forked from pool/qemu

Accepting request 400970 from home:bfrogers:branches:Virtualization

Submit includes numerous security fixes, patches which help fulfill FATE regarding xen pv-usb, and a fix openQA is needing.

OBS-URL: https://build.opensuse.org/request/show/400970
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=299
Bruce Rogers 2016-06-10 15:24:43 +00:00 committed by Git OBS Bridge
parent 5ba1856e11
commit f5f190ba99
18 changed files with 2125 additions and 0 deletions


@ -0,0 +1,34 @@
From d884938c3eab2ca005180941c1dacf6e95f630cc Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 16:01:29 +0530
Subject: [PATCH] scsi: megasas: use appropriate property buffer size
When setting MegaRAID SAS controller properties via MegaRAID
Firmware Interface(MFI) commands, a user supplied size parameter
is used to set property value. Use appropriate size value to avoid
OOB access issues.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
[BR:CVE-2016-5106 BSC#982018]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index a63a581..dcbd3e1 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
dcmd_size);
return MFI_STAT_INVALID_PARAMETER;
}
- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
return MFI_STAT_OK;
}
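Review bot: the trace call right after the changed line still reports cmd->iov_size (`trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);`) while the copy now uses dcmd_size, so the trace no longer reflects the number of bytes actually written; pass dcmd_size there too. The fix is only sufficient if the check above the hunk (the one that returns MFI_STAT_INVALID_PARAMETER) bounds dcmd_size by sizeof(info), since `info` is a stack object; that condition lies outside the visible context, so please confirm it.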


@ -0,0 +1,36 @@
From 09b7b3b4bf5463c411a0e4f442db3cf09ec33cbe Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 17:55:10 +0530
Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
[BR: CVE-2016-5107 BSC#982019]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index dcbd3e1..96aee1c 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
pa_hi = le32_to_cpu(initq->pi_addr_hi);
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
flags = le32_to_cpu(initq->flags);
if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
s->flags |= MEGASAS_MASK_USE_QUEUE64;
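Review bot: the commit message and the hunk disagree: the subject and body talk about 'read_queue_head' used as an index in 'megasas_lookup_frame', but the change clamps s->reply_queue_head and s->reply_queue_tail in megasas_init_firmware; align the description with the code before merging. Also, `%= MEGASAS_MAX_FRAMES` on a guest-supplied 32-bit value loaded with ldl_le_pci_dma silently wraps an out-of-range index instead of rejecting it; if the two fields are signed ints, a value with the top bit set becomes negative on assignment and stays negative after `%`, so the bound does not hold. Check the field types, or mask an unsigned value before storing it.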


@ -0,0 +1,32 @@
From 81ed91f0c8e7ba89afd4718129065c920b3923f0 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Jun 2016 16:44:03 +0530
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
[BR: CVE-2016-5337 BSC#983961]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 96aee1c..893448b 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
memcpy(biosver, ptr + 0x41, 31);
+ biosver[31] = 0;
memcpy(info.image_component[1].name, "BIOS", 4);
memcpy(info.image_component[1].version, biosver,
strlen((const char *)biosver));
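Review bot: `biosver[31] = 0;` requires biosver to be at least 32 bytes; its declaration is outside the hunk, so confirm the size, otherwise the terminator itself writes one past the end. The following memcpy into info.image_component[1].version copies strlen(biosver) bytes (up to 31), so that field must also have room for them; copying with the destination's size as the bound would make this independent of whatever the ROM contains at offset 0x41.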


@ -0,0 +1,73 @@
From 5f76584dd7ee7b300a52f57e5a66b667cd3d5faa Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 30 May 2016 09:09:18 +0200
Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
changes the fifo registers afterwards. Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.
Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
[BR: CVE-2016-4454 BSC#982222]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 0c63fa8..63a7c05 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
if (!s->config || !s->enable) {
return 0;
}
+
+ /* Check range and alignment. */
+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+ return 0;
+ }
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+ return 0;
+ }
+ if (CMD(max) > SVGA_FIFO_SIZE) {
+ return 0;
+ }
+ if (CMD(max) < CMD(min) + 10 * 1024) {
+ return 0;
+ }
+
num = CMD(next_cmd) - CMD(stop);
if (num < 0) {
num += CMD(max) - CMD(min);
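Review bot: next_cmd and stop are only checked for 4-byte alignment here, not for lying within [min, max); `num = CMD(next_cmd) - CMD(stop)` and the wrap-around `num += CMD(max) - CMD(min)` therefore still operate on unchecked guest-written offsets. Since the point of moving the block is to re-validate on every read, add range checks for both offsets in the same block. A comment stating that the CMD() registers live in guest-visible fifo memory and can change between calls would make the reason for re-checking obvious to the next reader.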
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
case SVGA_REG_CONFIG_DONE:
if (value) {
s->fifo = (uint32_t *) s->fifo_ptr;
- /* Check range and alignment. */
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
- break;
- }
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- break;
- }
- if (CMD(max) > SVGA_FIFO_SIZE) {
- break;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
- break;
- }
vga_dirty_log_stop(&s->vga);
}
s->config = !!value;
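Review bot: dropping the `break`s changes what a SVGA_REG_CONFIG_DONE write does with a bad fifo layout: previously the write bailed out before `vga_dirty_log_stop(&s->vga)` and before `s->config = !!value;`, so config stayed clear; now config is set and dirty logging stops even for an invalid fifo, and protection relies entirely on vmsvga_fifo_length returning 0. That is acceptable given the first hunk, but it is a behaviour change and deserves a sentence in the commit message.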


@ -0,0 +1,45 @@
From 29983512d22362d394c01377fd9b0974865da1b4 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 30 May 2016 09:09:21 +0200
Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off. So we can simply exit the loop,
without having to worry about how processing will continue.
Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
[BR: CVE-2016-4453 BSC#982223]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 63a7c05..3bd4c52 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -596,13 +596,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
{
uint32_t cmd, colour;
- int args, len;
+ int args, len, maxloop = 1024;
int x, y, dx, dy, width, height;
struct vmsvga_cursor_definition_s cursor;
uint32_t cmd_start;
len = vmsvga_fifo_length(s);
- while (len > 0) {
+ while (len > 0 && --maxloop > 0) {
/* May need to go back to the start of the command if incomplete */
cmd_start = s->cmd->stop;
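Review bot: `--maxloop > 0` with maxloop = 1024 stops after 1023 iterations, not the 1024 the subject states; use `maxloop-- > 0` or adjust the text. The cap is per call only and relies on the caller invoking vmsvga_fifo_run again on the next display update to drain the rest, which the message explains but a one-line comment at the loop would keep in the code.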


@ -0,0 +1,37 @@
From 30f011dc5ea3328e6bef4923f60e03a5664425f9 Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Tue, 24 May 2016 10:59:28 +0200
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
at least in the path via virtio-blk the maximum size is not
restricted.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
[BR: CVE-2016-5126 BSC#982285]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/iscsi.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/iscsi.c b/block/iscsi.c
index 302baf8..172e6cf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
return &acb->common;
}
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
+ qemu_aio_unref(acb);
+ return NULL;
+ }
+
acb->task = malloc(sizeof(struct scsi_task));
if (acb->task == NULL) {
error_report("iSCSI: Failed to allocate task for scsi command. %s",
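Review bot: the new size check sits after an earlier `return &acb->common;` path; confirm that path does not consume acb->ioh->cmd_len as well, otherwise the check is bypassed for it. Returning NULL after qemu_aio_unref means the caller gets no completion callback, so make sure the ioctl caller treats a NULL BlockAIOCB as a failed request rather than waiting on it; the malloc-failure path below presumably already does this, so matching its error handling keeps the two paths consistent.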


@ -0,0 +1,71 @@
From e53e6fe07906e619b25fc1eb120b7a07b541bcb8 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 6 Jun 2016 22:04:43 +0530
Subject: [PATCH] scsi: esp: check TI buffer index before read/write
The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.
While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
[BR: CVE-2016-5338 BSC#983982]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 591c817..3adb685 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -400,19 +400,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
trace_esp_mem_readb(saddr, s->rregs[saddr]);
switch (saddr) {
case ESP_FIFO:
- if (s->ti_size > 0) {
+ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+ /* Data out. */
+ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n");
+ s->rregs[ESP_FIFO] = 0;
+ esp_raise_irq(s);
+ } else if (s->ti_rptr < s->ti_wptr) {
s->ti_size--;
- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
- /* Data out. */
- qemu_log_mask(LOG_UNIMP,
- "esp: PIO data read not implemented\n");
- s->rregs[ESP_FIFO] = 0;
- } else {
- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
- }
+ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
esp_raise_irq(s);
}
- if (s->ti_size == 0) {
+ if (s->ti_rptr == s->ti_wptr) {
s->ti_rptr = 0;
s->ti_wptr = 0;
}
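Review bot: besides the bounds check, this hunk changes behaviour on the PIO ("data out") path: the `(s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0` branch now runs and raises an IRQ even when nothing is pending, and no longer decrements ti_size, whereas before it was nested inside `if (s->ti_size > 0)`. The read branch decrements ti_size only when ti_rptr < ti_wptr, so ti_size and the pointer pair can drift apart. State in the commit message that ti_rptr/ti_wptr are now the authoritative fill indicators for reads, or keep the outer ti_size guard.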
@@ -456,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
} else {
trace_esp_error_fifo_overrun();
}
- } else if (s->ti_size == TI_BUFSZ - 1) {
+ } else if (s->ti_wptr == TI_BUFSZ - 1) {
trace_esp_error_fifo_overrun();
} else {
s->ti_size++;
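Review bot: `s->ti_wptr == TI_BUFSZ - 1` refuses the write when wptr is 15, so the 16-byte buffer holds at most 15 bytes (the same off-by-one the old ti_size test had). If the store is `ti_buf[ti_wptr++]`, a `ti_wptr >= TI_BUFSZ` test would allow the full buffer while still bounding the index; either way, add a comment naming the invariant (0 <= ti_rptr <= ti_wptr <= TI_BUFSZ) that both hunks now rely on.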


@ -0,0 +1,104 @@
From 6eaa3deb4b8e3f101f9b4487b786c34394486d72 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 12 May 2016 16:13:39 +0200
Subject: [PATCH] xen: introduce dummy system device
Introduce a new dummy system device serving as parent for virtual
buses. This will enable new pv backends to introduce virtual buses
which are removable again opposed to system buses which are meant
to stay once added.
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-2-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 9432e53a5bc88681b2d3aec4dac9db07c5476d1b)
[BR: FATE#316612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xenpv/xen_machine_pv.c | 40 ++++++++++++++++++++++++++++++++++++++++
include/hw/xen/xen_backend.h | 1 +
2 files changed, 41 insertions(+)
diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c
index fc13535..48d5bc6 100644
--- a/hw/xenpv/xen_machine_pv.c
+++ b/hw/xenpv/xen_machine_pv.c
@@ -25,10 +25,15 @@
#include "qemu/osdep.h"
#include "hw/hw.h"
#include "hw/boards.h"
+#include "hw/sysbus.h"
#include "hw/xen/xen_backend.h"
#include "xen_domainbuild.h"
#include "sysemu/block-backend.h"
+#define TYPE_XENSYSDEV "xensysdev"
+
+DeviceState *xen_sysdev;
+
static void xen_init_pv(MachineState *machine)
{
DriveInfo *dinfo;
@@ -67,6 +72,9 @@ static void xen_init_pv(MachineState *machine)
break;
}
+ xen_sysdev = qdev_create(NULL, TYPE_XENSYSDEV);
+ qdev_init_nofail(xen_sysdev);
+
xen_be_register("console", &xen_console_ops);
xen_be_register("vkbd", &xen_kbdmouse_ops);
xen_be_register("vfb", &xen_framebuffer_ops);
@@ -101,6 +109,38 @@ static void xen_init_pv(MachineState *machine)
xen_init_display(xen_domid);
}
+static int xen_sysdev_init(SysBusDevice *dev)
+{
+ return 0;
+}
+
+static Property xen_sysdev_properties[] = {
+ {/* end of property list */},
+};
+
+static void xen_sysdev_class_init(ObjectClass *klass, void *data)
+{
+ DeviceClass *dc = DEVICE_CLASS(klass);
+ SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+ k->init = xen_sysdev_init;
+ dc->props = xen_sysdev_properties;
+}
+
+static const TypeInfo xensysdev_info = {
+ .name = TYPE_XENSYSDEV,
+ .parent = TYPE_SYS_BUS_DEVICE,
+ .instance_size = sizeof(SysBusDevice),
+ .class_init = xen_sysdev_class_init,
+};
+
+static void xenpv_register_types(void)
+{
+ type_register_static(&xensysdev_info);
+}
+
+type_init(xenpv_register_types);
+
static void xenpv_machine_init(MachineClass *mc)
{
mc->desc = "Xen Para-virtualized PC";
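Review bot: `type_init(xenpv_register_types);` carries a trailing semicolon; type_init expands to a function definition, so the `;` is an empty declaration (warns under -Wpedantic) and is normally written without one. xen_sysdev_init is a no-op returning 0 and xen_sysdev_properties is empty; since SysBusDeviceClass::init is the legacy hook, both assignments in xen_sysdev_class_init can be dropped and the defaults already do nothing, leaving only the TypeInfo. A one-line comment above TYPE_XENSYSDEV saying the device exists solely as a parent for removable pv buses would keep the rationale from the commit message next to the code.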
diff --git a/include/hw/xen/xen_backend.h b/include/hw/xen/xen_backend.h
index c839eeb..b4b4ff0 100644
--- a/include/hw/xen/xen_backend.h
+++ b/include/hw/xen/xen_backend.h
@@ -60,6 +60,7 @@ extern xc_interface *xen_xc;
extern xenforeignmemory_handle *xen_fmem;
extern struct xs_handle *xenstore;
extern const char *xen_protocol;
+extern DeviceState *xen_sysdev;
/* xenstore helper functions */
int xenstore_write_str(const char *base, const char *node, const char *val);
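Review bot: `extern DeviceState *xen_sysdev;` is declared in the shared xen_backend.h, but the definition lives in hw/xenpv/xen_machine_pv.c, which is only compiled for targets that have the xenpv machine. Any backend built under CONFIG_XEN_BACKEND alone that references xen_sysdev will fail to link on targets without it; either define the symbol in a file built whenever the header's users are, or document that users must also depend on CONFIG_XEN (which is what the later Makefile.objs fix in this submission does for xen-usb.o).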


@ -0,0 +1,219 @@
From 40f5afa5ebaf4b6fba5a4d002a013d4e5aae7156 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 12 May 2016 16:13:40 +0200
Subject: [PATCH] xen: write information about supported backends
Add a Xenstore directory for each supported pv backend. This will allow
Xen tools to decide which backend type to use in case there are
multiple possibilities.
The information is added under
/local/domain/<backend-domid>/device-model/<domid>/backends
before the "running" state is written to Xenstore. Using a directory
for each backend enables us to add parameters for specific backends
in the future.
This interface is documented in the Xen source repository in the file
docs/misc/qemu-backends.txt
In order to reuse the Xenstore directory creation already present in
hw/xen/xen_devconfig.c move the related functions to
hw/xen/xen_backend.c where they fit better.
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Message-id: 1463062421-613-3-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 637c53ffcb891ce8876183e6b593b8f0c3763ab1)
[BR: FATE#316612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xen/xen_backend.c | 63 ++++++++++++++++++++++++++++++++++++++++++++
hw/xen/xen_devconfig.c | 52 ++----------------------------------
include/hw/xen/xen_backend.h | 2 ++
3 files changed, 67 insertions(+), 50 deletions(-)
diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index 60575ad..c63f9df 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -42,11 +42,36 @@ struct xs_handle *xenstore = NULL;
const char *xen_protocol;
/* private */
+struct xs_dirs {
+ char *xs_dir;
+ QTAILQ_ENTRY(xs_dirs) list;
+};
+static QTAILQ_HEAD(xs_dirs_head, xs_dirs) xs_cleanup =
+ QTAILQ_HEAD_INITIALIZER(xs_cleanup);
+
static QTAILQ_HEAD(XenDeviceHead, XenDevice) xendevs = QTAILQ_HEAD_INITIALIZER(xendevs);
static int debug = 0;
/* ------------------------------------------------------------- */
+static void xenstore_cleanup_dir(char *dir)
+{
+ struct xs_dirs *d;
+
+ d = g_malloc(sizeof(*d));
+ d->xs_dir = dir;
+ QTAILQ_INSERT_TAIL(&xs_cleanup, d, list);
+}
+
+void xen_config_cleanup(void)
+{
+ struct xs_dirs *d;
+
+ QTAILQ_FOREACH(d, &xs_cleanup, list) {
+ xs_rm(xenstore, 0, d->xs_dir);
+ }
+}
+
int xenstore_write_str(const char *base, const char *node, const char *val)
{
char abspath[XEN_BUFSIZE];
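Review bot: xenstore_cleanup_dir takes ownership of `dir` (callers pass a g_strdup'd string), but xen_config_cleanup neither frees the strings nor the list nodes after xs_rm, and xs_rm's return value is ignored, so a directory that survives cleanup goes unreported. Fine for an exit-time path, but say so in a comment on xen_config_cleanup, and consider logging a failed xs_rm via xen_be_printf as the mkdir path does.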
@@ -75,6 +100,30 @@ char *xenstore_read_str(const char *base, const char *node)
return ret;
}
+int xenstore_mkdir(char *path, int p)
+{
+ struct xs_permissions perms[2] = {
+ {
+ .id = 0, /* set owner: dom0 */
+ }, {
+ .id = xen_domid,
+ .perms = p,
+ }
+ };
+
+ if (!xs_mkdir(xenstore, 0, path)) {
+ xen_be_printf(NULL, 0, "xs_mkdir %s: failed\n", path);
+ return -1;
+ }
+ xenstore_cleanup_dir(g_strdup(path));
+
+ if (!xs_set_permissions(xenstore, 0, path, perms, 2)) {
+ xen_be_printf(NULL, 0, "xs_set_permissions %s: failed\n", path);
+ return -1;
+ }
+ return 0;
+}
+
int xenstore_write_int(const char *base, const char *node, int ival)
{
char val[12];
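Review bot: `int xenstore_mkdir(char *path, int p)` only reads path, so take `const char *path` (and mirror that in the header prototype); `p` is an XS_PERM_* mask, so naming it `perms` or commenting it helps callers. The permission handling is the right way round (dom0 is owner via perms[0] with its .perms left at XS_PERM_NONE, the guest gets only `p`), and a failed xs_set_permissions leaves the directory owner-only, which is the safe failure; the directory is registered for cleanup before permissions are set, so it is still removed on that path. A comment stating both points would save the next reader the analysis.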
@@ -726,6 +775,20 @@ err:
int xen_be_register(const char *type, struct XenDevOps *ops)
{
+ char path[50];
+ int rc;
+
+ if (ops->backend_register) {
+ rc = ops->backend_register();
+ if (rc) {
+ return rc;
+ }
+ }
+
+ snprintf(path, sizeof(path), "device-model/%u/backends/%s", xen_domid,
+ type);
+ xenstore_mkdir(path, XS_PERM_NONE);
+
return xenstore_scan(type, xen_domid, ops);
}
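Review bot: `char path[50]` with "device-model/%u/backends/%s" leaves room for a domid plus a type name of roughly 20 characters before snprintf truncates silently; check the snprintf return value or size the buffer with XEN_BUFSIZE like the other helpers in this file. The return value of xenstore_mkdir is ignored, so a failed directory creation still registers the backend while the Xen tools see no entry under backends/; propagate the error or at least log it. Also document that backend_register runs before the Xenstore entry is written, so a non-zero return lets a backend veto its own registration.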
diff --git a/hw/xen/xen_devconfig.c b/hw/xen/xen_devconfig.c
index 1f30fe4..b7d290d 100644
--- a/hw/xen/xen_devconfig.c
+++ b/hw/xen/xen_devconfig.c
@@ -5,54 +5,6 @@
/* ------------------------------------------------------------- */
-struct xs_dirs {
- char *xs_dir;
- QTAILQ_ENTRY(xs_dirs) list;
-};
-static QTAILQ_HEAD(xs_dirs_head, xs_dirs) xs_cleanup = QTAILQ_HEAD_INITIALIZER(xs_cleanup);
-
-static void xen_config_cleanup_dir(char *dir)
-{
- struct xs_dirs *d;
-
- d = g_malloc(sizeof(*d));
- d->xs_dir = dir;
- QTAILQ_INSERT_TAIL(&xs_cleanup, d, list);
-}
-
-void xen_config_cleanup(void)
-{
- struct xs_dirs *d;
-
- QTAILQ_FOREACH(d, &xs_cleanup, list) {
- xs_rm(xenstore, 0, d->xs_dir);
- }
-}
-
-/* ------------------------------------------------------------- */
-
-static int xen_config_dev_mkdir(char *dev, int p)
-{
- struct xs_permissions perms[2] = {{
- .id = 0, /* set owner: dom0 */
- },{
- .id = xen_domid,
- .perms = p,
- }};
-
- if (!xs_mkdir(xenstore, 0, dev)) {
- xen_be_printf(NULL, 0, "xs_mkdir %s: failed\n", dev);
- return -1;
- }
- xen_config_cleanup_dir(g_strdup(dev));
-
- if (!xs_set_permissions(xenstore, 0, dev, perms, 2)) {
- xen_be_printf(NULL, 0, "xs_set_permissions %s: failed\n", dev);
- return -1;
- }
- return 0;
-}
-
static int xen_config_dev_dirs(const char *ftype, const char *btype, int vdev,
char *fe, char *be, int len)
{
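Review bot: this is a pure move of the directory helpers to xen_backend.c; the only functional difference is that xen_config_dev_mkdir was static and xenstore_mkdir is exported. Confirm xen_devconfig.c still gets the prototype via xen_backend.h so the renamed calls in the next hunk compile without an implicit declaration.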
@@ -66,8 +18,8 @@ static int xen_config_dev_dirs(const char *ftype, const char *btype, int vdev,
snprintf(be, len, "%s/backend/%s/%d/%d", dom, btype, xen_domid, vdev);
free(dom);
- xen_config_dev_mkdir(fe, XS_PERM_READ | XS_PERM_WRITE);
- xen_config_dev_mkdir(be, XS_PERM_READ);
+ xenstore_mkdir(fe, XS_PERM_READ | XS_PERM_WRITE);
+ xenstore_mkdir(be, XS_PERM_READ);
return 0;
}
diff --git a/include/hw/xen/xen_backend.h b/include/hw/xen/xen_backend.h
index b4b4ff0..63364f7 100644
--- a/include/hw/xen/xen_backend.h
+++ b/include/hw/xen/xen_backend.h
@@ -28,6 +28,7 @@ struct XenDevOps {
int (*free)(struct XenDevice *xendev);
void (*backend_changed)(struct XenDevice *xendev, const char *node);
void (*frontend_changed)(struct XenDevice *xendev, const char *node);
+ int (*backend_register)(void);
};
struct XenDevice {
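Review bot: the new backend_register hook is added without a comment; state when it is called (once from xen_be_register, before the backends/<type> Xenstore directory is created) and that a non-zero return aborts registration, since those semantics are only visible in xen_backend.c and every backend author will need them.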
@@ -63,6 +64,7 @@ extern const char *xen_protocol;
extern DeviceState *xen_sysdev;
/* xenstore helper functions */
+int xenstore_mkdir(char *path, int p);
int xenstore_write_str(const char *base, const char *node, const char *val);
int xenstore_write_int(const char *base, const char *node, int ival);
int xenstore_write_int64(const char *base, const char *node, int64_t ival);


@ -0,0 +1,28 @@
From 9ddd9862dbc30107d2315f0b858e32cd0c90db8a Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 10 Jun 2016 07:12:15 -0600
Subject: [PATCH] usb: Fix conditions that xen-usb.c is used
When non-x86 arch targets are built on x86 we have a mismatched
between what is built in support of xen. xen-usb.c is conditioned
upon CONFIG_USB_LIBUSB and CONFIG_XEN_BACKEND, but it relies on
an external reference that is instead controlled by CONFIG_XEN.
Add a dependency on CONFIG_XEN as well.
[BR: FATE#316612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/Makefile.objs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/Makefile.objs b/hw/usb/Makefile.objs
index 98b5c9d..2db2fa1 100644
--- a/hw/usb/Makefile.objs
+++ b/hw/usb/Makefile.objs
@@ -39,6 +39,6 @@ common-obj-$(CONFIG_USB_REDIR) += redirect.o quirks.o
# usb pass-through
common-obj-y += $(patsubst %,host-%.o,$(HOST_USB))
-ifeq ($(CONFIG_USB_LIBUSB),y)
+ifeq ($(CONFIG_XEN)$(CONFIG_USB_LIBUSB),yy)
common-obj-$(CONFIG_XEN_BACKEND) += xen-usb.o
endif
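Review bot: the `ifeq ($(CONFIG_XEN)$(CONFIG_USB_LIBUSB),yy)` concatenation idiom is correct but opaque; add a comment above it stating that xen-usb.o references xen_sysdev, which is defined by the xenpv machine and therefore only present when CONFIG_XEN is set for the target, as the commit message explains. CONFIG_XEN is a per-target setting while this is a common-obj rule, so verify the rule is evaluated in a context where CONFIG_XEN is visible; if it is not, xen-usb.o is silently never built rather than failing loudly.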


@ -0,0 +1,129 @@
From 464539abcc33f2d8465dead1555de169b87239b9 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 1 Jun 2016 08:22:30 +0200
Subject: [PATCH] vnc: add configurable keyboard delay
Limits the rate kbd events from the vnc server are forwarded to the
guest, so input devices which are typically low-bandwidth can keep
up even on bulky input.
v2: update documentation too.
v3: spell fixes.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Yang Hongyang <hongyang.yang@easystack.cn>
Message-id: 1464762150-25817-1-git-send-email-kraxel@redhat.com
(cherry picked from commit c5ce83334465ee5acb6789a2f22d125273761c9e)
[BR: BSC#974914]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qemu-options.hx | 8 ++++++++
ui/vnc.c | 13 +++++++++++--
ui/vnc.h | 1 +
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index 32b25a5..3bcd98f 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1410,6 +1410,14 @@ everybody else. 'ignore' completely ignores the shared flag and
allows everybody connect unconditionally. Doesn't conform to the rfb
spec but is traditional QEMU behavior.
+@item key-delay-ms
+
+Set keyboard delay, for key down and key up events, in milliseconds.
+Default is 1. Keyboards are low-bandwidth devices, so this slowdown
+can help the device and guest to keep up and not lose events in case
+events are arriving in bulk. Possible causes for the latter are flaky
+network connections, or scripts for automated testing.
+
@end table
ETEXI
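Review bot: the documentation gives the default (1) but does not say what 0 means; since the code previously passed 0 to qemu_input_event_send_key_delay, state that key-delay-ms=0 restores the old no-delay behaviour. It would also help to say that the delay is applied after every key-down and key-up event, so a value of N roughly halves the maximum sustainable key rate to 500/N per second.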
diff --git a/ui/vnc.c b/ui/vnc.c
index ab65db9..1bee07f 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1639,6 +1639,7 @@ static void reset_keys(VncState *vs)
for(i = 0; i < 256; i++) {
if (vs->modifiers_state[i]) {
qemu_input_event_send_key_number(vs->vd->dcl.con, i, false);
+ qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
vs->modifiers_state[i] = 0;
}
}
@@ -1648,9 +1649,9 @@ static void press_key(VncState *vs, int keysym)
{
int keycode = keysym2scancode(vs->vd->kbd_layout, keysym) & SCANCODE_KEYMASK;
qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, true);
- qemu_input_event_send_key_delay(0);
+ qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
- qemu_input_event_send_key_delay(0);
+ qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
}
static int current_led_state(VncState *vs)
@@ -1802,6 +1803,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
if (qemu_console_is_graphic(NULL)) {
qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, down);
+ qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
} else {
bool numlock = vs->modifiers_state[0x45];
bool control = (vs->modifiers_state[0x1d] ||
@@ -1923,6 +1925,7 @@ static void vnc_release_modifiers(VncState *vs)
continue;
}
qemu_input_event_send_key_number(vs->vd->dcl.con, keycode, false);
+ qemu_input_event_send_key_delay(vs->vd->key_delay_ms);
}
}
@@ -3298,6 +3301,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "lock-key-sync",
.type = QEMU_OPT_BOOL,
},{
+ .name = "key-delay-ms",
+ .type = QEMU_OPT_NUMBER,
+ },{
.name = "sasl",
.type = QEMU_OPT_BOOL,
},{
@@ -3536,6 +3542,7 @@ void vnc_display_open(const char *id, Error **errp)
#endif
int acl = 0;
int lock_key_sync = 1;
+ int key_delay_ms;
if (!vs) {
error_setg(errp, "VNC display not active");
@@ -3658,6 +3665,7 @@ void vnc_display_open(const char *id, Error **errp)
reverse = qemu_opt_get_bool(opts, "reverse", false);
lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
+ key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);
sasl = qemu_opt_get_bool(opts, "sasl", false);
#ifndef CONFIG_VNC_SASL
if (sasl) {
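Review bot: `key_delay_ms = qemu_opt_get_number(opts, "key-delay-ms", 1);` narrows a uint64_t into an int with no range check, so a command line such as key-delay-ms=4294967295 arrives as -1 and a merely large value stalls keyboard delivery on every event; validate the value (reject negative, cap it at something sane) and report the problem via errp the way the surrounding options in vnc_display_open do.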
@@ -3790,6 +3798,7 @@ void vnc_display_open(const char *id, Error **errp)
}
#endif
vs->lock_key_sync = lock_key_sync;
+ vs->key_delay_ms = key_delay_ms;
device_id = qemu_opt_get(opts, "display");
if (device_id) {
diff --git a/ui/vnc.h b/ui/vnc.h
index 81a3261..6568bca 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -155,6 +155,7 @@ struct VncDisplay
DisplayChangeListener dcl;
kbd_layout_t *kbd_layout;
int lock_key_sync;
+ int key_delay_ms;
QemuMutex mutex;
QEMUCursor *cursor;


@ -1,3 +1,21 @@
-------------------------------------------------------------------
Fri Jun 10 13:35:11 UTC 2016 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches added:
0049-scsi-megasas-use-appropriate-proper.patch
0050-scsi-megasas-check-read_queue_head-.patch
0051-scsi-megasas-null-terminate-bios-ve.patch
0052-vmsvga-move-fifo-sanity-checks-to-v.patch
0053-vmsvga-don-t-process-more-than-1024.patch
0054-block-iscsi-avoid-potential-overflo.patch
0055-scsi-esp-check-TI-buffer-index-befo.patch
0056-xen-introduce-dummy-system-device.patch
0057-xen-write-information-about-support.patch
0058-xen-add-pvUSB-backend.patch
0059-usb-Fix-conditions-that-xen-usb.c-i.patch
0060-vnc-add-configurable-keyboard-delay.patch
-------------------------------------------------------------------
Thu May 26 16:23:33 UTC 2016 - brogers@suse.com


@ -73,6 +73,18 @@ Patch0045: 0045-esp-check-dma-length-before-reading.patch
Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch
Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch
Patch0048: 0048-vga-add-sr_vbe-register-set.patch
Patch0049: 0049-scsi-megasas-use-appropriate-proper.patch
Patch0050: 0050-scsi-megasas-check-read_queue_head-.patch
Patch0051: 0051-scsi-megasas-null-terminate-bios-ve.patch
Patch0052: 0052-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0053: 0053-vmsvga-don-t-process-more-than-1024.patch
Patch0054: 0054-block-iscsi-avoid-potential-overflo.patch
Patch0055: 0055-scsi-esp-check-TI-buffer-index-befo.patch
Patch0056: 0056-xen-introduce-dummy-system-device.patch
Patch0057: 0057-xen-write-information-about-support.patch
Patch0058: 0058-xen-add-pvUSB-backend.patch
Patch0059: 0059-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0060: 0060-vnc-add-configurable-keyboard-delay.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -174,6 +186,18 @@ run cross-architecture builds.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \


@ -1,3 +1,34 @@
-------------------------------------------------------------------
Fri Jun 10 13:35:06 UTC 2016 - brogers@suse.com
- Address various security/stability issues
* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Fix OOB access in megasas emulated device (CVE-2016-5106 bsc#982018)
0049-scsi-megasas-use-appropriate-proper.patch
* Fix OOB access in megasas emulated device (CVE-2016-5107 bsc#982019)
0050-scsi-megasas-check-read_queue_head-.patch
* Fix OOB access in megasas emulated device (CVE-2016-5337 bsc#983961)
0051-scsi-megasas-null-terminate-bios-ve.patch
* Correct the vmvga fifo access checks (CVE-2016-4454 bsc#982222)
0052-vmsvga-move-fifo-sanity-checks-to-v.patch
* Fix potential DoS issue in vmvga processing (CVE-2016-4453 bsc#982223)
0053-vmsvga-don-t-process-more-than-1024.patch
* Fix heap buffer overflow flaw when iscsi protocol is used
(CVE-2016-5126 bsc#982285)
0054-block-iscsi-avoid-potential-overflo.patch
* Fix OOB access in 53C9X emulation (CVE-2016-5338 bsc#983982)
0055-scsi-esp-check-TI-buffer-index-befo.patch
- Add support to qemu for pv-usb under Xen (fate#316612)
0056-xen-introduce-dummy-system-device.patch
0057-xen-write-information-about-support.patch
0058-xen-add-pvUSB-backend.patch
0059-usb-Fix-conditions-that-xen-usb.c-i.patch
- Provide ability to rate limit keyboard events from the vnc server.
This is part of the solution to an issue affecting openQA testing,
where characters are lost, resulting in unexpected failures
(bsc#974914)
0060-vnc-add-configurable-keyboard-delay.patch
-------------------------------------------------------------------
Fri Jun 3 17:29:41 UTC 2016 - brogers@suse.com


@ -114,6 +114,18 @@ Patch0045: 0045-esp-check-dma-length-before-reading.patch
Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch
Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch
Patch0048: 0048-vga-add-sr_vbe-register-set.patch
Patch0049: 0049-scsi-megasas-use-appropriate-proper.patch
Patch0050: 0050-scsi-megasas-check-read_queue_head-.patch
Patch0051: 0051-scsi-megasas-null-terminate-bios-ve.patch
Patch0052: 0052-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0053: 0053-vmsvga-don-t-process-more-than-1024.patch
Patch0054: 0054-block-iscsi-avoid-potential-overflo.patch
Patch0055: 0055-scsi-esp-check-TI-buffer-index-befo.patch
Patch0056: 0056-xen-introduce-dummy-system-device.patch
Patch0057: 0057-xen-write-information-about-support.patch
Patch0058: 0058-xen-add-pvUSB-backend.patch
Patch0059: 0059-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0060: 0060-vnc-add-configurable-keyboard-delay.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -710,6 +722,18 @@ This package provides a service file for starting and stopping KSM.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios


@ -1,3 +1,34 @@
-------------------------------------------------------------------
Fri Jun 10 13:35:06 UTC 2016 - brogers@suse.com
- Address various security/stability issues
* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Fix OOB access in megasas emulated device (CVE-2016-5106 bsc#982018)
0049-scsi-megasas-use-appropriate-proper.patch
* Fix OOB access in megasas emulated device (CVE-2016-5107 bsc#982019)
0050-scsi-megasas-check-read_queue_head-.patch
* Fix OOB access in megasas emulated device (CVE-2016-5337 bsc#983961)
0051-scsi-megasas-null-terminate-bios-ve.patch
* Correct the vmvga fifo access checks (CVE-2016-4454 bsc#982222)
0052-vmsvga-move-fifo-sanity-checks-to-v.patch
* Fix potential DoS issue in vmvga processing (CVE-2016-4453 bsc#982223)
0053-vmsvga-don-t-process-more-than-1024.patch
* Fix heap buffer overflow flaw when iscsi protocol is used
(CVE-2016-5126 bsc#982285)
0054-block-iscsi-avoid-potential-overflo.patch
* Fix OOB access in 53C9X emulation (CVE-2016-5338 bsc#983982)
0055-scsi-esp-check-TI-buffer-index-befo.patch
- Add support to qemu for pv-usb under Xen (fate#316612)
0056-xen-introduce-dummy-system-device.patch
0057-xen-write-information-about-support.patch
0058-xen-add-pvUSB-backend.patch
0059-usb-Fix-conditions-that-xen-usb.c-i.patch
- Provide ability to rate limit keyboard events from the vnc server.
This is part of the solution to an issue affecting openQA testing,
where characters are lost, resulting in unexpected failures
(bsc#974914)
0060-vnc-add-configurable-keyboard-delay.patch
-------------------------------------------------------------------
Fri Jun 3 17:29:41 UTC 2016 - brogers@suse.com


@ -114,6 +114,18 @@ Patch0045: 0045-esp-check-dma-length-before-reading.patch
Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch
Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch
Patch0048: 0048-vga-add-sr_vbe-register-set.patch
Patch0049: 0049-scsi-megasas-use-appropriate-proper.patch
Patch0050: 0050-scsi-megasas-check-read_queue_head-.patch
Patch0051: 0051-scsi-megasas-null-terminate-bios-ve.patch
Patch0052: 0052-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0053: 0053-vmsvga-don-t-process-more-than-1024.patch
Patch0054: 0054-block-iscsi-avoid-potential-overflo.patch
Patch0055: 0055-scsi-esp-check-TI-buffer-index-befo.patch
Patch0056: 0056-xen-introduce-dummy-system-device.patch
Patch0057: 0057-xen-write-information-about-support.patch
Patch0058: 0058-xen-add-pvUSB-backend.patch
Patch0059: 0059-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0060: 0060-vnc-add-configurable-keyboard-delay.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -710,6 +722,18 @@ This package provides a service file for starting and stopping KSM.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios