35 changed files with 0 additions and 1965 deletions
@ -1 +0,0 @@ |
|||
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d |
@ -1 +0,0 @@ |
|||
KERNEL=="kvm", GROUP="kvm", MODE="0660" |
@ -1,14 +0,0 @@ |
|||
# This should have the following permissions: root:qemu 0640 |
|||
|
|||
# allow br0 |
|||
# Uncommenting the above would allow users in the 'qemu' group |
|||
# to add devices to 'br0' |
|||
|
|||
# allow virbr0 |
|||
# Uncommenting the above would allow users in the 'qemu' group |
|||
# to add devices to 'virbr0' |
|||
|
|||
# include /etc/qemu/bob.conf |
|||
# Uncommenting the above would allow users in the 'bob' group |
|||
# to have permissions defined in it, iff it has the following |
|||
# permissions: root:bob 0640 |
@ -1,13 +0,0 @@ |
|||
--- a/configure
|
|||
+++ b/configure
|
|||
@@ -4468,10 +4468,6 @@ fi
|
|||
if test "$gcov" = "yes" ; then |
|||
CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS" |
|||
LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS" |
|||
-elif test "$fortify_source" = "yes" ; then
|
|||
- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
|
|||
-elif test "$debug" = "no"; then
|
|||
- CFLAGS="-O2 $CFLAGS"
|
|||
fi |
|||
|
|||
########################################## |
@ -1,15 +0,0 @@ |
|||
Linux C libs are moving away from implicit header pollution with sys/types.h |
|||
|
|||
--- a/include/qemu/osdep.h
|
|||
+++ b/include/qemu/osdep.h
|
|||
@@ -78,6 +78,10 @@ extern int daemon(int, int);
|
|||
#include <assert.h> |
|||
#include <signal.h> |
|||
|
|||
+#ifdef __linux__
|
|||
+#include <sys/sysmacros.h>
|
|||
+#endif
|
|||
+
|
|||
#ifdef __OpenBSD__ |
|||
#include <sys/signal.h> |
|||
#endif |
@ -1,27 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In Vmxnet3 device emulator while processing transmit(tx) queue, |
|||
when it reaches end of packet, it calls vmxnet3_complete_packet. |
|||
In that local 'txcq_descr' object is not initialised, which could |
|||
leak host memory bytes a guest. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/vmxnet3.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
|||
index 90f6943..92f6af9 100644
|
|||
--- a/hw/net/vmxnet3.c
|
|||
+++ b/hw/net/vmxnet3.c
|
|||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
|||
|
|||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); |
|||
|
|||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
|||
txcq_descr.txdIdx = tx_ridx; |
|||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); |
|||
|
|||
--
|
|||
2.5.5 |
@ -1,81 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Vmware Paravirtual SCSI emulation uses command descriptors to |
|||
process SCSI commands. These descriptors come with their ring |
|||
buffers. A guest could set the page count for these rings to |
|||
an arbitrary value, leading to infinite loop or OOB access. |
|||
Add check to avoid it. |
|||
|
|||
Reported-by: Tom Victor <address@hidden> |
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/scsi/vmw_pvscsi.c | 21 ++++++++++----------- |
|||
1 file changed, 10 insertions(+), 11 deletions(-) |
|||
|
|||
Update per review |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html |
|||
|
|||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|||
index 5116f4a..4245c15 100644
|
|||
--- a/hw/scsi/vmw_pvscsi.c
|
|||
+++ b/hw/scsi/vmw_pvscsi.c
|
|||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
|||
return log; |
|||
} |
|||
|
|||
-static int
|
|||
+static void
|
|||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) |
|||
{ |
|||
int i; |
|||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
|||
uint32_t req_ring_size, cmp_ring_size; |
|||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; |
|||
|
|||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
|||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
|||
- return -1;
|
|||
- }
|
|||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; |
|||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; |
|||
txr_len_log2 = pvscsi_log2(req_ring_size - 1); |
|||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
|||
|
|||
/* Flush ring state page changes */ |
|||
smp_wmb(); |
|||
-
|
|||
- return 0;
|
|||
} |
|||
|
|||
static int |
|||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
|||
|
|||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); |
|||
for (i = 0; i < rc->cmpRingNumPages; i++) { |
|||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
|||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
|||
} |
|||
} |
|||
|
|||
@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
|||
|
|||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); |
|||
|
|||
+ if (!rc->reqRingNumPages
|
|||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
|||
+ || !rc->cmpRingNumPages
|
|||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
|||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
|||
+ }
|
|||
+
|
|||
pvscsi_dbg_dump_tx_rings_config(rc); |
|||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
|||
- return PVSCSI_COMMAND_PROCESSING_FAILED;
|
|||
- }
|
|||
+ pvscsi_ring_init_data(&s->rings, rc);
|
|||
|
|||
s->rings_info_valid = TRUE; |
|||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; |
|||
--
|
|||
2.5.5 |
@ -1,62 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very |
|||
long time or go into an infinite loop due to two different bugs: |
|||
|
|||
1) the request descriptor data length is defined to be 64 bit. While |
|||
building SG list from a request descriptor, it gets truncated to 32bit |
|||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop |
|||
situation for large 'dataLen' values, when data_length is cast to uint32_t |
|||
and chunk_size becomes always zero. Fix this by removing the incorrect |
|||
cast. |
|||
|
|||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the |
|||
element has a zero length. Get out of the loop early when this happens, |
|||
by introducing an upper limit on the number of SG list elements. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/scsi/vmw_pvscsi.c | 11 ++++++----- |
|||
1 file changed, 6 insertions(+), 5 deletions(-) |
|||
|
|||
Update as per: |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html |
|||
|
|||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|||
index 4245c15..babac5a 100644
|
|||
--- a/hw/scsi/vmw_pvscsi.c
|
|||
+++ b/hw/scsi/vmw_pvscsi.c
|
|||
@@ -40,6 +40,8 @@
|
|||
#define PVSCSI_MAX_DEVS (64) |
|||
#define PVSCSI_MSIX_NUM_VECTORS (1) |
|||
|
|||
+#define PVSCSI_MAX_SG_ELEM 2048
|
|||
+
|
|||
#define PVSCSI_MAX_CMD_DATA_WORDS \ |
|||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) |
|||
|
|||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
|||
static void |
|||
pvscsi_convert_sglist(PVSCSIRequest *r) |
|||
{ |
|||
- int chunk_size;
|
|||
+ uint32_t chunk_size, elmcnt = 0;
|
|||
uint64_t data_length = r->req.dataLen; |
|||
PVSCSISGState sg = r->sg; |
|||
- while (data_length) {
|
|||
- while (!sg.resid) {
|
|||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
|||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
|||
pvscsi_get_next_sg_elem(&sg); |
|||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, |
|||
r->sg.resid); |
|||
} |
|||
- assert(data_length > 0);
|
|||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
|||
+ chunk_size = MIN(data_length, sg.resid);
|
|||
if (chunk_size) { |
|||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); |
|||
} |
|||
--
|
|||
2.5.5 |
@ -1,28 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
When LSI SAS1068 Host Bus emulator builds configuration page |
|||
headers, the format string used in 'mptsas_config_manufacturing_1' |
|||
was wrong. It could lead to an invalid memory access. |
|||
|
|||
Reported-by: Tom Victor <address@hidden> |
|||
Fix-suggested-by: Paolo Bonzini <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/scsi/mptconfig.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
|||
index 7071854..1ec895b 100644
|
|||
--- a/hw/scsi/mptconfig.c
|
|||
+++ b/hw/scsi/mptconfig.c
|
|||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
|||
{ |
|||
/* VPD - all zeros */ |
|||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, |
|||
- "s256");
|
|||
+ "*s256");
|
|||
} |
|||
|
|||
static |
|||
--
|
|||
2.5.5 |
@ -1,27 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
When LSI SAS1068 Host Bus emulator builds configuration page |
|||
headers, mptsas_config_pack() asserts to check returned size |
|||
value is within limit of 256 bytes. Fix that assert expression. |
|||
|
|||
Suggested-by: Paolo Bonzini <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/scsi/mptconfig.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
|||
index 1ec895b..531947f 100644
|
|||
--- a/hw/scsi/mptconfig.c
|
|||
+++ b/hw/scsi/mptconfig.c
|
|||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
|||
va_end(ap); |
|||
|
|||
if (data) { |
|||
- assert(ret < 256 && (ret % 4) == 0);
|
|||
+ assert(ret / 4 < 256);
|
|||
stb_p(*data + 1, ret / 4); |
|||
} |
|||
return ret; |
|||
--
|
|||
2.5.5 |
@ -1,40 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, |
|||
the computed BITMAP and PIXMAP size are checked against the |
|||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. |
|||
Correct these checks to avoid OOB memory access. |
|||
|
|||
Reported-by: Qinghao Tang <address@hidden> |
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/display/vmware_vga.c | 12 +++++++----- |
|||
1 file changed, 7 insertions(+), 5 deletions(-) |
|||
|
|||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
|||
index e51a05e..6599cf0 100644
|
|||
--- a/hw/display/vmware_vga.c
|
|||
+++ b/hw/display/vmware_vga.c
|
|||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
|||
cursor.bpp = vmsvga_fifo_read(s); |
|||
|
|||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); |
|||
- if (cursor.width > 256 ||
|
|||
- cursor.height > 256 ||
|
|||
- cursor.bpp > 32 ||
|
|||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
|||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
|||
+ if (cursor.width > 256
|
|||
+ || cursor.height > 256
|
|||
+ || cursor.bpp > 32
|
|||
+ || SVGA_BITMAP_SIZE(x, y)
|
|||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
|||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
|||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
|||
goto badcmd; |
|||
} |
|||
|
|||
--
|
|||
2.5.5 |
|||
|
@ -1,34 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Vmware Paravirtual SCSI emulator while processing IO requests |
|||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr' |
|||
always returned positive value. Limit IO loop to the ring size. |
|||
|
|||
Cc: address@hidden |
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
Message-Id: <address@hidden> |
|||
Signed-off-by: Paolo Bonzini <address@hidden> |
|||
---
|
|||
hw/scsi/vmw_pvscsi.c | 5 ++++- |
|||
1 file changed, 4 insertions(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|||
index babac5a..a5ce7de 100644
|
|||
--- a/hw/scsi/vmw_pvscsi.c
|
|||
+++ b/hw/scsi/vmw_pvscsi.c
|
|||
@@ -247,8 +247,11 @@ static hwaddr
|
|||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) |
|||
{ |
|||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); |
|||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
|||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
|||
|
|||
- if (ready_ptr != mgr->consumed_ptr) {
|
|||
+ if (ready_ptr != mgr->consumed_ptr
|
|||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
|||
uint32_t next_ready_ptr = |
|||
mgr->consumed_ptr++ & mgr->txr_len_mask; |
|||
uint32_t next_ready_page = |
|||
--
|
|||
1.8.3.1 |
@ -1,38 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
virtio back end uses set of buffers to facilitate I/O operations. |
|||
If its size is too large, 'cpu_physical_memory_map' could return |
|||
a null address. This would result in a null dereference |
|||
while un-mapping descriptors. Add check to avoid it. |
|||
|
|||
Reported-by: Qinghao Tang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/virtio/virtio.c | 10 ++++++---- |
|||
1 file changed, 6 insertions(+), 4 deletions(-) |
|||
|
|||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
|||
index 15ee3a7..0a4c5b6 100644
|
|||
--- a/hw/virtio/virtio.c
|
|||
+++ b/hw/virtio/virtio.c
|
|||
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
|||
} |
|||
|
|||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); |
|||
- iov[num_sg].iov_len = len;
|
|||
- addr[num_sg] = pa;
|
|||
+ if (iov[num_sg].iov_base) {
|
|||
+ iov[num_sg].iov_len = len;
|
|||
+ addr[num_sg] = pa;
|
|||
|
|||
+ pa += len;
|
|||
+ num_sg++;
|
|||
+ }
|
|||
sz -= len; |
|||
- pa += len;
|
|||
- num_sg++;
|
|||
} |
|||
*p_num_sg = num_sg; |
|||
} |
|||
--
|
|||
2.5.5 |
@ -1,31 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
When processing IO request in mptsas, it uses g_new to allocate |
|||
a 'req' object. If an error occurs before 'req->sreq' is |
|||
allocated, It could lead to an OOB write in mptsas_free_request |
|||
function. Use g_new0 to avoid it. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
Message-Id: <address@hidden> |
|||
Cc: address@hidden |
|||
Signed-off-by: Paolo Bonzini <address@hidden> |
|||
---
|
|||
hw/scsi/mptsas.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
|||
index 0e0a22f..eaae1bb 100644
|
|||
--- a/hw/scsi/mptsas.c
|
|||
+++ b/hw/scsi/mptsas.c
|
|||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
|||
goto bad; |
|||
} |
|||
|
|||
- req = g_new(MPTSASRequest, 1);
|
|||
+ req = g_new0(MPTSASRequest, 1);
|
|||
QTAILQ_INSERT_TAIL(&s->pending, req, next); |
|||
req->scsi_io = *scsi_io; |
|||
req->dev = s; |
|||
--
|
|||
1.8.3.1 |
@ -1,26 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
If the xhci uses msix, it doesn't free the corresponding |
|||
memory, thus leading a memory leak. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/usb/hcd-xhci.c | 3 +-- |
|||
1 file changed, 1 insertion(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|||
index 188f954..281a2a5 100644
|
|||
--- a/hw/usb/hcd-xhci.c
|
|||
+++ b/hw/usb/hcd-xhci.c
|
|||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
|||
/* destroy msix memory region */ |
|||
if (dev->msix_table && dev->msix_pba |
|||
&& dev->msix_entry_used) { |
|||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
|||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
|||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
|||
} |
|||
|
|||
usb_bus_release(&xhci->bus); |
|||
--
|
|||
1.8.3.1 |
@ -1,45 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
i.MX Fast Ethernet Controller uses buffer descriptors to manage |
|||
data flow to/fro receive & transmit queues. While transmitting |
|||
packets, it could continue to read buffer descriptors if a buffer |
|||
descriptor has length of zero and has crafted values in bd.flags. |
|||
Set an upper limit to number of buffer descriptors. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/imx_fec.c | 6 ++++-- |
|||
1 file changed, 4 insertions(+), 2 deletions(-) |
|||
|
|||
Update per |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html |
|||
|
|||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
|||
index 1c415ab..1d74827 100644
|
|||
--- a/hw/net/imx_fec.c
|
|||
+++ b/hw/net/imx_fec.c
|
|||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
|||
#define PHY_INT_PARFAULT (1 << 2) |
|||
#define PHY_INT_AUTONEG_PAGE (1 << 1) |
|||
|
|||
+#define IMX_MAX_DESC 1024
|
|||
+
|
|||
static void imx_eth_update(IMXFECState *s); |
|||
|
|||
/* |
|||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
|||
|
|||
static void imx_fec_do_tx(IMXFECState *s) |
|||
{ |
|||
- int frame_size = 0;
|
|||
+ int frame_size = 0, descnt = 0;
|
|||
uint8_t frame[ENET_MAX_FRAME_SIZE]; |
|||
uint8_t *ptr = frame; |
|||
uint32_t addr = s->tx_descriptor; |
|||
|
|||
- while (1) {
|
|||
+ while (descnt++ < IMX_MAX_DESC) {
|
|||
IMXFECBufDesc bd; |
|||
int len; |
|||
|
@ -1,52 +0,0 @@ |
|||
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 |
|||
From: Prasad J Pandit <pjp@fedoraproject.org> |
|||
Date: Thu, 22 Sep 2016 16:02:37 +0530 |
|||
Subject: [PATCH] net: mcf: limit buffer descriptor count |
|||
|
|||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage |
|||
data flow to/fro receive & transmit queues. While transmitting |
|||
packets, it could continue to read buffer descriptors if a buffer |
|||
descriptor has length of zero and has crafted values in bd.flags. |
|||
Set upper limit to number of buffer descriptors. |
|||
|
|||
Reported-by: Li Qiang <liqiang6-s@360.cn> |
|||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
|||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> |
|||
Signed-off-by: Jason Wang <jasowang@redhat.com> |
|||
---
|
|||
hw/net/mcf_fec.c | 5 +++-- |
|||
1 files changed, 3 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
|||
index 0ee8ad9..d31fea1 100644
|
|||
--- a/hw/net/mcf_fec.c
|
|||
+++ b/hw/net/mcf_fec.c
|
|||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
|||
#define DPRINTF(fmt, ...) do {} while(0) |
|||
#endif |
|||
|
|||
+#define FEC_MAX_DESC 1024
|
|||
#define FEC_MAX_FRAME_SIZE 2032 |
|||
|
|||
typedef struct { |
|||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
|||
uint32_t addr; |
|||
mcf_fec_bd bd; |
|||
int frame_size; |
|||
- int len;
|
|||
+ int len, descnt = 0;
|
|||
uint8_t frame[FEC_MAX_FRAME_SIZE]; |
|||
uint8_t *ptr; |
|||
|
|||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
|||
ptr = frame; |
|||
frame_size = 0; |
|||
addr = s->tx_descriptor; |
|||
- while (1) {
|
|||
+ while (descnt++ < FEC_MAX_DESC) {
|
|||
mcf_fec_read_bd(&bd, addr); |
|||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n", |
|||
addr, bd.flags, bd.length, bd.data); |
|||
--
|
|||
1.7.0.4 |
|||
|
@ -1,32 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
The AMD PC-Net II emulator has set of control and status(CSR) |
|||
registers. Of these, CSR76 and CSR78 hold receive and transmit |
|||
descriptor ring length respectively. This ring length could range |
|||
from 1 to 65535. Setting ring length to zero leads to an infinite |
|||
loop in pcnet_rdra_addr. Add check to avoid it. |
|||
|
|||
Reported-by: Li Qiang <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/pcnet.c | 3 +++ |
|||
1 file changed, 3 insertions(+) |
|||
|
|||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
|||
index 198a01f..3078de8 100644
|
|||
--- a/hw/net/pcnet.c
|
|||
+++ b/hw/net/pcnet.c
|
|||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
|||
case 47: /* POLLINT */ |
|||
case 72: |
|||
case 74: |
|||
+ break;
|
|||
case 76: /* RCVRL */ |
|||
case 78: /* XMTRL */ |
|||
+ val = (val > 0) ? val : 512;
|
|||
+ break;
|
|||
case 112: |
|||
if (CSR_STOP(s) || CSR_SPND(s)) |
|||
break; |
|||
--
|
|||
2.5.5 |
@ -1,25 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In virtio gpu resource create dispatch, if the pixman format is zero |
|||
it doesn't free the resource object allocated previously. Thus leading |
|||
a host memory leak issue. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/display/virtio-gpu.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
|||
index 7fe6ed8..5b6d17b 100644
|
|||
--- a/hw/display/virtio-gpu.c
|
|||
+++ b/hw/display/virtio-gpu.c
|
|||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
|||
qemu_log_mask(LOG_GUEST_ERROR, |
|||
"%s: host couldn't handle guest format %d\n", |
|||
__func__, c2d.format); |
|||
+ g_free(res);
|
|||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; |
|||
return; |
|||
} |
|||
--
|
|||
1.8.3.1 |
@ -1,26 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
While processing isochronous transfer descriptors(iTD), if the page |
|||
select(PG) field value is out of bands it will return. In this |
|||
situation the ehci's sg list doesn't be freed thus leading a memory |
|||
leak issue. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/usb/hcd-ehci.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|||
index b093db7..f4ece9a 100644
|
|||
--- a/hw/usb/hcd-ehci.c
|
|||
+++ b/hw/usb/hcd-ehci.c
|
|||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
|||
if (off + len > 4096) { |
|||
/* transfer crosses page border */ |
|||
if (pg == 6) { |
|||
+ qemu_sglist_destroy(&ehci->isgl);
|
|||
return -1; /* avoid page pg + 1 */ |
|||
} |
|||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); |
|||
--
|
|||
1.8.3.1 |
@ -1,61 +0,0 @@ |
|||
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 |
|||
From: Gerd Hoffmann <address@hidden> |
|||
Date: Fri, 7 Oct 2016 10:15:29 +0200 |
|||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process |
|||
|
|||
Signed-off-by: Gerd Hoffmann <address@hidden> |
|||
---
|
|||
hw/usb/hcd-xhci.c | 10 ++++++++++ |
|||
1 file changed, 10 insertions(+) |
|||
|
|||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|||
index 726435c..ee4fa48 100644
|
|||
--- a/hw/usb/hcd-xhci.c
|
|||
+++ b/hw/usb/hcd-xhci.c
|
|||
@@ -54,6 +54,8 @@
|
|||
* to the specs when it gets them */ |
|||
#define ER_FULL_HACK |
|||
|
|||
+#define TRB_LINK_LIMIT 4
|
|||
+
|
|||
#define LEN_CAP 0x40 |
|||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS) |
|||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) |
|||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
|||
dma_addr_t *addr) |
|||
{ |
|||
PCIDevice *pci_dev = PCI_DEVICE(xhci); |
|||
+ uint32_t link_cnt = 0;
|
|||
|
|||
while (1) { |
|||
TRBType type; |
|||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
|||
ring->dequeue += TRB_SIZE; |
|||
return type; |
|||
} else { |
|||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
|||
+ return 0;
|
|||
+ }
|
|||
ring->dequeue = xhci_mask64(trb->parameter); |
|||
if (trb->control & TRB_LK_TC) { |
|||
ring->ccs = !ring->ccs; |
|||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
|||
bool ccs = ring->ccs; |
|||
/* hack to bundle together the two/three TDs that make a setup transfer */ |
|||
bool control_td_set = 0; |
|||
+ uint32_t link_cnt = 0;
|
|||
|
|||
while (1) { |
|||
TRBType type; |
|||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
|||
type = TRB_TYPE(trb); |
|||
|
|||
if (type == TR_LINK) { |
|||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
|||
+ return -length;
|
|||
+ }
|
|||
dequeue = xhci_mask64(trb.parameter); |
|||
if (trb.control & TRB_LK_TC) { |
|||
ccs = !ccs; |
|||
--
|
|||
1.8.3.1 |
@ -1,34 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector |
|||
object thus causing potential memory leak. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/9pfs/9p.c | 5 +++-- |
|||
1 file changed, 3 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 119ee58..543a791 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
|
|||
if (len < 0) { |
|||
/* IO error return the error */ |
|||
err = len; |
|||
- goto out;
|
|||
+ goto out_free_iovec;
|
|||
} |
|||
} while (count < max_count && len > 0); |
|||
err = pdu_marshal(pdu, offset, "d", count); |
|||
if (err < 0) { |
|||
- goto out;
|
|||
+ goto out_free_iovec;
|
|||
} |
|||
err += offset + count; |
|||
+out_free_iovec:
|
|||
qemu_iovec_destroy(&qiov); |
|||
qemu_iovec_destroy(&qiov_full); |
|||
} else if (fidp->fid_type == P9_FID_XATTR) { |
|||
--
|
|||
1.8.3.1 |
@ -1,58 +0,0 @@ |
|||
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 |
|||
From: Li Qiang <liqiang6-s@360.cn> |
|||
Date: Mon, 17 Oct 2016 14:13:58 +0200 |
|||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings |
|||
|
|||
If a guest sends an empty string paramater to any 9P operation, the current |
|||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. |
|||
|
|||
This is unfortunate because it can cause NULL pointer dereference to happen |
|||
at various locations in the 9pfs code. And we don't want to check str->data |
|||
everywhere we pass it to strcmp() or any other function which expects a |
|||
dereferenceable pointer. |
|||
|
|||
This patch enforces the allocation of genuine C empty strings instead, so |
|||
callers don't have to bother. |
|||
|
|||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if |
|||
the returned string is empty. It now uses v9fs_string_size() since |
|||
name.data cannot be NULL anymore. |
|||
|
|||
Signed-off-by: Li Qiang <liqiang6-s@360.cn> |
|||
[groug, rewritten title and changelog, |
|||
fix empty string check in v9fs_xattrwalk()] |
|||
Signed-off-by: Greg Kurz <groug@kaod.org> |
|||
---
|
|||
fsdev/9p-iov-marshal.c | 2 +- |
|||
hw/9pfs/9p.c | 2 +- |
|||
2 files changed, 2 insertions(+), 2 deletions(-) |
|||
|
|||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
|||
index 663cad5..1d16f8d 100644
|
|||
--- a/fsdev/9p-iov-marshal.c
|
|||
+++ b/fsdev/9p-iov-marshal.c
|
|||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
|||
str->data = g_malloc(str->size + 1); |
|||
copied = v9fs_unpack(str->data, out_sg, out_num, offset, |
|||
str->size); |
|||
- if (copied > 0) {
|
|||
+ if (copied >= 0) {
|
|||
str->data[str->size] = 0; |
|||
} else { |
|||
v9fs_string_free(str); |
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 119ee58..39a7e1d 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
|
|||
goto out; |
|||
} |
|||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); |
|||
- if (name.data == NULL) {
|
|||
+ if (!v9fs_string_size(&name)) {
|
|||
/* |
|||
* listxattr request. Get the size first |
|||
*/ |
|||
--
|
|||
2.7.3 |
|||
|
@ -1,30 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Rocker network switch emulator has test registers to help debug |
|||
DMA operations. While testing host DMA access, a buffer address |
|||
is written to register 'TEST_DMA_ADDR' and its size is written to |
|||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT |
|||
test, if DMA buffer size was greater than 'INT_MAX', it leads to |
|||
an invalid buffer access. Limit the DMA buffer size to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/rocker/rocker.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
|||
index 30f2ce4..e9d215a 100644
|
|||
--- a/hw/net/rocker/rocker.c
|
|||
+++ b/hw/net/rocker/rocker.c
|
|||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
|||
rocker_msix_irq(r, val); |
|||
break; |
|||
case ROCKER_TEST_DMA_SIZE: |
|||
- r->test_dma_size = val;
|
|||
+ r->test_dma_size = val & 0xFFFF;
|
|||
break; |
|||
case ROCKER_TEST_DMA_ADDR + 4: |
|||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; |
|||
--
|
|||
2.5.5 |
@ -1,29 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
The JAZZ RC4030 chipset emulator has a periodic timer and |
|||
associated interval reload register. The reload value is used |
|||
as divider when computing timer's next tick value. If reload |
|||
value is large, it could lead to divide by zero error. Limit |
|||
the interval reload value to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/dma/rc4030.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
|
|||
index 2f2576f..c1b4997 100644
|
|||
--- a/hw/dma/rc4030.c
|
|||
+++ b/hw/dma/rc4030.c
|
|||
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
|
|||
break; |
|||
/* Interval timer reload */ |
|||
case 0x0228: |
|||
- s->itr = val;
|
|||
+ s->itr = val & 0x01FF;
|
|||
qemu_irq_lower(s->timer_irq); |
|||
set_next_tick(s); |
|||
break; |
|||
--
|
|||
2.5.5 |
@ -1,34 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
16550A UART device uses an oscillator to generate frequencies |
|||
(baud base), which decide communication speed. This speed could |
|||
be changed by dividing it by a divider. If the divider is |
|||
greater than the baud base, speed is set to zero, leading to a |
|||
divide by zero error. Add check to avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/char/serial.c | 3 ++- |
|||
1 file changed, 2 insertions(+), 1 deletion(-) |
|||
|
|||
Update per |
|||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html |
|||
|
|||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
|||
index 3442f47..eec72b7 100644
|
|||
--- a/hw/char/serial.c
|
|||
+++ b/hw/char/serial.c
|
|||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
|||
int speed, parity, data_bits, stop_bits, frame_size; |
|||
QEMUSerialSetParams ssp; |
|||
|
|||
- if (s->divider == 0)
|
|||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
|||
return; |
|||
+ }
|
|||
|
|||
/* Start bit. */ |
|||
frame_size = 1; |
|||
--
|
|||
2.5.5 |
@ -1,31 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
Intel HDA emulator uses stream of buffers during DMA data |
|||
transfers. Each entry has buffer length and buffer pointer |
|||
position, which are used to derive bytes to 'copy'. If this |
|||
length and buffer pointer were to be same, 'copy' could be |
|||
set to zero(0), leading to an infinite loop. Add check to |
|||
avoid it. |
|||
|
|||
Reported-by: Huawei PSIRT <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/audio/intel-hda.c | 3 ++- |
|||
1 file changed, 2 insertions(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
|||
index cd95340..537face 100644
|
|||
--- a/hw/audio/intel-hda.c
|
|||
+++ b/hw/audio/intel-hda.c
|
|||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
|||
} |
|||
|
|||
left = len; |
|||
- while (left > 0) {
|
|||
+ s = st->bentries;
|
|||
+ while (left > 0 && s-- > 0) {
|
|||
copy = left; |
|||
if (copy > st->bsize - st->lpib) |
|||
copy = st->bsize - st->lpib; |
|||
--
|
|||
2.7.4 |
@ -1,29 +0,0 @@ |
|||
From: Prasad J Pandit <address@hidden> |
|||
|
|||
RTL8139 ethernet controller in C+ mode supports multiple |
|||
descriptor rings, each with maximum of 64 descriptors. While |
|||
processing transmit descriptor ring in 'rtl8139_cplus_transmit', |
|||
it does not limit the descriptor count and runs forever. Add |
|||
check to avoid it. |
|||
|
|||
Reported-by: Andrew Henderson <address@hidden> |
|||
Signed-off-by: Prasad J Pandit <address@hidden> |
|||
---
|
|||
hw/net/rtl8139.c | 2 +- |
|||
1 file changed, 1 insertion(+), 1 deletion(-) |
|||
|
|||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
|||
index 3345bc6..f05e59c 100644
|
|||
--- a/hw/net/rtl8139.c
|
|||
+++ b/hw/net/rtl8139.c
|
|||
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
|||
{ |
|||
int txcount = 0; |
|||
|
|||
- while (rtl8139_cplus_transmit_one(s))
|
|||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
|||
{ |
|||
++txcount; |
|||
} |
|||
--
|
|||
2.7.4 |
@ -1,21 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the |
|||
situation that this field has been allocated previously. Every time, it |
|||
will be allocated directly. This leads a host memory leak issue. This |
|||
patch fix this. |
|||
|
|||
--
|
|||
1.8.3.1 |
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 75ba5f1..a4c7109 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
|
|||
xattr_fidp->fs.xattr.flags = flags; |
|||
v9fs_string_init(&xattr_fidp->fs.xattr.name); |
|||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); |
|||
+ g_free(xattr_fidp->fs.xattr.value);
|
|||
xattr_fidp->fs.xattr.value = g_malloc(size); |
|||
err = offset; |
|||
put_fid(pdu, file_fidp); |
@ -1,27 +0,0 @@ |
|||
Author: Li Qiang <liqiang6-s@360.cn> |
|||
Date: Mon Oct 17 14:13:58 2016 +0200 |
|||
|
|||
9pfs: fix information leak in xattr read |
|||
|
|||
9pfs uses g_malloc() to allocate the xattr memory space, if the guest |
|||
reads this memory before writing to it, this will leak host heap memory |
|||
to the guest. This patch avoid this. |
|||
|
|||
Signed-off-by: Li Qiang <liqiang6-s@360.cn> |
|||
Reviewed-by: Greg Kurz <groug@kaod.org> |
|||
Signed-off-by: Greg Kurz <groug@kaod.org> |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 26aa7d5..bf23b01 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
|
|||
xattr_fidp->fs.xattr.flags = flags; |
|||
v9fs_string_init(&xattr_fidp->fs.xattr.name); |
|||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); |
|||
g_free(xattr_fidp->fs.xattr.value); |
|||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
|||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
|||
err = offset; |
|||
put_fid(pdu, file_fidp); |
|||
out_nofid: |
@ -1,92 +0,0 @@ |
|||
From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001 |
|||
From: Li Qiang <liqiang6-s@360.cn> |
|||
Date: Tue, 1 Nov 2016 12:00:40 +0100 |
|||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write |
|||
MIME-Version: 1.0 |
|||
Content-Type: text/plain; charset=UTF-8 |
|||
Content-Transfer-Encoding: 8bit |
|||
|
|||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest |
|||
originated offset: they must ensure this offset does not go beyond |
|||
the size of the extended attribute that was set in v9fs_xattrcreate(). |
|||
Unfortunately, the current code implement these checks with unsafe |
|||
calculations on 32 and 64 bit values, which may allow a malicious |
|||
guest to cause OOB access anyway. |
|||
|
|||
Fix this by comparing the offset and the xattr size, which are |
|||
both uint64_t, before trying to compute the effective number of bytes |
|||
to read or write. |
|||
|
|||
Suggested-by: Greg Kurz <groug@kaod.org> |
|||
Signed-off-by: Li Qiang <liqiang6-s@360.cn> |
|||
Reviewed-by: Greg Kurz <groug@kaod.org> |
|||
Reviewed-By: Guido Günther <agx@sigxcpu.org> |
|||
Signed-off-by: Greg Kurz <groug@kaod.org> |
|||
---
|
|||
hw/9pfs/9p.c | 32 ++++++++++++-------------------- |
|||
1 file changed, 12 insertions(+), 20 deletions(-) |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index ab18ef2..7705ead 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
|||
{ |
|||
ssize_t err; |
|||
size_t offset = 7; |
|||
- int read_count;
|
|||
- int64_t xattr_len;
|
|||
+ uint64_t read_count;
|
|||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state); |
|||
VirtQueueElement *elem = v->elems[pdu->idx]; |
|||
|
|||
- xattr_len = fidp->fs.xattr.len;
|
|||
- read_count = xattr_len - off;
|
|||
+ if (fidp->fs.xattr.len < off) {
|
|||
+ read_count = 0;
|
|||
+ } else {
|
|||
+ read_count = fidp->fs.xattr.len - off;
|
|||
+ }
|
|||
if (read_count > max_count) { |
|||
read_count = max_count; |
|||
- } else if (read_count < 0) {
|
|||
- /*
|
|||
- * read beyond XATTR value
|
|||
- */
|
|||
- read_count = 0;
|
|||
} |
|||
err = pdu_marshal(pdu, offset, "d", read_count); |
|||
if (err < 0) { |
|||
@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
|||
{ |
|||
int i, to_copy; |
|||
ssize_t err = 0; |
|||
- int write_count;
|
|||
- int64_t xattr_len;
|
|||
+ uint64_t write_count;
|
|||
size_t offset = 7; |
|||
|
|||
|
|||
- xattr_len = fidp->fs.xattr.len;
|
|||
- write_count = xattr_len - off;
|
|||
- if (write_count > count) {
|
|||
- write_count = count;
|
|||
- } else if (write_count < 0) {
|
|||
- /*
|
|||
- * write beyond XATTR value len specified in
|
|||
- * xattrcreate
|
|||
- */
|
|||
+ if (fidp->fs.xattr.len < off) {
|
|||
err = -ENOSPC; |
|||
goto out; |
|||
} |
|||
+ write_count = fidp->fs.xattr.len - off;
|
|||
+ if (write_count > count) {
|
|||
+ write_count = count;
|
|||
+ }
|
|||
err = pdu_marshal(pdu, offset, "d", write_count); |
|||
if (err < 0) { |
|||
return err; |
|||
--
|
|||
2.7.3 |
|||
|
@ -1,25 +0,0 @@ |
|||
From: Li Qiang <address@hidden> |
|||
|
|||
In v9fs_link dispatch function, it doesn't put the 'oldfidp' |
|||
fid object, this will make the 'oldfidp->ref' never reach to 0, |
|||
thus leading a memory leak issue. This patch fix this. |
|||
|
|||
Signed-off-by: Li Qiang <address@hidden> |
|||
---
|
|||
hw/9pfs/9p.c | 1 + |
|||
1 file changed, 1 insertion(+) |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index 8b50bfb..29f8b7a 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque)
|
|||
if (!err) { |
|||
err = offset; |
|||
} |
|||
+ put_fid(pdu, oldfidp);
|
|||
out: |
|||
put_fid(pdu, dfidp); |
|||
out_nofid: |
|||
--
|
|||
1.8.3.1 |
@ -1,27 +0,0 @@ |
|||
Author: Li Qiang <liqiang6-s@360.cn> |
|||
Date: Mon Oct 17 14:13:58 2016 +0200 |
|||
|
|||
9pfs: fix memory leak in v9fs_write |
|||
|
|||
If an error occurs when marshalling the transfer length to the guest, the |
|||
v9fs_write() function doesn't free an IO vector, thus leading to a memory |
|||
leak. This patch fixes the issue. |
|||
|
|||
Signed-off-by: Li Qiang <liqiang6-s@360.cn> |
|||
Reviewed-by: Greg Kurz <groug@kaod.org> |
|||
[groug, rephrased the changelog] |
|||
Signed-off-by: Greg Kurz <groug@kaod.org> |
|||
|
|||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
|||
index d43a552..e88cf25 100644
|
|||
--- a/hw/9pfs/9p.c
|
|||
+++ b/hw/9pfs/9p.c
|
|||
@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
|
|||
offset = 7; |
|||
err = pdu_marshal(pdu, offset, "d", total); |
|||
if (err < 0) { |
|||
- goto out;
|
|||
+ goto out_qiov;
|
|||
} |
|||
err += offset; |
|||
|
@ -1,139 +0,0 @@ |
|||
#!/sbin/openrc-run |
|||
# Copyright 1999-2016 Gentoo Foundation |
|||
# Distributed under the terms of the GNU General Public License v2 |
|||
# $Id$ |
|||
|
|||
# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel |
|||
|
|||
# Defaulting to OC should be safe because it comes down to: |
|||
# - do we trust the interp itself to not be malicious? yes; we built it. |
|||
# - do we trust the programs we're running? ish; same permission as native |
|||
# binaries apply. so if user can do bad stuff natively, cross isn't worse. |
|||
: ${QEMU_BINFMT_FLAGS:=OC} |
|||
|
|||
depend() { |
|||
after procfs |
|||
} |
|||
|
|||
start() { |
|||
ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})" |
|||
|
|||
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then |
|||
modprobe -q binfmt_misc |
|||
fi |
|||
|
|||
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then |
|||
eend $? "You need support for 'misc binaries' in your kernel!" || return |
|||
fi |
|||
|
|||
if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then |
|||
mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1 |
|||
eend $? || return |
|||
fi |
|||
|
|||
# probe cpu type |
|||
cpu=`uname -m` |
|||
case "$cpu" in |
|||
i386|i486|i586|i686|i86pc|BePC|x86_64) |
|||
cpu="i386" |
|||
;; |
|||
m68k) |
|||
cpu="m68k" |
|||
;; |
|||
mips*) |
|||
cpu="mips" |
|||
;; |
|||
"Power Macintosh"|ppc|ppc64) |
|||
cpu="ppc" |
|||
;; |
|||
armv[4-9]*) |
|||
cpu="arm" |
|||
;; |
|||
sparc*) |
|||
cpu="sparc" |
|||
;; |
|||
esac |
|||
|
|||
# register the interpreter for each cpu except for the native one |
|||
if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then |
|||
echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then |
|||
echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then |
|||
echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then |
|||
echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then |
|||
echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then |
|||
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then |
|||
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then |
|||
#echo 'Please check cpu value and header information for m68k!' |
|||
echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then |
|||
# FIXME: We could use the other endianness on a MIPS host. |
|||
echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then |
|||
echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then |
|||
echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then |
|||
echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then |
|||
echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then |
|||
echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then |
|||
echo ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then |
|||
echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then |
|||
echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
|||
fi |
|||
eend $? |
|||
} |
|||
|
|||
stop() { |
|||
ebegin "Unregistering qemu-user binaries" |
|||
local arches |
|||
|
|||
arches="${arches} i386 i486" |
|||
arches="${arches} alpha" |
|||
arches="${arches} arm armeb" |
|||
arches="${arches} aarch64" |
|||
arches="${arches} sparc" |
|||
arches="${arches} ppc" |
|||
arches="${arches} m68k" |
|||
arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el" |
|||
arches="${arches} sh4 sh4eb" |
|||
arches="${arches} s390x" |
|||
|
|||
for a in ${arches}; do |
|||
if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then |
|||
echo '-1' > /proc/sys/fs/binfmt_misc/$a |
|||
fi |
|||
done |
|||
|
|||
eend $? |
|||
} |
|||
|
|||
# vim: ts=4 : |
@ -1,710 +0,0 @@ |
|||
# Copyright 1999-2016 Gentoo Foundation |
|||
# Distributed under the terms of the GNU General Public License v2 |
|||
# $Id$ |
|||
|
|||
EAPI="5" |
|||
|
|||
#MY_P="${P/_/-}" |
|||
|
|||
PYTHON_COMPAT=( python2_7 ) |
|||
PYTHON_REQ_USE="ncurses,readline" |
|||
|
|||
PLOCALES="bg de_DE fr_FR hu it tr zh_CN" |
|||
|
|||
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ |
|||
user udev fcaps readme.gentoo-r1 pax-utils l10n |
|||
|
|||
if [[ ${PV} = *9999* ]]; then |
|||
EGIT_REPO_URI="git://git.qemu.org/qemu.git" |
|||
inherit git-2 |
|||
SRC_URI="" |
|||
else |
|||
SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" |
|||
KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd" |
|||
fi |
|||
|
|||
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" |
|||
HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" |
|||
|
|||
LICENSE="GPL-2 LGPL-2 BSD-2" |
|||
SLOT="0" |
|||
IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \ |
|||
gnutls gtk gtk2 infiniband iscsi +jpeg \ |
|||
kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs |
|||
+png pulseaudio python \ |
|||
rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu |
|||
static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \ |
|||
virgl virtfs +vnc vte xattr xen xfs" |
|||
|
|||
COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips |
|||
mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 |
|||
x86_64" |
|||
IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb" |
|||
IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" |
|||
|
|||
use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) |
|||
use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) |
|||
IUSE+=" ${use_softmmu_targets} ${use_user_targets}" |
|||
|
|||
# Allow no targets to be built so that people can get a tools-only build. |
|||
# Block USE flag configurations known to not work. |
|||
REQUIRED_USE="${PYTHON_REQUIRED_USE} |
|||
gtk2? ( gtk ) |
|||
qemu_softmmu_targets_arm? ( fdt ) |
|||
qemu_softmmu_targets_microblaze? ( fdt ) |
|||
qemu_softmmu_targets_ppc? ( fdt ) |
|||
qemu_softmmu_targets_ppc64? ( fdt ) |
|||
sdl2? ( sdl ) |
|||
static? ( static-softmmu static-user ) |
|||
static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 ) |
|||
virtfs? ( xattr ) |
|||
vte? ( gtk )" |
|||
|
|||
# Yep, you need both libcap and libcap-ng since virtfs only uses libcap. |
|||
# |
|||
# The attr lib isn't always linked in (although the USE flag is always |
|||
# respected). This is because qemu supports using the C library's API |
|||
# when available rather than always using the extranl library. |
|||
# |
|||
# Older versions of gnutls are supported, but it's simpler to just require |
|||
# the latest versions. This is also why we require nettle. |
|||
# |
|||
# TODO: Split out tools deps into another var. e.g. bzip2 is only used by |
|||
# system binaries and tools, not user binaries. |
|||
COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)] |
|||
sys-libs/zlib[static-libs(+)] |
|||
bzip2? ( app-arch/bzip2[static-libs(+)] ) |
|||
xattr? ( sys-apps/attr[static-libs(+)] )" |
|||
SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} |
|||
>=x11-libs/pixman-0.28.0[static-libs(+)] |
|||
accessibility? ( app-accessibility/brltty[static-libs(+)] ) |
|||
aio? ( dev-libs/libaio[static-libs(+)] ) |
|||
alsa? ( >=media-libs/alsa-lib-1.0.13 ) |
|||
bluetooth? ( net-wireless/bluez ) |
|||
caps? ( sys-libs/libcap-ng[static-libs(+)] ) |
|||
curl? ( >=net-misc/curl-7.15.4[static-libs(+)] ) |
|||
fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) |
|||
glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) |
|||
gnutls? ( |
|||
dev-libs/nettle:=[static-libs(+)] |
|||
>=net-libs/gnutls-3.0:=[static-libs(+)] |
|||
) |
|||
gtk? ( |
|||
gtk2? ( |
|||
x11-libs/gtk+:2 |
|||
vte? ( x11-libs/vte:0 ) |
|||
) |
|||
!gtk2? ( |
|||
x11-libs/gtk+:3 |
|||
vte? ( x11-libs/vte:2.91 ) |
|||
) |
|||
) |
|||
infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) |
|||
iscsi? ( net-libs/libiscsi ) |
|||
jpeg? ( virtual/jpeg:0=[static-libs(+)] ) |
|||
lzo? ( dev-libs/lzo:2[static-libs(+)] ) |
|||
ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) |
|||
nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) |
|||
numa? ( sys-process/numactl[static-libs(+)] ) |
|||
opengl? ( |
|||
virtual/opengl |
|||
media-libs/libepoxy[static-libs(+)] |
|||
media-libs/mesa[static-libs(+)] |
|||
media-libs/mesa[egl,gles2,gbm] |
|||
) |
|||
png? ( media-libs/libpng:0=[static-libs(+)] ) |
|||
pulseaudio? ( media-sound/pulseaudio ) |
|||
rbd? ( sys-cluster/ceph[static-libs(+)] ) |
|||
sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) |
|||
sdl? ( |
|||
!sdl2? ( |
|||
media-libs/libsdl[X] |
|||
>=media-libs/libsdl-1.2.11[static-libs(+)] |
|||
) |
|||
sdl2? ( |
|||
media-libs/libsdl2[X] |
|||
media-libs/libsdl2[static-libs(+)] |
|||
) |
|||
) |
|||
seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) |
|||
smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) |
|||
snappy? ( app-arch/snappy[static-libs(+)] ) |
|||
spice? ( |
|||
>=app-emulation/spice-protocol-0.12.3 |
|||
>=app-emulation/spice-0.12.0[static-libs(+)] |
|||
) |
|||
ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) |
|||
usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) |
|||
usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) |
|||
uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] ) |
|||
vde? ( net-misc/vde[static-libs(+)] ) |
|||
virgl? ( media-libs/virglrenderer[static-libs(+)] ) |
|||
virtfs? ( sys-libs/libcap ) |
|||
xfs? ( sys-fs/xfsprogs[static-libs(+)] )" |
|||
USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" |
|||
X86_FIRMWARE_DEPEND=" |
|||
>=sys-firmware/ipxe-1.0.0_p20130624 |
|||
pin-upstream-blobs? ( |
|||
~sys-firmware/seabios-1.9.0 |
|||
~sys-firmware/sgabios-0.1_pre8 |
|||
~sys-firmware/vgabios-0.7a |
|||
) |
|||
!pin-upstream-blobs? ( |
|||
sys-firmware/seabios |
|||
sys-firmware/sgabios |
|||
)" |
|||
CDEPEND=" |
|||
!static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) ) |
|||
!static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) ) |
|||
qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) |
|||
qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} ) |
|||
python? ( ${PYTHON_DEPS} ) |
|||
systemtap? ( dev-util/systemtap ) |
|||
xen? ( app-emulation/xen-tools:= )" |
|||
DEPEND="${CDEPEND} |
|||
dev-lang/perl |
|||
=dev-lang/python-2* |
|||
sys-apps/texinfo |
|||
virtual/pkgconfig |
|||
kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) |
|||
gtk? ( nls? ( sys-devel/gettext ) ) |
|||
static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) ) |
|||
static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) ) |
|||
test? ( |
|||
dev-libs/glib[utils] |
|||
sys-devel/bc |
|||
)" |
|||
RDEPEND="${CDEPEND} |
|||
selinux? ( sec-policy/selinux-qemu ) |
|||
" |
|||
|
|||
STRIP_MASK="/usr/share/qemu/palcode-clipper" |
|||
|
|||
QA_PREBUILT=" |
|||
usr/share/qemu/openbios-ppc |
|||
usr/share/qemu/openbios-sparc64 |
|||
usr/share/qemu/openbios-sparc32 |
|||
usr/share/qemu/palcode-clipper |
|||
usr/share/qemu/s390-ccw.img |
|||
usr/share/qemu/u-boot.e500 |
|||
" |
|||
|
|||
QA_WX_LOAD="usr/bin/qemu-i386 |
|||
usr/bin/qemu-x86_64 |
|||
usr/bin/qemu-alpha |
|||
usr/bin/qemu-arm |
|||
usr/bin/qemu-cris |
|||
usr/bin/qemu-m68k |
|||
usr/bin/qemu-microblaze |
|||
usr/bin/qemu-microblazeel |
|||
usr/bin/qemu-mips |
|||
usr/bin/qemu-mipsel |
|||
usr/bin/qemu-or32 |
|||
usr/bin/qemu-ppc |
|||
usr/bin/qemu-ppc64 |
|||
usr/bin/qemu-ppc64abi32 |
|||
usr/bin/qemu-sh4 |
|||
usr/bin/qemu-sh4eb |
|||
usr/bin/qemu-sparc |
|||
usr/bin/qemu-sparc64 |
|||
usr/bin/qemu-armeb |
|||
usr/bin/qemu-sparc32plus |
|||
usr/bin/qemu-s390x |
|||
usr/bin/qemu-unicore32" |
|||
|
|||
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure |
|||
you have the kernel module loaded before running kvm. The easiest way to |
|||
ensure that the kernel module is loaded is to load it on boot.\n |
|||
For AMD CPUs the module is called 'kvm-amd'.\n |
|||
For Intel CPUs the module is called 'kvm-intel'.\n |
|||
Please review /etc/conf.d/modules for how to load these.\n\n |
|||
Make sure your user is in the 'kvm' group\n |
|||
Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n |
|||
For brand new installs, the default permissions on /dev/kvm might not let you |
|||
access it. You can tell udev to reset ownership/perms:\n |
|||
udevadm trigger -c add /dev/kvm" |
|||
|
|||
qemu_support_kvm() { |
|||
if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \ |
|||
use qemu_softmmu_targets_ppc || use qemu_softmmu_targets_ppc64 \ |
|||
use qemu_softmmu_targets_s390x; then |
|||
return 0 |
|||
fi |
|||
|
|||
return 1 |
|||
} |
|||
|
|||
pkg_pretend() { |
|||
if use kernel_linux && kernel_is lt 2 6 25; then |
|||
eerror "This version of KVM requres a host kernel of 2.6.25 or higher." |
|||
elif use kernel_linux; then |
|||
if ! linux_config_exists; then |
|||
eerror "Unable to check your kernel for KVM support" |
|||
else |
|||
CONFIG_CHECK="~KVM ~TUN ~BRIDGE" |
|||
ERROR_KVM="You must enable KVM in your kernel to continue" |
|||
ERROR_KVM_AMD="If you have an AMD CPU, you must enable KVM_AMD in" |
|||
ERROR_KVM_AMD+=" your kernel configuration." |
|||
ERROR_KVM_INTEL="If you have an Intel CPU, you must enable" |
|||
ERROR_KVM_INTEL+=" KVM_INTEL in your kernel configuration." |
|||
ERROR_TUN="You will need the Universal TUN/TAP driver compiled" |
|||
ERROR_TUN+=" into your kernel or loaded as a module to use the" |
|||
ERROR_TUN+=" virtual network device if using -net tap." |
|||
ERROR_BRIDGE="You will also need support for 802.1d" |
|||
ERROR_BRIDGE+=" Ethernet Bridging for some network configurations." |
|||
use vhost-net && CONFIG_CHECK+=" ~VHOST_NET" |
|||
ERROR_VHOST_NET="You must enable VHOST_NET to have vhost-net" |
|||
ERROR_VHOST_NET+=" support" |
|||
|
|||
if use amd64 || use x86 || use amd64-linux || use x86-linux; then |
|||
CONFIG_CHECK+=" ~KVM_AMD ~KVM_INTEL" |
|||
fi |
|||
|
|||
use python && CONFIG_CHECK+=" ~DEBUG_FS" |
|||
ERROR_DEBUG_FS="debugFS support required for kvm_stat" |
|||
|
|||
# Now do the actual checks setup above |
|||
check_extra_config |
|||
fi |
|||
fi |
|||
|
|||
if grep -qs '/usr/bin/qemu-kvm' "${EROOT}"/etc/libvirt/qemu/*.xml; then |
|||
eerror "The kvm/qemu-kvm wrappers no longer exist, but your libvirt" |
|||
eerror "instances are still pointing to it. Please update your" |
|||
eerror "configs in /etc/libvirt/qemu/ to use the -enable-kvm flag" |
|||
eerror "and the right system binary (e.g. qemu-system-x86_64)." |
|||
die "update your virt configs to not use qemu-kvm" |
|||
fi |
|||
} |
|||
|
|||
pkg_setup() { |
|||
enewgroup kvm 78 |
|||
} |
|||
|
|||
# Sanity check to make sure target lists are kept up-to-date. |
|||
check_targets() { |
|||
local var=$1 mak=$2 |
|||
local detected sorted |
|||
|
|||
pushd "${S}"/default-configs >/dev/null || die |
|||
|
|||
# Force C locale until glibc is updated. #564936 |
|||
detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" | LC_COLLATE=C sort -u)) |
|||
sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u)) |
|||
if [[ ${sorted} != "${detected}" ]] ; then |
|||
eerror "The ebuild needs to be kept in sync." |
|||
eerror "${var}: ${sorted}" |
|||
eerror "$(printf '%-*s' ${#var} configure): ${detected}" |
|||
die "sync ${var} to the list of targets" |
|||
fi |
|||
|
|||
popd >/dev/null |
|||
} |
|||
|
|||
handle_locales() { |
|||
# Make sure locale list is kept up-to-date. |
|||
local detected sorted |
|||
detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u)) |
|||
sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u)) |
|||
if [[ ${sorted} != "${detected}" ]] ; then |
|||
eerror "The ebuild needs to be kept in sync." |
|||
eerror "PLOCALES: ${sorted}" |
|||
eerror " po/*.po: ${detected}" |
|||
die "sync PLOCALES" |
|||
fi |
|||
|
|||
# Deal with selective install of locales. |
|||
if use nls ; then |
|||
# Delete locales the user does not want. #577814 |
|||
rm_loc() { rm po/$1.po || die; } |
|||
l10n_for_each_disabled_locale_do rm_loc |
|||
else |
|||
# Cheap hack to disable gettext .mo generation. |
|||
rm -f po/*.po |
|||
fi |
|||
} |
|||
|
|||
src_prepare() { |
|||
check_targets IUSE_SOFTMMU_TARGETS softmmu |
|||
check_targets IUSE_USER_TARGETS linux-user |
|||
|
|||
# Alter target makefiles to accept CFLAGS set via flag-o |
|||
sed -i -r \ |
|||
-e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ |
|||
Makefile Makefile.target || die |
|||
|
|||
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch |
|||
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch |
|||
|
|||
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-9102.patch # bug 598328 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-9103.patch # bug 598328 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-9104.patch # bug 598328 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-9105.patch # bug 598328 |
|||
epatch "${FILESDIR}"/${P}-CVE-2016-9106.patch # bug 598772 |
|||
|
|||
# Fix ld and objcopy being called directly |
|||
tc-export AR LD OBJCOPY |
|||
|
|||
# Verbose builds |
|||
MAKEOPTS+=" V=1" |
|||
|
|||
epatch_user |
|||
|
|||
# Run after we've applied all patches. |
|||
handle_locales |
|||
} |
|||
|
|||
## |
|||
# configures qemu based on the build directory and the build type |
|||
# we are using. |
|||
# |
|||
qemu_src_configure() { |
|||
debug-print-function ${FUNCNAME} "$@" |
|||
|
|||
local buildtype=$1 |
|||
local builddir="${S}/${buildtype}-build" |
|||
local static_flag="static-${buildtype}" |
|||
|
|||
mkdir "${builddir}" |
|||
|
|||
local conf_opts=( |
|||
--prefix=/usr |
|||
--sysconfdir=/etc |
|||
--libdir=/usr/$(get_libdir) |
|||
--docdir=/usr/share/doc/${PF}/html |
|||
--disable-bsd-user |
|||
--disable-guest-agent |
|||
--disable-strip |
|||
--disable-werror |
|||
# We support gnutls/nettle for crypto operations. It is possible |
|||
# to use gcrypt when gnutls/nettle are disabled (but not when they |
|||
# are enabled), but it's not really worth the hassle. Disable it |
|||
# all the time to avoid automatically detecting it. #568856 |
|||
--disable-gcrypt |
|||
--python="${PYTHON}" |
|||
--cc="$(tc-getCC)" |
|||
--cxx="$(tc-getCXX)" |
|||
--host-cc="$(tc-getBUILD_CC)" |
|||
$(use_enable debug debug-info) |
|||
$(use_enable debug debug-tcg) |
|||
--enable-docs |
|||
$(use_enable tci tcg-interpreter) |
|||
$(use_enable xattr attr) |
|||
) |
|||
|
|||
# Disable options not used by user targets as the default configure |
|||
# options will autoprobe and try to link in a bunch of unused junk. |
|||
conf_softmmu() { |
|||
if [[ ${buildtype} == "user" ]] ; then |
|||
echo "--disable-${2:-$1}" |
|||
else |
|||
use_enable "$@" |
|||
fi |
|||
} |
|||
conf_opts+=( |
|||
$(conf_softmmu accessibility brlapi) |
|||
$(conf_softmmu aio linux-aio) |
|||
$(conf_softmmu bzip2) |
|||
$(conf_softmmu bluetooth bluez) |
|||
$(conf_softmmu caps cap-ng) |
|||
$(conf_softmmu curl) |
|||
$(conf_softmmu fdt) |
|||
$(conf_softmmu glusterfs) |
|||
$(conf_softmmu gnutls) |
|||
$(conf_softmmu gnutls nettle) |
|||
$(conf_softmmu gtk) |
|||
$(conf_softmmu infiniband rdma) |
|||
$(conf_softmmu iscsi libiscsi) |
|||
$(conf_softmmu jpeg vnc-jpeg) |
|||
$(conf_softmmu kernel_linux kvm) |
|||
$(conf_softmmu lzo) |
|||
$(conf_softmmu ncurses curses) |
|||
$(conf_softmmu nfs libnfs) |
|||
$(conf_softmmu numa) |
|||
$(conf_softmmu opengl) |
|||
$(conf_softmmu png vnc-png) |
|||
$(conf_softmmu rbd) |
|||
$(conf_softmmu sasl vnc-sasl) |
|||
$(conf_softmmu sdl) |
|||
$(conf_softmmu seccomp) |
|||
$(conf_softmmu smartcard) |
|||
$(conf_softmmu snappy) |
|||
$(conf_softmmu spice) |
|||
$(conf_softmmu ssh libssh2) |
|||
$(conf_softmmu usb libusb) |
|||