01 Apr, 2014 (7 commits)
    • Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging · 82c6f513
      Peter Maydell authored

      Tracing pull request
      
      # gpg: Signature made Tue 01 Apr 2014 19:08:48 BST using RSA key ID 81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
      
      * remotes/stefanha/tags/tracing-pull-request:
        trace: add workaround for SystemTap PR13296
      
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • trace: add workaround for SystemTap PR13296 · 9bcec938
      Frank Ch. Eigler authored

      SystemTap sdt.h sometimes results in compiled probes without sufficient
      information to extract arguments.  This can be solved in a slightly
      hacky way by encouraging the compiler to place arguments into registers.
      
      This patch fixes the apic_reset_irq_delivered() trace event on Fedora 20
      with gcc-4.8.2-7.fc20 and systemtap-sdt-devel-2.4-2.fc20 on x86_64.
      
      Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    • Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging · 53e11bd3
      Peter Maydell authored

      Block pull request
      
      # gpg: Signature made Tue 01 Apr 2014 18:11:16 BST using RSA key ID 81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
      
      * remotes/stefanha/tags/block-pull-request: (51 commits)
        qcow2: link all L2 meta updates in preallocate()
        parallels: Sanity check for s->tracks (CVE-2014-0142)
        parallels: Fix catalog size integer overflow (CVE-2014-0143)
        qcow2: Limit snapshot table size
        qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
        qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
        qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
        qcow2: Fix copy_sectors() with VM state
        block: Limit request size (CVE-2014-0143)
        block: vdi bounds check qemu-io tests
        dmg: prevent chunk buffer overflow (CVE-2014-0145)
        dmg: use uint64_t consistently for sectors and lengths
        dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
        dmg: use appropriate types when reading chunks
        dmg: drop broken bdrv_pread() loop
        dmg: prevent out-of-bounds array access on terminator
        dmg: coding style and indentation cleanup
        qcow2: Fix new L1 table size check (CVE-2014-0143)
        qcow2: Protect against some integer overflows in bdrv_check
        qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
        ...
      
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-7' into staging · 507979a8
      Peter Maydell authored

      input bugfixes for 2.0
      
      # gpg: Signature made Tue 01 Apr 2014 10:16:43 BST using RSA key ID D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
      # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
      
      * remotes/kraxel/tags/pull-input-7:
        input: add sanity check
        input: mouse_set should check input device type.
        input: fix input_event_key_number trace event
      
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • qcow2: link all L2 meta updates in preallocate() · c792707f
      Stefan Hajnoczi authored

      preallocate() only links the first QCowL2Meta's data clusters into the
      L2 table and ignores any chained QCowL2Metas in the linked list.
      
      Chains of QCowL2Meta structs are built up when contiguous clusters span
      L2 tables.  Each QCowL2Meta describes one L2 table update.  This is a
      rare case in preallocate() but can happen.
      
      This patch fixes preallocate() by iterating over the whole list of
      QCowL2Metas.  Compare with the qcow2_co_writev() function's
      implementation, which is similar but also handles request
      dependencies.  preallocate() only performs one allocation at a time so
      there can be no dependencies.
      
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    • parallels: Sanity check for s->tracks (CVE-2014-0142) · 9302e863
      Kevin Wolf authored

      This avoids a possible division by zero.
      
      Convert s->tracks to unsigned as well because it feels better than
      surviving just because the results of calculations with s->tracks are
      converted to unsigned anyway.
      
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Reviewed-by: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    • parallels: Fix catalog size integer overflow (CVE-2014-0143) · afbcc40b
      Kevin Wolf authored

      The first test case would cause a huge memory allocation, leading to a
      qemu abort; the second one to a too small malloc() for the catalog
      (smaller than s->catalog_size), which causes a read-only out-of-bounds
      array access and on big endian hosts an endianness conversion for an
      undefined memory area.
      
      The sample image used here is not an original Parallels image. It was
      created using a hex editor on the basis of the struct that qemu uses.
      Good enough for trying to crash the driver, but not for ensuring
      compatibility.
      
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Reviewed-by: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>