Commit fa423b39 authored by Michael Tokarev's avatar Michael Tokarev

update to new upstream 2.11.0, remove old patches, refresh debian patches

parent dbf64e0d
qemu (1:2.10.0+dfsg-3) UNRELEASED; urgency=medium
qemu (1:2.11.0+dfsg-1) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
* debian/control-in: build qemu-system and qemu-user on mips64 and
......
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 4 Oct 2017 17:06:52 +0530
Subject: 9pfs: use g_malloc0 to allocate space for xattr
Bug-Debian: http://bugs.debian.org/877890
9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 23ac7bb532..f8bbac251d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
--
2.11.0
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 11 Oct 2017 10:43:14 +0200
Subject: cirrus: fix oob access in mode4and5 write functions
Commit-Id: eb38e1bc3740725ca29a535351de94107ec58d51
Bug-Debian: http://bugs.debian.org/880832
Move dst calculation into the loop, so we apply the mask on each
interation and will not overflow vga memory.
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171011084314.21752-1-kraxel@redhat.com
---
hw/display/cirrus_vga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index b4d579857a..bc32bf1e39 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
} else if (mode == 5) {
*dst = s->cirrus_shadow_gr0;
}
val <<= 1;
- dst++;
}
memory_region_set_dirty(&s->vga.vram, offset, 8);
}
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
*(dst + 1) = s->vga.gr[0x11];
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
*(dst + 1) = s->vga.gr[0x10];
}
val <<= 1;
- dst += 2;
}
memory_region_set_dirty(&s->vga.vram, offset, 16);
}
--
2.11.0
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Oct 2017 14:43:42 +0100
Subject: io: monitor encoutput buffer size from websocket GSource
Commit-Id: a7b20a8efa28e5f22c26c06cd06c2f12bc863493
Bug-Debian: http://bugs.debian.org/880836
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publically reported in
https://bugs.launchpad.net/qemu/+bug/1718964
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
io/channel-websock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index 5a3badbec2..c02c2a66c9 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
#include "trace.h"
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
--
2.11.0
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Sat, 23 Sep 2017 19:31:59 +0300
Subject: remove trailing whitespace from qemu-options.hx
Commit-Id: a295d244e575c4e44432e26bfd4634a8dcbf48d7
Bug-Debian: http://bugs.debian.org/875711
Remove trailing whitespace in qemu-options documentation, as it causes
reproducibility issues depending on the echo implementation used by
the Makefile.
Reported-By: Vagrant Cascadian <vagrant@debian.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
qemu-options.hx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index 77859a248c..39225ae6c3 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -284,8 +284,8 @@ Set default value of @var{driver}'s property @var{prop} to @var{value}, e.g.:
qemu-system-i386 -global ide-hd.physical_block_size=4096 disk-image.img
@end example
-In particular, you can use this to set driver properties for devices which are
-created automatically by the machine model. To create a device which is not
+In particular, you can use this to set driver properties for devices which are
+created automatically by the machine model. To create a device which is not
created automatically and set properties on it, use -@option{device}.
-global @var{driver}.@var{prop}=@var{value} is shorthand for -global
--
2.11.0
use-fixed-data-path.patch
use-data-path.patch
qemu-2.10.1.diff
9pfs-use-g_malloc0-to-allocate-space-for-xattr-CVE-2017-15038.patch
remove-trailing-whitespace-from-qemu-options.hx.patch
io-monitor-encoutput-buffer-size-from-websocket-GSource-CVE-2017-15268.patch
cirrus-fix-oob-access-in-mode4and5-write-functions-CVE-2017-15289.patch
......@@ -20,32 +20,27 @@ This patch is debian-specific.
--- a/vl.c
+++ b/vl.c
@@ -125,7 +125,11 @@ int main(int argc, char **argv)
@@ -132,7 +132,7 @@ int main(int argc, char **argv)
#define MAX_VIRTIO_CONSOLES 1
#define MAX_SCLP_CONSOLES 1
-static const char *data_dir[16];
+#ifndef CONFIG_QEMU_DATAPATH
+# define CONFIG_QEMU_DATAPATH CONFIG_QEMU_DATADIR
+#endif
+static char qemu_datapath[] = CONFIG_QEMU_DATAPATH;
+static const char *data_dir[32];
static int data_dir_idx;
const char *bios_name = NULL;
enum vga_retrace_method vga_retrace_method = VGA_RETRACE_DUMB;
@@ -4057,9 +4061,12 @@ int main(int argc, char **argv, char **e
qemu_set_log(0);
}
@@ -4317,7 +4317,14 @@ int main(int argc, char **argv, char **e
/* qemu_add_data_dir(os_find_datadir()); */
- /* If all else fails use the install path specified when building. */
- if (data_dir_idx < ARRAY_SIZE(data_dir)) {
- data_dir[data_dir_idx++] = CONFIG_QEMU_DATADIR;
+ /* add standard dirs to data path */
+ for(optarg = strtok(qemu_datapath, ":");
+ optarg && data_dir_idx < ARRAY_SIZE(data_dir);
+ optarg = strtok(NULL, ":"))
+ {
+ data_dir[data_dir_idx++] = optarg;
}
/* add the datadir specified when building */
+#ifdef CONFIG_QEMU_DATAPATH
+ dirs = g_strsplit(CONFIG_QEMU_DATAPATH, G_SEARCHPATH_SEPARATOR_S, 0);
+ for (i = 0; dirs[i] != NULL; i++) {
+ qemu_add_data_dir(dirs[i]);
+ }
+#else
qemu_add_data_dir(CONFIG_QEMU_DATADIR);
+#endif
/* -L help lists the data directories and exits. */
if (list_data_dirs) {
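Review bot: The new `#ifdef CONFIG_QEMU_DATAPATH` loop hands every element of the g_strsplit() result to qemu_add_data_dir(), including empty strings: g_strsplit() keeps empty tokens for a leading, trailing or doubled separator, whereas the strtok() loop this refresh replaces skipped them, so a build-time CONFIG_QEMU_DATAPATH such as `a::b` would presumably register "" as a data directory. A guard such as `if (dirs[i][0] != '\0') { qemu_add_data_dir(dirs[i]); }` keeps the previous behaviour. The vector is never freed, which is correct only if qemu_add_data_dir() keeps the pointer rather than copying the string — that is not visible here and deserves a one-line comment such as `/* dirs is intentionally kept alive: data_dir[] references its strings */` once confirmed. `dirs` and `i` are not declared within this hunk, and main() begins and ends outside it.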
......@@ -9,7 +9,7 @@ and it will still work.
--- a/os-posix.c
+++ b/os-posix.c
@@ -75,6 +75,7 @@ void os_setup_signal_handling(void)
@@ -72,6 +72,7 @@ void os_setup_signal_handling(void)
sigaction(SIGTERM, &act, NULL);
}
......@@ -17,7 +17,7 @@ and it will still work.
/* Find a likely location for support files using the location of the binary.
For installed binaries this will be "$bindir/../share/qemu". When
running from the build tree this will be "$bindir/../pc-bios". */
@@ -109,6 +110,7 @@ char *os_find_datadir(void)
@@ -107,6 +108,7 @@ char *os_find_datadir(void)
}
#undef SHARE_SUFFIX
#undef BUILD_SUFFIX
......@@ -27,18 +27,12 @@ and it will still work.
{
--- a/vl.c
+++ b/vl.c
@@ -4115,14 +4115,6 @@ int main(int argc, char **argv, char **e
qemu_set_log(0);
@@ -4314,7 +4314,7 @@ int main(int argc, char **argv, char **e
}
- /* If no data_dir is specified then try to find it relative to the
- executable path. */
- if (data_dir_idx < ARRAY_SIZE(data_dir)) {
- data_dir[data_dir_idx] = os_find_datadir();
- if (data_dir[data_dir_idx] != NULL) {
- data_dir_idx++;
- }
- }
/* If all else fails use the install path specified when building. */
if (data_dir_idx < ARRAY_SIZE(data_dir)) {
data_dir[data_dir_idx++] = CONFIG_QEMU_DATADIR;
/* try to find datadir relative to the executable path */
- qemu_add_data_dir(os_find_datadir());
+ /* qemu_add_data_dir(os_find_datadir()); */
/* add the datadir specified when building */
qemu_add_data_dir(CONFIG_QEMU_DATADIR);
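Review bot: The refreshed hunk replaces `qemu_add_data_dir(os_find_datadir());` with the same line commented out instead of deleting it, leaving commented-out code at the call site with no statement of why the executable-relative lookup is disabled. A comment carrying the intent, e.g. `/* Debian: executable-relative data dir lookup is intentionally disabled */`, reads better than the dead call and keeps the reason with the code rather than only in the patch header. The same commented-out line appears as a context line in the earlier vl.c hunk on this page, so that patch now depends on this one being applied first; the series ordering should reflect that. main() begins and ends outside this hunk.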