Accepting request 536899 from home:bfrogers:branches:Virtualization

Add note about QED format support being withdrawn. Also add a few more security fixes OBS-URL: https://build.opensuse.org/request/show/536899 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=372
2017-10-26 14:38:26 +00:00 · 2017-10-26 14:38:26 +00:00 · 40d6206ff1
commit 40d6206ff1
parent e3edfcd663
13 changed files with 288 additions and 28 deletions
--- a/0040-io-monitor-encoutput-buffer-size-fr.patch
+++ b/0040-io-monitor-encoutput-buffer-size-fr.patch
@ -0,0 +1,77 @@
 From e0032c4d69b0c6b3eeeded2ab496db61c4632e46 Mon Sep 17 00:00:00 2001
 From: "Daniel P. Berrange" <berrange@redhat.com>
 Date: Wed, 18 Oct 2017 14:51:33 -0600
 Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
 The websocket GSource is monitoring the size of the rawoutput
 buffer to determine if the channel can accepts more writes.
 The rawoutput buffer, however, is merely a temporary staging
 buffer before data is copied into the encoutput buffer. Thus
 its size will always be zero when the GSource runs.
 This flaw causes the encoutput buffer to grow without bound
 if the other end of the underlying data channel doesn't
 read data being sent. This can be seen with VNC if a client
 is on a slow WAN link and the guest OS is sending many screen
 updates. A malicious VNC client can act like it is on a slow
 link by playing a video in the guest and then reading data
 very slowly, causing QEMU host memory to expand arbitrarily.
 This issue is assigned CVE-2017-15268, publically reported in
  https://bugs.launchpad.net/qemu/+bug/1718964
 (cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
 Reviewed-by: Eric Blake <eblake@redhat.com>
 [Dan: Added extra checks to deal with code refactored in master but
 not stable 2.10]
 Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
 [BR: BSC#1062942 CVE-2017-15268]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---
 io/channel-websock.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/io/channel-websock.c b/io/channel-websock.c
 index 5a3badbec2..19116dc148 100644
 --- a/io/channel-websock.c
 +++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
 #include "trace.h"
 -/* Max amount to allow in rawinput/rawoutput buffers */
 +/* Max amount to allow in rawinput/encoutput buffers */
 #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
 #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
     if (wsource->wioc->rawinput.offset) {
         cond |= G_IO_IN;
     }
 -    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
 +    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
         cond |= G_IO_OUT;
     }
@@ -1022,7 +1022,7 @@ qio_channel_websock_source_check(GSource *source)
     if (wsource->wioc->rawinput.offset) {
         cond |= G_IO_IN;
     }
 -    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
 +    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
         cond |= G_IO_OUT;
     }
@@ -1041,7 +1041,7 @@ qio_channel_websock_source_dispatch(GSource *source,
     if (wsource->wioc->rawinput.offset) {
         cond |= G_IO_IN;
     }
 -    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
 +    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
         cond |= G_IO_OUT;
     }
--- a/0041-cirrus-fix-oob-access-in-mode4and5-.patch
+++ b/0041-cirrus-fix-oob-access-in-mode4and5-.patch
@ -0,0 +1,57 @@
 From f3c7b39cec549039b89fa1c6b2ab238b4bac1a97 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Wed, 18 Oct 2017 14:54:15 -0600
 Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions
 Move dst calculation into the loop, so we apply the mask on each
 interation and will not overflow vga memory.
 Cc: Prasad J Pandit <pjp@fedoraproject.org>
 Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: 20171011084314.21752-1-kraxel@redhat.com
 [BR: BSC#1063122 CVE-2017-15289]
 Signed-off-by: Bruce Rogers <brogers@suse.com
 ---
 hw/display/cirrus_vga.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
 index afc290ab91..077a8cb74f 100644
 --- a/hw/display/cirrus_vga.c
 +++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
     unsigned val = mem_value;
     uint8_t *dst;
 -    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 +        dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	} else if (mode == 5) {
 	    *dst = s->cirrus_shadow_gr0;
 	}
 	val <<= 1;
 -	dst++;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 8);
 }
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
     unsigned val = mem_value;
     uint8_t *dst;
 -    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
 +        dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	    *(dst + 1) = s->vga.gr[0x11];
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
 	    *(dst + 1) = s->vga.gr[0x10];
 	}
 	val <<= 1;
 -	dst += 2;
     }
     memory_region_set_dirty(&s->vga.vram, offset, 16);
 }
--- a/0042-9pfs-use-g_malloc0-to-allocate-spac.patch
+++ b/0042-9pfs-use-g_malloc0-to-allocate-spac.patch
@ -0,0 +1,43 @@
 From 89a7eced18edb0d38a444abc1b367d241ae6cff8 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Mon, 16 Oct 2017 14:21:59 +0200
 Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
 9p back-end first queries the size of an extended attribute,
 allocates space for it via g_malloc() and then retrieves its
 value into allocated buffer. Race between querying attribute
 size and retrieving its could lead to memory bytes disclosure.
 Use g_malloc0() to avoid it.
 Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Signed-off-by: Greg Kurz <groug@kaod.org>
 (cherry picked from commit 7bd92756303f2158a68d5166264dc30139b813b6)
 [BR: BSC#1062069 CVE-2017-15038]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---
 hw/9pfs/9p.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
 index 8e9490c5f5..c41c0eb106 100644
 --- a/hw/9pfs/9p.c
 +++ b/hw/9pfs/9p.c
@@ -3236,7 +3236,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
         xattr_fidp->fid_type = P9_FID_XATTR;
         xattr_fidp->fs.xattr.xattrwalk_fid = true;
         if (size) {
 -            xattr_fidp->fs.xattr.value = g_malloc(size);
 +            xattr_fidp->fs.xattr.value = g_malloc0(size);
             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
                                      xattr_fidp->fs.xattr.value,
                                      xattr_fidp->fs.xattr.len);
@@ -3269,7 +3269,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
         xattr_fidp->fid_type = P9_FID_XATTR;
         xattr_fidp->fs.xattr.xattrwalk_fid = true;
         if (size) {
 -            xattr_fidp->fs.xattr.value = g_malloc(size);
 +            xattr_fidp->fs.xattr.value = g_malloc0(size);
             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
                                     &name, xattr_fidp->fs.xattr.value,
                                     xattr_fidp->fs.xattr.len);
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Thu Oct 19 21:58:01 UTC 2017 - brogers@suse.com
 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
 * Patches added:
  0040-io-monitor-encoutput-buffer-size-fr.patch
  0041-cirrus-fix-oob-access-in-mode4and5-.patch
  0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 -------------------------------------------------------------------
 Tue Oct  3 21:07:30 UTC 2017 - brogers@suse.com
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@ -65,6 +65,9 @@ Patch0036:      0036-io-fix-temp-directory-used-by-test-.patch
 Patch0037:      0037-io-fix-check-for-handshake-completi.patch
 Patch0038:      0038-crypto-fix-test-cert-generation-to-.patch
 Patch0039:      0039-vhost-user-disable-the-broken-subpr.patch
 Patch0040:      0040-io-monitor-encoutput-buffer-size-fr.patch
 Patch0041:      0041-cirrus-fix-oob-access-in-mode4and5-.patch
 Patch0042:      0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400:      update_git.sh
@ -157,6 +160,9 @@ run cross-architecture builds.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
 %patch0042 -p1
 %build
 ./configure \
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Oct 19 21:57:57 UTC 2017 - brogers@suse.com
 - Add announcement in support docs about qed storage format no
  longer being supported in next major SLE release (SLE15)
  (fate#324200)
 - Address various security/stability issues
 * Fix DoS in I/O channel websockets (CVE-2017-15268 bsc#1062942)
  0040-io-monitor-encoutput-buffer-size-fr.patch
 * Fix OOB access in cirrus vga device emulation (CVE-2017-15289
  bsc#1063122)
  0041-cirrus-fix-oob-access-in-mode4and5-.patch
 * Fix information leak in 9pfs interface (CVE-2017-15038 bsc#1062069)
  0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
 -------------------------------------------------------------------
 Mon Oct 16 14:50:03 UTC 2017 - brogers@suse.com
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@ -184,6 +184,9 @@ Patch0036:      0036-io-fix-temp-directory-used-by-test-.patch
 Patch0037:      0037-io-fix-check-for-handshake-completi.patch
 Patch0038:      0038-crypto-fix-test-cert-generation-to-.patch
 Patch0039:      0039-vhost-user-disable-the-broken-subpr.patch
 Patch0040:      0040-io-monitor-encoutput-buffer-size-fr.patch
 Patch0041:      0041-cirrus-fix-oob-access-in-mode4and5-.patch
 Patch0042:      0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
@ -887,6 +890,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
 %patch0042 -p1
 pushd roms/ipxe
 %patch1100 -p1
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Oct 19 21:57:57 UTC 2017 - brogers@suse.com
 - Add announcement in support docs about qed storage format no
  longer being supported in next major SLE release (SLE15)
  (fate#324200)
 - Address various security/stability issues
 * Fix DoS in I/O channel websockets (CVE-2017-15268 bsc#1062942)
  0040-io-monitor-encoutput-buffer-size-fr.patch
 * Fix OOB access in cirrus vga device emulation (CVE-2017-15289
  bsc#1063122)
  0041-cirrus-fix-oob-access-in-mode4and5-.patch
 * Fix information leak in 9pfs interface (CVE-2017-15038 bsc#1062069)
  0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
 -------------------------------------------------------------------
 Mon Oct 16 14:50:03 UTC 2017 - brogers@suse.com
--- a/qemu.spec
+++ b/qemu.spec
@ -184,6 +184,9 @@ Patch0036:      0036-io-fix-temp-directory-used-by-test-.patch
 Patch0037:      0037-io-fix-check-for-handshake-completi.patch
 Patch0038:      0038-crypto-fix-test-cert-generation-to-.patch
 Patch0039:      0039-vhost-user-disable-the-broken-subpr.patch
 Patch0040:      0040-io-monitor-encoutput-buffer-size-fr.patch
 Patch0041:      0041-cirrus-fix-oob-access-in-mode4and5-.patch
 Patch0042:      0042-9pfs-use-g_malloc0-to-allocate-spac.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
@ -200,7 +203,7 @@ Patch1200:      sgabios-stable-buildid.patch
 # SLOF (Currently no patches)
-# skiboot (OPAL)
+# skiboot
 Patch1400:      skiboot-GCC7-fixes-for-Wimplicit-fallthr.patch
 Patch1401:      skiboot-libc-stdio-vsnprintf.c-add-expli.patch
@ -887,6 +890,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0037 -p1
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
 %patch0041 -p1
 %patch0042 -p1
 pushd roms/ipxe
 %patch1100 -p1
--- a/supported.arm.txt
+++ b/supported.arm.txt
@ -182,6 +182,12 @@ Deprecated, Superseded, Modified and Dropped Features
 - The previously supported blkdev-add QMP command has been flagged as lacking
  and could possibly change syntax in the future.
 - Due to upstream's decision to no longer fully support the qed storage format
  going forward (since it really provides no benefit over qcow2 and is now no
  longer actively maintained upstream), creating qed storage images is no longer
  supported and it is highly discouraged to continuing to use existing qed
  images. They should instead be converted to another supported format.
 QEMU Command-Line and Monitor Syntax and Support
 ------------------------------------------------
@ -189,10 +195,10 @@ QEMU Command-Line and Monitor Syntax and Support
  qemu-system-aarch64 [options]
  Where 'options' are taken from the options listed below.
-  The images used with -drive or -cdrom, may be in the raw (no format), qcow2
+  The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
-  or qed storage formats, and may be located in files within the host
+  storage formats, and may be located in files within the host filesystem,
-  filesystem, logical volumes, host physical disks, or network based storage.
+  logical volumes, host physical disks, or network based storage. Read only
-  Read only media may also be accessed via URL style protocol specifiers.
+  media may also be accessed via URL style protocol specifiers.
  Note that as a general rule, as new command line options are added which serve
  to replace an older option or interface, you are strongly encouraged to adapt
@ -234,7 +240,7 @@ QEMU Command-Line and Monitor Syntax and Support
          virtio-scsi|virtio-rng|e1000-82540em)
  -dfilter range, ...
  -display ...
-  -drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
+  -drive ... (if specified if=[virtio] and format=[qcow2|raw] and
             snapshot=off only)
  -echr ...
  -enable-fips
@ -597,8 +603,8 @@ QEMU Command-Line and Monitor Syntax and Support
          (note that some of these device names represent supported devices and
          are used internally, but are not specifyable via -device even though
          they appear in the list of devices)
-  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
+  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
-         or raw]
+         raw]
  -dtb file
  -enable-hax
  -fda/-fdb ...
--- a/supported.ppc.txt
+++ b/supported.ppc.txt
@ -182,6 +182,12 @@ Deprecated, Superseded, Modified and Dropped Features
 - The previously supported blkdev-add QMP command has been flagged as lacking
  and could possibly change syntax in the future.
 - Due to upstream's decision to no longer fully support the qed storage format
  going forward (since it really provides no benefit over qcow2 and is now no
  longer actively maintained upstream), creating qed storage images is no longer
  supported and it is highly discouraged to continuing to use existing qed
  images. They should instead be converted to another supported format.
 QEMU Command-Line and Monitor Syntax and Support
 ------------------------------------------------
@ -189,10 +195,10 @@ QEMU Command-Line and Monitor Syntax and Support
  qemu-system-ppc64 [options]
  Where 'options' are taken from the options listed below.
-  The images used with -drive or -cdrom, may be in the raw (no format), qcow2
+  The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
-  or qed storage formats, and may be located in files within the host
+  storage formats, and may be located in files within the host filesystem,
-  filesystem, logical volumes, host physical disks, or network based storage.
+  logical volumes, host physical disks, or network based storage. Read only
-  Read only media may also be accessed via URL style protocol specifiers.
+  media may also be accessed via URL style protocol specifiers.
  Note that as a general rule, as new command line options are added which serve
  to replace an older option or interface, you are strongly encouraged to adapt
@ -234,7 +240,7 @@ QEMU Command-Line and Monitor Syntax and Support
          virtio-scsi|virtio-rng|e1000-82540em)
  -dfilter range, ...
  -display ...
-  -drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
+  -drive ... (if specified if=[virtio] and format=[qcow2|raw] and
             snapshot=off only)
  -echr ...
  -enable-fips
@ -547,8 +553,8 @@ QEMU Command-Line and Monitor Syntax and Support
          (note that some of these device names represent supported devices and
          are used internally, but are not specifyable via -device even though
          they appear in the list of devices)
-  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
+  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
-         or raw]
+         raw]
  -dtb file
  -enable-hax
  -fda/-fdb ...
--- a/supported.s390.txt
+++ b/supported.s390.txt
@ -183,6 +183,12 @@ Deprecated, Superseded, Modified and Dropped Features
 - The previously supported blkdev-add QMP command has been flagged as lacking
  and could possibly change syntax in the future.
 - Due to upstream's decision to no longer fully support the qed storage format
  going forward (since it really provides no benefit over qcow2 and is now no
  longer actively maintained upstream), creating qed storage images is no longer
  supported and it is highly discouraged to continuing to use existing qed
  images. They should instead be converted to another supported format.
 QEMU Command-Line and Monitor Syntax and Support
 ------------------------------------------------
@ -190,10 +196,10 @@ QEMU Command-Line and Monitor Syntax and Support
  qemu-system-s390x [options]
  Where 'options' are taken from the options listed below.
-  The images used with -drive or -cdrom, may be in the raw (no format), qcow2
+  The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
-  or qed storage formats, and may be located in files within the host
+  storage formats, and may be located in files within the host filesystem,
-  filesystem, logical volumes, host physical disks, or network based storage.
+  logical volumes, host physical disks, or network based storage. Read only
-  Read only media may also be accessed via URL style protocol specifiers.
+  media may also be accessed via URL style protocol specifiers.
  Note that as a general rule, as new command line options are added which serve
  to replace an older option or interface, you are strongly encouraged to adapt
@ -230,7 +236,7 @@ QEMU Command-Line and Monitor Syntax and Support
          virtio-net|virtio-serial|virtio-balloon|virtio-scsi|virtio-rng)
  -dfilter range, ...
  -display ...
-  -drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
+  -drive ... (if specified if=[virtio] and format=[qcow2|raw] and
             snapshot=off only)
  -echr ...
  -enable-fips
@ -557,8 +563,8 @@ QEMU Command-Line and Monitor Syntax and Support
          (note that some of these device names represent supported devices and
          are used internally, but are not specifyable via -device even though
          they appear in the list of devices)
-  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
+  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
-         or raw]
+         raw]
  -dtb file
  -enable-hax
  -fda/-fdb ...
--- a/supported.x86.txt
+++ b/supported.x86.txt
@ -274,6 +274,12 @@ Deprecated, Superseded, Modified and Dropped Features
  are not supported in this release. The current q35 machine type is however now
  fully supported.
 - Due to upstream's decision to no longer fully support the qed storage format
  going forward (since it really provides no benefit over qcow2 and is now no
  longer actively maintained upstream), creating qed storage images is no longer
  supported and it is highly discouraged to continuing to use existing qed
  images. They should instead be converted to another supported format.
 QEMU Command-Line and Monitor Syntax and Support
 ------------------------------------------------
@ -284,9 +290,9 @@ QEMU Command-Line and Monitor Syntax and Support
  Where 'options' are taken from the options listed below, and 'disk_image' is
  the file system reference to the the x86 guest's primary IDE based hard disk
  image. This image as well as those used with -drive or -cdrom, may be in the
-  raw (no format), qcow2 or qed storage formats, and may be located in files
+  raw (no format) or qcow2 storage formats, and may be located in files within
-  within the host filesystem, logical volumes, host physical disks, or network
+  the host filesystem, logical volumes, host physical disks, or network based
-  based storage. Read only media may also be accessed via URL style protocol
+  storage. Read only media may also be accessed via URL style protocol
  specifiers.
  Note that as a general rule, as new command line options are added which serve
@ -333,7 +339,7 @@ QEMU Command-Line and Monitor Syntax and Support
          virtio-scsi|virtio-rng|e1000-82540em)
  -dfilter range, ...
  -display ...
-  -drive ... (if specified if=[floppy|ide|virtio] and format=[qcow2|qed|raw] and
+  -drive ... (if specified if=[floppy|ide|virtio] and format=[qcow2|raw] and
             snapshot=off only)
  -echr ...
  -enable-fips
@ -669,8 +675,8 @@ QEMU Command-Line and Monitor Syntax and Support
          (note that some of these device names represent supported devices and
          are used internally, but are not specifyable via -device even though
          they appear in the list of devices)
-  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
+  -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
-         or raw]
+         raw]
  -dtb file
  -enable-hax
  -g ...