self->priv->latency_monitor.roundtrip = -1; ++ self->priv->latency_monitor.timeout = PING_TEST_TIMEOUT_MS; + } + + red_channel_add_client(self->priv->channel, self); +@@ -1394,7 +1397,7 @@ static void red_channel_client_handle_pong(RedChannelClient *rcc, SpiceMsgPing * + + rcc->priv->latency_monitor.last_pong_time = now; + rcc->priv->latency_monitor.state = PING_STATE_NONE; +- red_channel_client_start_ping_timer(rcc, PING_TEST_TIMEOUT_MS); ++ red_channel_client_start_ping_timer(rcc, rcc->priv->latency_monitor.timeout); + } + + static void red_channel_client_handle_migrate_flush_mark(RedChannelClient *rcc) diff --git a/SOURCES/0031-red-channel-client-Always-enable-latency-monitor-to-.patch b/SOURCES/0031-red-channel-client-Always-enable-latency-monitor-to-.patch new file mode 100644 index 0000000..8cfa01c --- /dev/null +++ b/SOURCES/0031-red-channel-client-Always-enable-latency-monitor-to-.patch 
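Review bot: latency_monitor.timeout is assigned only inside the blocks that create the latency timer (in red_channel_client_start_connectivity_monitoring and red_channel_client_initable_init), yet red_channel_client_restart_ping_timer and red_channel_client_handle_pong now read it in place of the constant. If either reader can run for a client where neither assignment executed (the guarding code is outside these hunks), the field would presumably still be zero and `red_channel_client_start_ping_timer(rcc, 0)` would re-arm the ping immediately rather than after the 15-second interval. Setting the default unconditionally where the private data is initialised would remove that dependency. The field also needs its unit stated, e.g. `uint32_t timeout; /* interval between latency pings, in milliseconds */`.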
@@ -0,0 +1,68 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 14 Nov 2019 15:18:29 +0000 +Subject: [PATCH 2/2] red-channel-client: Always enable latency monitor to keep + tcp connection alive + +Create some traffic on the connection to avoid potential timeout +on some proxies implementation which require some TCP data traffic. +The timeout used by default is quite big (5 minutes) to reduce network +traffic. +In case connectivity monitoring is enabled or latency monitor is +requested the timeout is reduced to the old default. + +Signed-off-by: Frediano Ziglio +--- + server/red-channel-client.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/server/red-channel-client.c b/server/red-channel-client.c +index 3cc6a70..7be382e 100644 +--- a/server/red-channel-client.c ++++ b/server/red-channel-client.c +@@ -210,6 +210,7 @@ enum { + }; + + #define PING_TEST_TIMEOUT_MS (MSEC_PER_SEC * 15) ++#define PING_TEST_LONG_TIMEOUT_MS (MSEC_PER_SEC * 60 * 5) + #define PING_TEST_IDLE_NET_TIMEOUT_MS (MSEC_PER_SEC / 10) + + typedef struct RedEmptyMsgPipeItem { +@@ -808,11 +809,13 @@ void red_channel_client_start_connectivity_monitoring(RedChannelClient *rcc, uin + if (rcc->priv->latency_monitor.timer == NULL) { + rcc->priv->latency_monitor.timer = core->timer_add( + core, red_channel_client_ping_timer, rcc); +- if (!red_client_during_migrate_at_target(rcc->priv->client)) { +- red_channel_client_start_ping_timer(rcc, PING_TEST_IDLE_NET_TIMEOUT_MS); +- } + rcc->priv->latency_monitor.roundtrip = -1; +- rcc->priv->latency_monitor.timeout = PING_TEST_TIMEOUT_MS; ++ } else { ++ red_channel_client_cancel_ping_timer(rcc); ++ } ++ rcc->priv->latency_monitor.timeout = PING_TEST_TIMEOUT_MS; ++ if (!red_client_during_migrate_at_target(rcc->priv->client)) { ++ red_channel_client_start_ping_timer(rcc, PING_TEST_IDLE_NET_TIMEOUT_MS); + } + if (rcc->priv->connectivity_monitor.timer == NULL) { + 
rcc->priv->connectivity_monitor.state = CONNECTIVITY_STATE_CONNECTED; +@@ -948,8 +951,7 @@ static gboolean red_channel_client_initable_init(GInitable *initable, + red_channel_client_event, + self); + +- if (self->priv->monitor_latency +- && reds_stream_get_family(self->priv->stream) != AF_UNIX) { ++ if (reds_stream_get_family(self->priv->stream) != AF_UNIX) { + self->priv->latency_monitor.timer = + core->timer_add(core, red_channel_client_ping_timer, self); + +@@ -958,7 +960,8 @@ static gboolean red_channel_client_initable_init(GInitable *initable, + PING_TEST_IDLE_NET_TIMEOUT_MS); + } + self->priv->latency_monitor.roundtrip = -1; +- self->priv->latency_monitor.timeout = PING_TEST_TIMEOUT_MS; ++ self->priv->latency_monitor.timeout = ++ self->priv->monitor_latency ? PING_TEST_TIMEOUT_MS : PING_TEST_LONG_TIMEOUT_MS; + } + + red_channel_add_client(self->priv->channel, self); diff --git a/SPECS/spice.spec b/SPECS/spice.spec index e75c578..8a52c50 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,6 +1,6 @@ Name: spice Version: 0.14.0 -Release: 7%{?dist} +Release: 9%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ @@ -34,6 +34,9 @@ Patch25: 0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch Patch26: 0026-Fix-flexible-array-buffer-overflow.patch Patch27: 0027-dcc-Fix-QUIC-fallback-in-get_compression_for_bitmap.patch Patch28: 0028-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +Patch29: 0029-display-channel-Avoid-potential-crash-from-buggy-gue.patch +Patch30: 0030-red-channel-client-Allows-to-change-timeout-for-late.patch +Patch31: 0031-red-channel-client-Always-enable-latency-monitor-to-.patch # https://bugzilla.redhat.com/show_bug.cgi?id=613529 %if 0%{?rhel} 
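Review bot: PING_TEST_LONG_TIMEOUT_MS is introduced without a comment saying that it is the keep-alive interval for clients that did not request latency monitoring, and the five-minute value is fixed at compile time. A proxy that drops idle connections sooner than that would still time out, so the assumption is worth stating next to the define, e.g. `/* keep-alive ping interval when latency monitoring is off; must stay below the proxy idle timeout */`. In red_channel_client_initable_init the condition no longer tests monitor_latency, and a one-line comment such as `/* timer is always created for non-AF_UNIX streams; monitor_latency only selects the interval */` would keep the ternary below from looking like an oversight. Both functions continue outside their hunks.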
@@ -126,6 +129,14 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog +* Wed Dec 04 2019 Frediano Ziglio - 0.14.0-9 +- Always enable latency monitor to keep tcp connection alive + Resolves: rhbz#1719736 + +* Thu Jun 20 2019 Frediano Ziglio - 0.14.0-8 +- Avoid potential crash from buggy guest driver + Resolves: rhbz#1582137 + * Tue Dec 18 2018 Christophe Fergeau - 0.14.0-7 - Fix off-by-one error during guest-to-host memory address conversion Resolves: CVE-2019-3813