import stable-4 build files
commit
9525982417
|
@ -0,0 +1,3 @@
|
|||
[submodule "qemu"]
|
||||
path = qemu
|
||||
url = ../mirror_qemu
|
|
@ -0,0 +1,54 @@
|
|||
# also update debian/changelog
|
||||
KVMVER=2.7.1
|
||||
KVMPKGREL=4
|
||||
|
||||
KVMPACKAGE = pve-qemu-kvm
|
||||
KVMSRC = qemu
|
||||
BUILDSRC = $(KVMSRC).tmp
|
||||
|
||||
SRCDIR := qemu
|
||||
|
||||
ARCH := $(shell dpkg-architecture -qDEB_BUILD_ARCH)
|
||||
GITVERSION := $(shell git rev-parse master)
|
||||
|
||||
DEB = ${KVMPACKAGE}_${KVMVER}-${KVMPKGREL}_${ARCH}.deb
|
||||
DEB_DBG = ${KVMPACKAGE}-dbg_${KVMVER}-${KVMPKGREL}_${ARCH}.deb
|
||||
DEBS = $(DEB) $(DEB_DBG)
|
||||
|
||||
|
||||
all: $(DEBS)
|
||||
|
||||
.PHONY: submodule
|
||||
submodule:
|
||||
test -f "${SRCDIR}/debian/changelog" || git submodule update --init
|
||||
|
||||
.PHONY: deb kvm
|
||||
deb kvm: $(DEBS)
|
||||
$(DEB_DBG): $(DEB)
|
||||
$(DEB): | submodule
|
||||
rm -f *.deb
|
||||
rm -rf $(BUILDSRC)
|
||||
mkdir $(BUILDSRC)
|
||||
cp -a $(KVMSRC)/* $(BUILDSRC)/
|
||||
tar -C $(BUILDSRC) -xJf efi-roms-1182.tar.xz
|
||||
cp -a debian $(BUILDSRC)/debian
|
||||
echo "git clone git://git.proxmox.com/git/pve-qemu-kvm.git\\ngit checkout $(GITVERSION)" > $(BUILDSRC)/debian/SOURCE
|
||||
# set package version
|
||||
sed -i 's/^pkgversion="".*/pkgversion="${KVMPACKAGE}_${KVMVER}-${KVMPKGREL}"/' $(BUILDSRC)/configure
|
||||
cd $(BUILDSRC); dpkg-buildpackage -b -rfakeroot -us -uc
|
||||
lintian $(DEBS) || true
|
||||
|
||||
.PHONY: upload
|
||||
upload: $(DEBS)
|
||||
tar cf - $(DEBS) | ssh repoman@repo.proxmox.com upload --produce pve --dist jessie
|
||||
|
||||
.PHONY: distclean
|
||||
distclean: clean
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
rm -rf $(BUILDSRC) $(KVMPACKAGE)_* $(DEBS) *.buildinfo
|
||||
|
||||
.PHONY: dinstall
|
||||
dinstall: $(DEBS)
|
||||
dpkg -i $(DEBS)
|
|
@ -0,0 +1,116 @@
|
|||
Efficient VM backup for qemu
|
||||
|
||||
=Requirements=
|
||||
|
||||
* Backup to a single archive file
|
||||
* Backup needs to contain all data to restore VM (full backup)
|
||||
* Do not depend on storage type or image format
|
||||
* Avoid use of temporary storage
|
||||
* store sparse images efficiently
|
||||
|
||||
=Introduction=
|
||||
|
||||
Most VM backup solutions use some kind of snapshot to get a consistent
|
||||
VM view at a specific point in time. For example, we previously used
|
||||
LVM to create a snapshot of all used VM images, which are then copied
|
||||
into a tar file.
|
||||
|
||||
That basically means that any data written during backup involve
|
||||
considerable overhead. For LVM we get the following steps:
|
||||
|
||||
1.) read original data (VM write)
|
||||
2.) write original data into snapshot (VM write)
|
||||
3.) write new data (VM write)
|
||||
4.) read data from snapshot (backup)
|
||||
5.) write data from snapshot into tar file (backup)
|
||||
|
||||
Another approach to backup VM images is to create a new qcow2 image
|
||||
which use the old image as base. During backup, writes are redirected
|
||||
to the new image, so the old image represents a 'snapshot'. After
|
||||
backup, data need to be copied back from new image into the old
|
||||
one (commit). So a simple write during backup triggers the following
|
||||
steps:
|
||||
|
||||
1.) write new data to new image (VM write)
|
||||
2.) read data from old image (backup)
|
||||
3.) write data from old image into tar file (backup)
|
||||
|
||||
4.) read data from new image (commit)
|
||||
5.) write data to old image (commit)
|
||||
|
||||
This is in fact the same overhead as before. Other tools like qemu
|
||||
livebackup produces similar overhead (2 reads, 3 writes).
|
||||
|
||||
Some storage types/formats supports internal snapshots using some kind
|
||||
of reference counting (rados, sheepdog, dm-thin, qcow2). It would be possible
|
||||
to use that for backups, but for now we want to be storage-independent.
|
||||
|
||||
=Make it more efficient=
|
||||
|
||||
The be more efficient, we simply need to avoid unnecessary steps. The
|
||||
following steps are always required:
|
||||
|
||||
1.) read old data before it gets overwritten
|
||||
2.) write that data into the backup archive
|
||||
3.) write new data (VM write)
|
||||
|
||||
As you can see, this involves only one read, and two writes.
|
||||
|
||||
To make that work, our backup archive need to be able to store image
|
||||
data 'out of order'. It is important to notice that this will not work
|
||||
with traditional archive formats like tar.
|
||||
|
||||
During backup we simply intercept writes, then read existing data and
|
||||
store that directly into the archive. After that we can continue the
|
||||
write.
|
||||
|
||||
==Advantages==
|
||||
|
||||
* very good performance (1 read, 2 writes)
|
||||
* works on any storage type and image format.
|
||||
* avoid usage of temporary storage
|
||||
* we can define a new and simple archive format, which is able to
|
||||
store sparse files efficiently.
|
||||
|
||||
Note: Storing sparse files is a mess with existing archive
|
||||
formats. For example, tar requires information about holes at the
|
||||
beginning of the archive.
|
||||
|
||||
==Disadvantages==
|
||||
|
||||
* we need to define a new archive format
|
||||
|
||||
Note: Most existing archive formats are optimized to store small files
|
||||
including file attributes. We simply do not need that for VM archives.
|
||||
|
||||
* archive contains data 'out of order'
|
||||
|
||||
If you want to access image data in sequential order, you need to
|
||||
re-order archive data. It would be possible to to that on the fly,
|
||||
using temporary files.
|
||||
|
||||
Fortunately, a normal restore/extract works perfectly with 'out of
|
||||
order' data, because the target files are seekable.
|
||||
|
||||
* slow backup storage can slow down VM during backup
|
||||
|
||||
It is important to note that we only do sequential writes to the
|
||||
backup storage. Furthermore one can compress the backup stream. IMHO,
|
||||
it is better to slow down the VM a bit. All other solutions creates
|
||||
large amounts of temporary data during backup.
|
||||
|
||||
=Archive format requirements=
|
||||
|
||||
The basic requirement for such new format is that we can store image
|
||||
date 'out of order'. It is also very likely that we have less than 256
|
||||
drives/images per VM, and we want to be able to store VM configuration
|
||||
files.
|
||||
|
||||
We have defined a very simply format with those properties, see:
|
||||
|
||||
https://git.proxmox.com/?p=pve-qemu-kvm.git;a=blob;f=vma_spec.txt;
|
||||
|
||||
Please let us know if you know an existing format which provides the
|
||||
same functionality.
|
||||
|
||||
|
Binary file not shown.
After Width: | Height: | Size: 48 KiB |
Binary file not shown.
|
@ -0,0 +1,11 @@
|
|||
The OVMF images were built through the edk2 github repository.
|
||||
|
||||
git clone https://github.com/tianocore/edk2
|
||||
|
||||
set up the build environment
|
||||
|
||||
copy the Logo.bmp to ./edk2/MdeModulePkg/Logo/
|
||||
|
||||
call ./edk2/OvmfPkg/build.sh -a X64 -b RELEASE
|
||||
|
||||
The license is under ./edk2/OvmfPkg/License.txt
|
Binary file not shown.
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1 @@
|
|||
5
|
|
@ -0,0 +1,25 @@
|
|||
Source: pve-qemu-kvm
|
||||
Section: admin
|
||||
Priority: extra
|
||||
Maintainer: Proxmox Support Team <support@proxmox.com>
|
||||
Build-Depends: debhelper (>= 5), autotools-dev, libpci-dev, quilt, texinfo, texi2html, libgnutls28-dev, libsdl1.2-dev, check, libaio-dev, uuid-dev, librbd-dev (>= 0.48), libiscsi-dev (>= 1.12.0), libspice-protocol-dev (>= 0.12.5), pve-libspice-server-dev (>= 0.12.5-1), libusbredirparser-dev (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0-dev (>= 1.0.17-1), xfslibs-dev, libnuma-dev, libjemalloc-dev, libjpeg-dev, libacl1-dev
|
||||
Standards-Version: 3.7.2
|
||||
|
||||
Package: pve-qemu-kvm
|
||||
Architecture: any
|
||||
Depends: iproute2, bridge-utils, python, libsdl1.2debian, libaio1, libuuid1, ceph-common (>= 0.48), libiscsi4 (>= 1.12.0) | libiscsi7, pve-libspice-server1 (>= 0.12.5-1), ${shlibs:Depends}, ${misc:Depends}, libusbredirparser1 (>= 0.6-2), glusterfs-common (>= 3.5.2-1), libusb-1.0-0 (>= 1.0.17-1), numactl, libjemalloc1, libjpeg62-turbo
|
||||
Conflicts: qemu, qemu-kvm, qemu-utils, kvm, pve-kvm, pve-qemu-kvm-2.6.18
|
||||
Provides: qemu-utils
|
||||
Replaces: pve-kvm, pve-qemu-kvm-2.6.18, qemu-utils
|
||||
Description: Full virtualization on x86 hardware
|
||||
Using KVM, one can run multiple virtual PCs, each running unmodified Linux or
|
||||
Windows images. Each virtual machine has private virtualized hardware: a
|
||||
network card, disk, graphics adapter, etc.
|
||||
|
||||
Package: pve-qemu-kvm-dbg
|
||||
Architecture: any
|
||||
Section: debug
|
||||
Depends: pve-qemu-kvm (= ${binary:Version})
|
||||
Description: pve qemu debugging symbols
|
||||
This package contains the debugging symbols for pve-qemu-kvm.
|
||||
|
|
@ -0,0 +1,92 @@
|
|||
This package was debianized by the proxmox support team <support@proxmox.com>
|
||||
|
||||
|
||||
It was downloaded from
|
||||
|
||||
git://git.kernel.org/pub/scm/virt/kvm/qemu-kvm.git
|
||||
|
||||
Upstream Author: Fabrice Bellard <fabrice.bellard@free.fr>
|
||||
|
||||
Upstream Maintainers: Avi Kivity <avi@redhat.com>
|
||||
Anthony Liguori <aliguori@us.ibm.com>
|
||||
|
||||
Copyright: Copyright (C) 2006 Qumranet, Inc.
|
||||
Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Fabrice Bellard
|
||||
|
||||
License:
|
||||
|
||||
QEMU as a whole is released under the GNU General Public License version 2.
|
||||
On Debian systems, the complete text of the GNU General Public License
|
||||
version 2 can be found in the file /usr/share/common-licenses/GPL-2.
|
||||
|
||||
Parts of QEMU have specific licenses which are compatible with the
|
||||
GNU General Public License. Hence each source file contains its own
|
||||
licensing information.
|
||||
|
||||
In particular, the QEMU virtual CPU core library (libqemu.a) is
|
||||
released under the GNU Lesser General Public License version 2 or later.
|
||||
On Debian systems, the complete text of the GNU Lesser General Public
|
||||
License can be found in the file /usr/share/common-licenses/LGPL.
|
||||
|
||||
Some hardware device emulation sources and other QEMU functionality are
|
||||
released under the BSD license, including:
|
||||
* aes, bsd-user, sd, slirp, sys-queue
|
||||
|
||||
Some hardware device emulation sources and other QEMU functionality are
|
||||
released under the MIT/X11 (BSD-like) license, including:
|
||||
* sdl, host-utils, vnc, keymaps, ioport, usb, hw/*, net, acl, block,
|
||||
kqemu, monitor, curses, readline, vl, savevm, osdep, audio, tcg,
|
||||
qemu-malloc, qemu-img
|
||||
|
||||
The following points clarify the QEMU license:
|
||||
1) QEMU as a whole is released under the GNU General Public License
|
||||
2) Parts of QEMU have specific licenses which are compatible with the
|
||||
GNU General Public License. Hence each source file contains its own
|
||||
licensing information.
|
||||
In particular, the QEMU virtual CPU core library (libqemu.a) is
|
||||
released under the GNU Lesser General Public License. Many hardware
|
||||
device emulation sources are released under the BSD license.
|
||||
3) The Tiny Code Generator (TCG) is released under the BSD license
|
||||
(see license headers in files).
|
||||
4) QEMU is a trademark of Fabrice Bellard.
|
||||
-- Fabrice Bellard.
|
||||
|
||||
BIOS sources in QEMU:
|
||||
bios.bin: Copyright (C) 2002 MandrakeSoft S.A. and others. This file
|
||||
is licensed under the GNU LGPL, version 2, or (at your option) any later
|
||||
version.
|
||||
Homepage: http://sourceforge.net/projects/bochs
|
||||
|
||||
vgabios.bin and vgabios-cirrus.bin: (C) 2003 the LGPL VGABios
|
||||
developers Team. These files are licensed under the GNU LGPL, version 2,
|
||||
or (at your option) any later version.
|
||||
Homepage: http://savannah.nongnu.org/projects/vgabios
|
||||
|
||||
BSD license:
|
||||
|
||||
Copyright (c) The Regents of the University of California.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions
|
||||
are met:
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
3. Neither the name of the University nor the names of its contributors
|
||||
may be used to endorse or promote products derived from this software
|
||||
without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||||
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGE.
|
|
@ -0,0 +1 @@
|
|||
debian/SOURCE
|
|
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
switch=$(/sbin/ip route list | awk '/^default / { print $NF }')
|
||||
/sbin/ifconfig $1 0.0.0.0 promisc up
|
||||
/sbin/brctl addif ${switch} $1
|
33
debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
vendored
Normal file
33
debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
vendored
Normal file
|
@ -0,0 +1,33 @@
|
|||
From 603c472d61c354c30bc898b0e9ff1914302cbca9 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Mon, 4 Jul 2016 15:02:26 +0200
|
||||
Subject: [PATCH 1/3] Revert "target-i386: disable LINT0 after reset"
|
||||
|
||||
This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
|
||||
---
|
||||
hw/intc/apic_common.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
|
||||
index 14ac43c..1ed0511 100644
|
||||
--- a/hw/intc/apic_common.c
|
||||
+++ b/hw/intc/apic_common.c
|
||||
@@ -246,6 +246,15 @@ static void apic_reset_common(DeviceState *dev)
|
||||
info->vapic_base_update(s);
|
||||
|
||||
apic_init_reset(dev);
|
||||
+
|
||||
+ if (bsp) {
|
||||
+ /*
|
||||
+ * LINT0 delivery mode on CPU #0 is set to ExtInt at initialization
|
||||
+ * time typically by BIOS, so PIC interrupt can be delivered to the
|
||||
+ * processor when local APIC is enabled.
|
||||
+ */
|
||||
+ s->lvt[APIC_LVT_LINT0] = 0x700;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* This function is only used for old state version 1 and 2 */
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,100 @@
|
|||
From 391a9e6fd8c6cf615f2ffe44bb85245df52cc2b6 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 9 Feb 2017 14:02:20 +0100
|
||||
Subject: [PATCH 1/2] cirrus: fix patterncopy checks
|
||||
|
||||
The blit_region_is_unsafe checks don't work correctly for the
|
||||
patterncopy source. It's a fixed-sized region, which doesn't
|
||||
depend on cirrus_blt_{width,height}. So go do the check in
|
||||
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
|
||||
it doesn't need to verify the source. Also handle the case where we
|
||||
blit from cirrus_bitbuf correctly.
|
||||
|
||||
This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
|
||||
|
||||
Security impact: I think for the most part error on the safe side this
|
||||
time, refusing blits which should have been allowed.
|
||||
|
||||
Only exception is placing the blit source at the end of the video ram,
|
||||
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But
|
||||
even in that case I'm not fully sure this actually allows read access to
|
||||
host memory. To trick the commit 5858dd18 security checks one has to
|
||||
pick very small cirrus_blt_{width,height} values, which in turn implies
|
||||
only a fraction of the blit source will actually be used.
|
||||
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
|
||||
1 file changed, 30 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 16f27e8..6bd13fc 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
}
|
||||
}
|
||||
|
||||
-static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
- const uint8_t * src)
|
||||
+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
{
|
||||
+ uint32_t patternsize;
|
||||
uint8_t *dst;
|
||||
+ uint8_t *src;
|
||||
|
||||
dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
|
||||
- if (blit_is_unsafe(s, false, true)) {
|
||||
+ if (videosrc) {
|
||||
+ switch (s->vga.get_bpp(&s->vga)) {
|
||||
+ case 8:
|
||||
+ patternsize = 64;
|
||||
+ break;
|
||||
+ case 15:
|
||||
+ case 16:
|
||||
+ patternsize = 128;
|
||||
+ break;
|
||||
+ case 24:
|
||||
+ case 32:
|
||||
+ default:
|
||||
+ patternsize = 256;
|
||||
+ break;
|
||||
+ }
|
||||
+ s->cirrus_blt_srcaddr &= ~(patternsize - 1);
|
||||
+ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
|
||||
+ } else {
|
||||
+ src = s->cirrus_bltbuf;
|
||||
+ }
|
||||
+
|
||||
+ if (blit_is_unsafe(s, true, true)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_srcaddr & ~7));
|
||||
+ return cirrus_bitblt_common_patterncopy(s, true);
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
|
||||
if (s->cirrus_srccounter > 0) {
|
||||
if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
|
||||
- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
|
||||
+ cirrus_bitblt_common_patterncopy(s, false);
|
||||
the_end:
|
||||
s->cirrus_srccounter = 0;
|
||||
cirrus_bitblt_reset(s);
|
||||
--
|
||||
2.1.4
|
||||
|
51
debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
vendored
Normal file
51
debian/patches/extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
vendored
Normal file
|
@ -0,0 +1,51 @@
|
|||
From b3ce5aeaacdd0cec5bab1d83ee24bae73b0dd506 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Wed, 25 Jan 2017 14:48:57 +0100
|
||||
Subject: [PATCH 1/4] cirrus: handle negative pitch in
|
||||
cirrus_invalidate_region()
|
||||
|
||||
cirrus_invalidate_region() calls memory_region_set_dirty()
|
||||
on a per-line basis, always ranging from off_begin to
|
||||
off_begin+bytesperline. With a negative pitch off_begin
|
||||
marks the top most used address and thus we need to do an
|
||||
initial shift backwards by a line for negative pitches of
|
||||
backward blits, otherwise the first iteration covers the
|
||||
line going from the start offset forwards instead of
|
||||
backwards.
|
||||
Additionally since the start address is inclusive, if we
|
||||
shift by a full `bytesperline` we move to the first address
|
||||
*not* included in the blit, so we only shift by one less
|
||||
than bytesperline.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
|
||||
|
||||
[ kraxel: codestyle fixes ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 379910d..0f05e45 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
int off_cur;
|
||||
int off_cur_end;
|
||||
|
||||
+ if (off_pitch < 0) {
|
||||
+ off_begin -= bytesperline - 1;
|
||||
+ }
|
||||
+
|
||||
for (y = 0; y < lines; y++) {
|
||||
off_cur = off_begin;
|
||||
off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
|
||||
+ assert(off_cur_end >= off_cur);
|
||||
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
|
||||
off_begin += off_pitch;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
72
debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
vendored
Normal file
72
debian/patches/extra/0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
vendored
Normal file
|
@ -0,0 +1,72 @@
|
|||
From f5dc8e6b503fda1ed87c0f4f53c6d2c76a584872 Mon Sep 17 00:00:00 2001
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Mon, 9 Jan 2017 13:35:20 -0700
|
||||
Subject: [PATCH 1/5] display: cirrus: ignore source pitch value as needed in
|
||||
blit_is_unsafe
|
||||
|
||||
Commit 4299b90 added a check which is too broad, given that the source
|
||||
pitch value is not required to be initialized for solid fill operations.
|
||||
This patch refines the blit_is_unsafe() check to ignore source pitch in
|
||||
that case. After applying the above commit as a security patch, we
|
||||
noticed the SLES 11 SP4 guest gui failed to initialize properly.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
Message-id: 20170109203520.5619-1-brogers@suse.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index bdb092e..379910d 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
+ if (dst_only) {
|
||||
+ return false;
|
||||
+ }
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
--
|
||||
2.1.4
|
||||
|
101
debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
vendored
Normal file
101
debian/patches/extra/0002-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
vendored
Normal file
|
@ -0,0 +1,101 @@
|
|||
From cba280fe94eaed53952e2997cac1ee2bed6cfdee Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Fri, 10 Feb 2017 08:34:03 +0100
|
||||
Subject: [PATCH 2/2] Revert "cirrus: allow zero source pitch in pattern fill
|
||||
rops"
|
||||
|
||||
This reverts commit cf9c099a7694eb47ded529e1ed40ee8789f32d31.
|
||||
|
||||
Conflicts:
|
||||
hw/display/cirrus_vga.c
|
||||
---
|
||||
hw/display/cirrus_vga.c | 29 +++++++++--------------------
|
||||
1 file changed, 9 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 6bd13fc..92e7951 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
+ if (!pitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||
@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
- bool zero_src_pitch_ok)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
- int32_t check_pitch;
|
||||
-
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
assert(s->cirrus_blt_height > 0);
|
||||
@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
return true;
|
||||
}
|
||||
|
||||
- if (!s->cirrus_blt_dstpitch) {
|
||||
- return true;
|
||||
- }
|
||||
-
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_dstaddr)) {
|
||||
return true;
|
||||
@@ -314,14 +310,8 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
if (dst_only) {
|
||||
return false;
|
||||
}
|
||||
-
|
||||
- check_pitch = s->cirrus_blt_srcpitch;
|
||||
- if (!zero_src_pitch_ok && !check_pitch) {
|
||||
- check_pitch = s->cirrus_blt_width;
|
||||
- }
|
||||
-
|
||||
- if (blit_region_is_unsafe(s, check_pitch,
|
||||
- s->cirrus_blt_srcaddr)) {
|
||||
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -715,9 +705,8 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
src = s->cirrus_bltbuf;
|
||||
}
|
||||
|
||||
- if (blit_is_unsafe(s, true, true)) {
|
||||
+ if (blit_is_unsafe(s, true))
|
||||
return 0;
|
||||
- }
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
@@ -734,7 +723,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s, true, true)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -834,7 +823,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s, false, false))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
--
|
||||
2.1.4
|
||||
|
102
debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
vendored
Normal file
102
debian/patches/extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
vendored
Normal file
|
@ -0,0 +1,102 @@
|
|||
From cf9c099a7694eb47ded529e1ed40ee8789f32d31 Mon Sep 17 00:00:00 2001
|
||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Tue, 24 Jan 2017 16:35:38 +0100
|
||||
Subject: [PATCH 2/4] cirrus: allow zero source pitch in pattern fill rops
|
||||
|
||||
The rops used by cirrus_bitblt_common_patterncopy only use
|
||||
the destination pitch, so the source pitch shoul allowed to
|
||||
be zero and the blit with used for the range check around the
|
||||
source address.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
|
||||
1 file changed, 19 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 0f05e45..98f089e 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
- if (!pitch) {
|
||||
- return true;
|
||||
- }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
+ bool zero_src_pitch_ok)
|
||||
{
|
||||
+ int32_t check_pitch;
|
||||
+
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
assert(s->cirrus_blt_height > 0);
|
||||
@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
return true;
|
||||
}
|
||||
|
||||
+ if (!s->cirrus_blt_dstpitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
if (dst_only) {
|
||||
return false;
|
||||
}
|
||||
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
+
|
||||
+ check_pitch = s->cirrus_blt_srcpitch;
|
||||
+ if (!zero_src_pitch_ok && !check_pitch) {
|
||||
+ check_pitch = s->cirrus_blt_width;
|
||||
+ }
|
||||
+
|
||||
+ if (blit_region_is_unsafe(s, check_pitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s, true)) {
|
||||
+ if (blit_is_unsafe(s, true, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 1313d27fc347633d0cf6fc2ff8cbe17a740dd658 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Thu, 11 Aug 2016 00:42:20 +0530
|
||||
Subject: [PATCH 2/3] net: vmxnet: initialise local tx descriptor
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 90f6943..92f6af9 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,104 @@
|
|||
From a173829e6ebd8b2d7f29028f106173ba067c8b8c Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 11:09:56 +0100
|
||||
Subject: [PATCH 3/4] cirrus: fix blit address mask handling
|
||||
|
||||
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
|
||||
right after assigning them, in cirrus_bitblt_start(), instead of having
|
||||
this all over the place in the cirrus code, and missing a few places.
|
||||
|
||||
Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
|
||||
---
|
||||
hw/display/cirrus_vga.c | 25 ++++++++++++-------------
|
||||
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 98f089e..7db6409 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_dstaddr)) {
|
||||
return true;
|
||||
}
|
||||
if (dst_only) {
|
||||
@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, check_pitch,
|
||||
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_srcaddr)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
{
|
||||
uint8_t *dst;
|
||||
|
||||
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
|
||||
if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s,
|
||||
- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
|
||||
- s->cirrus_addr_mask));
|
||||
+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
|
||||
+ (s->cirrus_blt_srcaddr & ~7));
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
if (notify)
|
||||
graphic_hw_update(s->vga.con);
|
||||
|
||||
- (*s->cirrus_rop) (s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
- s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
|
||||
@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
} else {
|
||||
/* at least one scan line */
|
||||
do {
|
||||
- (*s->cirrus_rop)(s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
|
||||
s->cirrus_blt_width, 1);
|
||||
@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
|
||||
s->cirrus_blt_modeext = s->vga.gr[0x33];
|
||||
blt_rop = s->vga.gr[0x32];
|
||||
|
||||
+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
|
||||
+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
|
||||
+
|
||||
#ifdef DEBUG_BITBLT
|
||||
printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
|
||||
blt_rop,
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 2705772316ff905f3ed08871c602fca1c636f332 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Lieven <pl@kamp.de>
|
||||
Date: Thu, 30 Jun 2016 11:49:40 +0200
|
||||
Subject: [PATCH 3/3] net: limit allocation in nc_sendv_compat
|
||||
|
||||
we only need to allocate enough memory to hold the packet. This might be
|
||||
less than NET_BUFSIZE. Additionally fail early if the packet is larger
|
||||
than NET_BUFSIZE.
|
||||
|
||||
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||||
---
|
||||
net/net.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/net.c b/net/net.c
|
||||
index c94d93d..2ac46a6 100644
|
||||
--- a/net/net.c
|
||||
+++ b/net/net.c
|
||||
@@ -690,9 +690,13 @@ static ssize_t nc_sendv_compat(NetClientState *nc, const struct iovec *iov,
|
||||
buffer = iov[0].iov_base;
|
||||
offset = iov[0].iov_len;
|
||||
} else {
|
||||
- buf = g_new(uint8_t, NET_BUFSIZE);
|
||||
+ offset = iov_size(iov, iovcnt);
|
||||
+ if (offset > NET_BUFSIZE) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ buf = g_malloc(offset);
|
||||
buffer = buf;
|
||||
- offset = iov_to_buf(iov, iovcnt, 0, buf, NET_BUFSIZE);
|
||||
+ offset = iov_to_buf(iov, iovcnt, 0, buf, offset);
|
||||
}
|
||||
|
||||
if (flags & QEMU_NET_PACKET_FLAG_RAW && nc->info->receive_raw) {
|
||||
--
|
||||
2.1.4
|
||||
|
61
debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
vendored
Normal file
61
debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
vendored
Normal file
|
@ -0,0 +1,61 @@
|
|||
From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 31 Jan 2017 17:54:15 +0530
|
||||
Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block
|
||||
transfer
|
||||
|
||||
In SDHCI device emulation the transfer mode register value
|
||||
is used during multi block transfer to check if block count
|
||||
register is enabled and should be updated. Transfer mode
|
||||
register could be set such that, block count register would
|
||||
not be updated, thus leading to an infinite loop. Add check
|
||||
to avoid it.
|
||||
|
||||
Reported-by: Wjjzhang <wjjzhang@tencent.com>
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/sd/sdhci.c | 13 +++++++------
|
||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 01fbf22..35f953a 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
|
||||
uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
|
||||
|
||||
+ if (!(s->trnmod & SDHC_TRNS_MULTI)
|
||||
+ || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN)
|
||||
+ || !s->blkcnt) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
|
||||
* possible stop at page boundary if initial address is not page aligned,
|
||||
* allow them to work properly */
|
||||
@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque)
|
||||
if (s->trnmod & SDHC_TRNS_DMA) {
|
||||
switch (SDHC_DMA_TYPE(s->hostctl)) {
|
||||
case SDHC_CTRL_SDMA:
|
||||
- if ((s->trnmod & SDHC_TRNS_MULTI) &&
|
||||
- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
|
||||
sdhci_sdma_transfer_single_block(s);
|
||||
} else {
|
||||
@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
|
||||
if (!(s->capareg & SDHC_CAN_DO_DMA)) {
|
||||
value &= ~SDHC_TRNS_DMA;
|
||||
}
|
||||
- MASKED_WRITE(s->trnmod, mask, value);
|
||||
+ MASKED_WRITE(s->trnmod, mask, value & 0x0037);
|
||||
MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
|
||||
|
||||
/* Writing to the upper byte of CMDREG triggers SD command generation */
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
From e3ff618899e53791fdff5dbd3f8fa889a2ed7b1d Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 1 Feb 2017 09:35:01 +0100
|
||||
Subject: [PATCH 4/4] cirrus: fix oob access issue (CVE-2017-2615)
|
||||
|
||||
When doing bitblt copy in backward mode, we should minus the
|
||||
blt width first just like the adding in the forward mode. This
|
||||
can avoid the oob access of the front of vga's vram.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
|
||||
Message-id: 5887254f.863a240a.2c122.5500@mx.google.com
|
||||
|
||||
{ kraxel: with backward blits (negative pitch) addr is the topmost
|
||||
address, so check it as-is against vram size ]
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Laszlo Ersek <lersek@redhat.com>
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 7db6409..16f27e8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
{
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
- int32_t max = addr
|
||||
- + s->cirrus_blt_width;
|
||||
- if (min < 0 || max > s->vga.vram_size) {
|
||||
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||
+ - s->cirrus_blt_width;
|
||||
+ if (min < -1 || addr >= s->vga.vram_size) {
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
--
|
||||
2.1.4
|
||||
|
42
debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
vendored
Normal file
42
debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
vendored
Normal file
|
@ -0,0 +1,42 @@
|
|||
From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 31 Jan 2017 17:54:16 +0530
|
||||
Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
|
||||
block transfer
|
||||
|
||||
In SDHCI device emulation the 'Block count enable' bit
|
||||
of the Transfer Mode register is only relevant in multi block
|
||||
transfers. We need not check it in single block transfers.
|
||||
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/sd/sdhci.c | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 35f953a..85cac42 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
}
|
||||
|
||||
/* single block SDMA transfer */
|
||||
-
|
||||
static void sdhci_sdma_transfer_single_block(SDHCIState *s)
|
||||
{
|
||||
int n;
|
||||
@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
|
||||
sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
|
||||
}
|
||||
}
|
||||
-
|
||||
- if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
|
||||
- s->blkcnt--;
|
||||
- }
|
||||
+ s->blkcnt--;
|
||||
|
||||
sdhci_end_transfer(s);
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
44
debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
vendored
Normal file
44
debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Dec 2016 12:31:56 +0530
|
||||
Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
|
||||
|
||||
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
|
||||
command, retrieves the maximum capabilities size to fill in the
|
||||
response object. It continues to fill in capabilities even if
|
||||
retrieved 'max_size' is zero(0), thus resulting in OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20161214070156.23368-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
|
||||
Notes:
|
||||
CVE-2016-10028
|
||||
|
||||
hw/display/virtio-gpu-3d.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index d98b140..cdd03a4 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
||||
|
||||
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
|
||||
&max_size);
|
||||
- resp = g_malloc0(sizeof(*resp) + max_size);
|
||||
+ if (!max_size) {
|
||||
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
+ resp = g_malloc0(sizeof(*resp) + max_size);
|
||||
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
||||
virgl_renderer_fill_caps(gc.capset_id,
|
||||
gc.capset_version,
|
||||
--
|
||||
2.1.4
|
||||
|
50
debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
vendored
Normal file
50
debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
vendored
Normal file
|
@ -0,0 +1,50 @@
|
|||
From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 28 Nov 2016 17:49:04 -0800
|
||||
Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
|
||||
|
||||
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
|
||||
in realize isn't freed thus leaking memory leak. This patch avoid
|
||||
this through adding the exit function.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
|
||||
Notes:
|
||||
CVE-2016-10155
|
||||
|
||||
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
|
||||
index a83d951..49b3cd1 100644
|
||||
--- a/hw/watchdog/wdt_i6300esb.c
|
||||
+++ b/hw/watchdog/wdt_i6300esb.c
|
||||
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
|
||||
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
|
||||
}
|
||||
|
||||
+static void i6300esb_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
|
||||
+
|
||||
+ timer_del(d->timer);
|
||||
+ timer_free(d->timer);
|
||||
+}
|
||||
+
|
||||
static WatchdogTimerModel model = {
|
||||
.wdt_name = "i6300esb",
|
||||
.wdt_description = "Intel 6300ESB",
|
||||
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
|
||||
k->config_read = i6300esb_config_read;
|
||||
k->config_write = i6300esb_config_write;
|
||||
k->realize = i6300esb_realize;
|
||||
+ k->exit = i6300esb_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
|
||||
k->class_id = PCI_CLASS_SYSTEM_OTHER;
|
||||
--
|
||||
2.1.4
|
||||
|
63
debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
vendored
Normal file
63
debian/patches/extra/CVE-2016-7156-scsi-pvscsi-avoid-infinite-loop-while-building-SG-li.patch
vendored
Normal file
|
@ -0,0 +1,63 @@
|
|||
From a8ceb006190b9072b0b9866ec5a07bd6de4eca6d Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 6 Sep 2016 23:23:17 +0530
|
||||
Subject: [PATCH 5/6] scsi: pvscsi: avoid infinite loop while building SG list
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation for large 'dataLen' values, when data_length is cast to uint32_t
|
||||
and chunk_size becomes always zero. Fix this by removing the incorrect
|
||||
cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 22f872c..e43e0a4 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -629,17 +631,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
35
debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
vendored
Normal file
35
debian/patches/extra/CVE-2016-7161-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
vendored
Normal file
|
@ -0,0 +1,35 @@
|
|||
From b5cfb53ba6a976d0d478eb438a5ada3b719e8d59 Mon Sep 17 00:00:00 2001
|
||||
From: chaojianhu <chaojianhu@hotmail.com>
|
||||
Date: Tue, 9 Aug 2016 11:52:54 +0800
|
||||
Subject: [PATCH 2/5] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
|
||||
|
||||
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
|
||||
of data before calling memcpy. As a result, the NetClientState object in
|
||||
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
|
||||
will be affected.
|
||||
|
||||
Reported-by: chaojianhu <chaojianhu@hotmail.com>
|
||||
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/xilinx_ethlite.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
|
||||
index bc846e7..12b7419 100644
|
||||
--- a/hw/net/xilinx_ethlite.c
|
||||
+++ b/hw/net/xilinx_ethlite.c
|
||||
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
|
||||
}
|
||||
|
||||
D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
|
||||
+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
|
||||
+ D(qemu_log("ethlite packet is too big, size=%x\n", size));
|
||||
+ return -1;
|
||||
+ }
|
||||
memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
|
||||
|
||||
s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
|
||||
--
|
||||
2.1.4
|
||||
|
45
debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
vendored
Normal file
45
debian/patches/extra/CVE-2016-7170-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
vendored
Normal file
|
@ -0,0 +1,45 @@
|
|||
From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
38
debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
vendored
Normal file
38
debian/patches/extra/CVE-2016-7422-virtio-add-check-for-descriptor-s-mapped-address.patch
vendored
Normal file
|
@ -0,0 +1,38 @@
|
|||
From 1723b5e7962eb077353bab0772ca8114774b6c60 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH 4/7] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
32
debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
vendored
Normal file
32
debian/patches/extra/CVE-2016-7466-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
vendored
Normal file
|
@ -0,0 +1,32 @@
|
|||
From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 37c1493..726435c 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3715,8 +3715,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
||||
--
|
||||
2.1.4
|
||||
|
48
debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
vendored
Normal file
48
debian/patches/extra/CVE-2016-7907-net-imx-limit-buffer-descriptor-count.patch
vendored
Normal file
|
@ -0,0 +1,48 @@
|
|||
From 3798522afcf58abbce6de67446fcae7a34ae919d Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:01:38 +0530
|
||||
Subject: [PATCH 5/7] net: imx: limit buffer descriptor count
|
||||
|
||||
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set an upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/net/imx_fec.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
||||
index 1c415ab..1d74827 100644
|
||||
--- a/hw/net/imx_fec.c
|
||||
+++ b/hw/net/imx_fec.c
|
||||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
||||
#define PHY_INT_PARFAULT (1 << 2)
|
||||
#define PHY_INT_AUTONEG_PAGE (1 << 1)
|
||||
|
||||
+#define IMX_MAX_DESC 1024
|
||||
+
|
||||
static void imx_eth_update(IMXFECState *s);
|
||||
|
||||
/*
|
||||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
||||
|
||||
static void imx_fec_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXFECBufDesc bd;
|
||||
int len;
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
52
debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
vendored
Normal file
52
debian/patches/extra/CVE-2016-7908-net-mcf-limit-buffer-descriptor-count.patch
vendored
Normal file
|
@ -0,0 +1,52 @@
|
|||
From 94087c0cbe014b4a60d96930d7cb43d54a05c701 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH 6/7] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
||||
--
|
||||
2.1.4
|
||||
|
36
debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
vendored
Normal file
36
debian/patches/extra/CVE-2016-7909-net-pcnet-check-rx-tx-descriptor-ring-length.patch
vendored
Normal file
|
@ -0,0 +1,36 @@
|
|||
From ed825b783750cbe88aa67bbe83cf662082828efa Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 30 Sep 2016 00:27:33 +0530
|
||||
Subject: [PATCH 7/7] net: pcnet: check rx/tx descriptor ring length
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f..3078de8 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
||||
--
|
||||
2.1.4
|
||||
|
30
debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
vendored
Normal file
30
debian/patches/extra/CVE-2016-7994-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
vendored
Normal file
|
@ -0,0 +1,30 @@
|
|||
From 594fa98211f92ab07ee6d6b6a9eda93a416a1f57 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:07:11 -0700
|
||||
Subject: [PATCH 1/2] virtio-gpu: fix memory leak in
|
||||
virtio_gpu_resource_create_2d
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 7fe6ed8..5b6d17b 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
32
debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
vendored
Normal file
32
debian/patches/extra/CVE-2016-7995-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
vendored
Normal file
|
@ -0,0 +1,32 @@
|
|||
From 91a16e6e51a4e046d59379fc83b9dfc1e860e9c7 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sat, 8 Oct 2016 11:58:03 +0300
|
||||
Subject: [PATCH 2/2] usb: ehci: fix memory leak in ehci_process_itd
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||