ivshmem can talk to a server over a UNIX domain socket on the host. We should
validate inputs from the server to prevent crashes or memory corruption.
Stefan Hajnoczi (2):
ivshmem: check ivshmem_read() size argument
ivshmem: validate incoming_posn value from server
hw/misc/ivshmem.c | 16 ++
The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field. Fix this and
check we received enough bytes before accessing the buffer pointer.
Cc: Cam Macdonell
Reported-by: Sebastian Krahmer
Signed-off-by: Stefan Hajnoczi
---
hw/misc/iv
Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.
Cc: Cam Macdonell
Reported-by: Sebastian Krahmer
Signed-off-by: Stefan Hajnoczi
---
hw/misc/ivshmem.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/hw/misc/ivshmem.c
On Fri, Mar 28, 2014 at 08:26:26PM -0400, Jeff Cody wrote:
> On Sat, Mar 29, 2014 at 12:22:58AM +0100, Max Reitz wrote:
> > On 26.03.2014 13:06, Stefan Hajnoczi wrote:
> > >+echo "Test 7: Block Size != 1MB; too large test (1MB + 1)"
> > >+poke_file "$TEST_IMG" "$bs_offset" "\x00\x00\x11\x00" # inv
On Fri, Mar 28, 2014 at 10:55:51AM +0100, Stefan Hajnoczi wrote:
> v3:
> * Add Stefan Weil's test-aio fix patch [Stefan Weil]
> * Patch 3 commit description s/The causes targets/This causes make targets/
> [Stefan Weil]
>
> v2:
> * Use ifeq instead of using *-n [Andreas]
>
> make check is bro
Hi Alex,
Yes, that's exactly what I was looking for. Thanks.
Qasim
On Fri, Mar 28, 2014 at 4:22 PM, Alex Bennée wrote:
>
> Qasim Maqbool writes:
>
> > Hi,
> >
> > I need to add a few command line options to QEMU. However, I am yet to
> > determine how QEMU takes input from the command line and
Public bug reported:
hi,
When I load a snapshot from a month ago using the "loadvm name" command, the VM system
time is the past time; it does not recover the current time.
** Affects: qemu
Importance: Undecided
Status: New
Hi,
My patch
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e3c1adf16e38714ebd761dd02517dd07760ba6d2
has fixed this issue.
Best regards,
-Gonglei
From: qemu-devel-bounces+arei.gonglei=huawei@nongnu.org
[mailto:qemu-devel-bounces+arei.gonglei=huawei@nongnu.org] On Behalf Of
Caizhi
Hi Mark,
I have done some more testing on this and am giving up. It is very fuzzy. It seems to
work on MacOSX and Linux hosts with Qemu 1.7 and
Qemu 2.0rc0 when the load of the system is under 2-3. If it is higher, sometimes
the deadlock occurs.
So I think we can close the bug and hope nobody is cross-
On Sat, Aug 3, 2013 at 2:30 AM, Vincenzo Maffione wrote:
> This patch partially implements the e1000 interrupt mitigation mechanisms.
> Using a single QEMUTimer, it emulates the ITR register (which is the newer
> mitigation register, recommended by Intel) and approximately emulates
> RADV and TADV
On 31.03.2014 09:26, Stefan Hajnoczi wrote:
> On Fri, Mar 28, 2014 at 10:55:51AM +0100, Stefan Hajnoczi wrote:
>> v3:
>> * Add Stefan Weil's test-aio fix patch [Stefan Weil]
>> * Patch 3 commit description s/The causes targets/This causes make targets/
>> [Stefan Weil]
>>
>> v2:
>> * Use ifeq
Peter,
On 23.01.2014 17:22, Peter Maydell wrote:
> Rather than requiring every new architecture to remember to add a line
> to the Makefile to say that qom-test will work on it, autogenerate
> the list of supported architectures by looking at the files in
> default-configs (as configure does), a
On 31.03.2014 03:25, Alexey Kardashevskiy wrote:
> On 03/24/2014 05:24 PM, Alexey Kardashevskiy wrote:
>> btw while grepping through the code, I found dump_ppc_sprs() which prints
>> this (first chunk is what my patch adds and the second chunk is from
>> dump_ppc_sprs()):
>
>
>
> No one has an
>>> Is there a better name than 'tcg_itype' ? Putting 'type' in the
>>> name of a type is a bit redundant, and suggests it contains
>>> a type rather than an insn.
>>
>> I'm open to suggestions there as well. On x86 and ia64, it won't hold an
>> entire insn, so "tcg_insn" seemed inappropriate.
>
>
On 31 March 2014 09:10, Andreas Färber wrote:
> On 23.01.2014 17:22, Peter Maydell wrote:
>> +# Get the list of all supported sysemu targets
>> +SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
>> + $(wildcard $(SRC_PATH)/default-configs/*-softmmu.mak)))
>> +
>> check-unit-y = tests/che
On 31.03.2014 10:28, Peter Maydell wrote:
> On 31 March 2014 09:10, Andreas Färber wrote:
>> On 23.01.2014 17:22, Peter Maydell wrote:
>>> +# Get the list of all supported sysemu targets
>>> +SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
>>> + $(wildcard $(SRC_PATH)/default-configs/
I've seen very similar problem on our installation. Have you tried to
run with kvm-clock explicitly disabled (either via no-kvmclock in
guest kernel or with -kvm-clock in qemu) ?
No, I haven't tried it yet (I've confirmed kvm-clock is currently
being used). I'll have a look at it.
Did it help y
On 31 March 2014 09:33, Andreas Färber wrote:
> What does that prove? I said qom-test, not check-qtest-x86_64. :)
> You need to run `make check-qtest-x86_64 V=1` to see it.
Ah, gotcha. I guess we do need to stick some kind of uniqueness
filter in somewhere.
thanks
-- PMM
On 03/31/2014 07:24 PM, Andreas Färber wrote:
> On 31.03.2014 03:25, Alexey Kardashevskiy wrote:
>> On 03/24/2014 05:24 PM, Alexey Kardashevskiy wrote:
>>> btw while grepping through the code, I found dump_ppc_sprs() which prints
>>> this (first chunk is what my patch adds and the second chunk is
On Fri, Mar 28, 2014 at 11:08:58PM +0530, Prasad Joshi wrote:
> Signed-off-by: Prasad Joshi
> ---
> block/qcow2.c | 4
> 1 file changed, 4 insertions(+)
Thanks, applied to my block tree:
https://github.com/stefanha/qemu/commits/block
Stefan
This minimizes QEMUMachine usage, as part of machine QOM-ification.
Signed-off-by: Marcel Apfelbaum
---
include/hw/xen/xen.h| 2 +-
include/qemu/typedefs.h | 1 +
include/sysemu/kvm.h| 2 +-
include/sysemu/qtest.h | 2 +-
kvm-all.c | 6 +++---
kvm-stub.c
In order to eliminate the QEMUMachine indirection,
add its fields directly to MachineClass.
Do not remove yet qemu_machine field because it is
in use already by spapr.
Signed-off-by: Marcel Apfelbaum
---
include/hw/boards.h | 23 +++
1 file changed, 23 insertions(+)
diff --
No need to go through qemu_machine field. Use
MachineClass fields directly.
Signed-off-by: Marcel Apfelbaum
---
device-hotplug.c | 2 +-
qmp.c| 4 +--
vl.c | 103 ---
3 files changed, 63 insertions(+), 46 deletions(-
All the references of QEMUMachine are already
replaced by MachineClass.
Signed-off-by: Marcel Apfelbaum
---
include/hw/boards.h | 7 +++
vl.c| 3 +--
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 7cf1f07..66ee98
No need for QEMUMachine anymore because
its fields are passed to MachineClass.
Signed-off-by: Marcel Apfelbaum
---
hw/ppc/spapr.c | 26 +++---
1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a11e121..b4ce950 100644
--- a/h
V1 -> V2:
- Addressed Paolo's comments:
- replaced commas by semicolons on patch 4/5.
- Rebased to master.
This is a continuation of 'QEMU Machine as QOM object' effort.
The scope of this series is to allow machine QOM-ification
of all machines gradually, by removing the need for QEMUMachi
* (chenliang0...@icloud.com) wrote:
> It is ok, we just need to guarantee that the pages in the cache are the same as the
> page on the dest side.
> Don't care about whether they are the same as the src side, because the modified
> pages during this
> time will be sent at the next time.
It's an interesting, if
On 31 March 2014 09:50, Alexey Kardashevskiy wrote:
> On 03/31/2014 07:24 PM, Andreas Färber wrote:
>> On 31.03.2014 03:25, Alexey Kardashevskiy wrote:
>>> No one has an opinion? Come on! :)
>>
>> We're in Hard Freeze!!! >:-| There's more important works than post-2.0
>> debug infos ATM. Anyway..
Hi
Please, send any topic that you are interested in covering.
Thanks, Juan.
Call details:
10:00 AM to 11:00 AM EDT
Every two weeks
If you need phone number details, contact me privately.
Commit 3687d5325 accidentally resulted in our running qom-test twice
for x86_64, once directly via the wildcard, and once because x86_64
includes all the i386 qtests (which includes qom-test). Run the list
of qtests through $(sort) to remove duplicates so we only ever run
a qtest once.
Reported-by
On 03/31/2014 09:07 PM, Peter Maydell wrote:
> On 31 March 2014 09:50, Alexey Kardashevskiy wrote:
>> On 03/31/2014 07:24 PM, Andreas Färber wrote:
>>> On 31.03.2014 03:25, Alexey Kardashevskiy wrote:
No one has an opinion? Come on! :)
>>>
>>> We're in Hard Freeze!!! >:-| There's more import
Hi,
On 31.03.2014 12:40, Juan Quintela wrote:
>
> Please, send any topic that you are interested in covering.
I would like to discuss the state of the QEMU release process, please:
* -rc1 has not been tagged.
* Who besides Anthony could upload a tarball if we tag and create it?
* make-release
On Fri, 2014-03-28 at 15:37 +0100, Frederic Konrad wrote:
> Hi everybody,
>
> I didn't see anything on the list about that.
> I get this bug in the current git.
>
> I configured qemu with the following command line:
>
> ./configure --target-list=ppc-softmmu
>
> I ran QEMU with the following comm
On 31/03/2014 13:30, Gerd Hoffmann wrote:
On Fri, 2014-03-28 at 15:37 +0100, Frederic Konrad wrote:
Hi everybody,
I didn't see anything on the list about that.
I get this bug in the current git.
I configured qemu with the following command line:
./configure --target-list=ppc-softmmu
I ran QEM
From: ChenLiang
The logic of the old code is correct, but checking byte by byte will
consume time after a concurrency scene.
Reported-by: Dr. David Alan Gilbert
Signed-off-by: ChenLiang
Signed-off-by: Gonglei
---
xbzrle.c | 28 ++--
1 file changed, 18 insertions(+), 10 d
From: ChenLiang
It is risky if xbzrle_encode_buffer runs on changing data.
Changes since v1:
* avoid getting stuck in a loop
* check 8 bytes at a time after a concurrency scene
ChenLiang (2):
xbzrle: don't check the value in the vm ram repeatedly
xbzrle: check 8 bytes at a time after an concurren
From: ChenLiang
xbzrle_encode_buffer checks the value in the vm ram repeatedly.
It is risky if xbzrle_encode_buffer runs on changing data.
And it is not necessary.
Reported-by: Dr. David Alan Gilbert
Signed-off-by: ChenLiang
Signed-off-by: Gonglei
---
xbzrle.c | 20 +++-
1 fil
On Mon, Mar 31, 2014 at 12:51:31PM +0200, Andreas Färber wrote:
> On 31.03.2014 12:40, Juan Quintela wrote:
> >
> > Please, send any topic that you are interested in covering.
>
> I would like to discuss the state of the QEMU release process, please:
>
> * -rc1 has not been tagged.
> * Who bes
On Thu, Mar 27, 2014 at 02:58:32PM -, Mark Wood-Patrick wrote:
> Public bug reported:
>
> With qemu-2.0.0-rc0 on CentOS release 5.7 (Final) I get
>
> make: *** No rule to make target `trace/generated-events.h', needed by
> `Makefile'. Stop.
Please try "make distclean" and then ./configure a
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
This introduces an NMI (non maskable interrupt) callback per CPU class
which QMP's "nmi" command may use to issue NMI on a CPU.
Signed-off-by: Alexey Kardashevskiy
---
hmp-commands.hx | 4 +---
include/qom/cpu.h | 1 +
2 files changed, 2
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy
---
target-i386/cpu.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 8fd1497..35f20e0 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
Chen Gang writes:
> Hello Maintainers:
>
> If it is necessary to send patch v2 by me, please let me know, I
> will/should send.
Not a maintainer, but if you send a v2 with an improved commit message,
I'll R-by it, which can only help getting it merged.
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy
---
target-ppc/cpu-qom.h| 1 +
target-ppc/excp_helper.c| 2 +-
target-ppc/translate_init.c | 18 ++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/target-ppc
Gerd Hoffmann writes:
>> +if (!(s->handler->mask & (INPUT_EVENT_MASK_REL |
>> + INPUT_EVENT_MASK_ABS))) {
>> +monitor_printf(mon, "Input device '%s' is not a mouse",
>> + s->handler->name);
>
> That should be error_rep
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy
Missing patch description.
Also, this patch should be among the first in your patch set. It makes
review a lot easier on code movements like this when you always remove
and add back the same code inside
On 03/31/2014 08:38 PM, Markus Armbruster wrote:
> Chen Gang writes:
>
>> Hello Maintainers:
>>
>> If it is necessary to send patch v2 by me, please let me know, I
>> will/should send.
>
> Not a maintainer, but if you send a v2 with an improved commit message,
> I'll R-by it, which can only help
On 31 March 2014 13:53, Chen Gang wrote:
> On 03/31/2014 08:38 PM, Markus Armbruster wrote:
>> Chen Gang writes:
>>
>>> Hello Maintainers:
>>>
>>> If it is necessary to send patch v2 by me, please let me know, I
>>> will/should send.
>>
>> Not a maintainer, but if you send a v2 with an improved c
On 03/31/2014 09:01 PM, Peter Maydell wrote:
> On 31 March 2014 13:53, Chen Gang wrote:
>> On 03/31/2014 08:38 PM, Markus Armbruster wrote:
>>> Chen Gang writes:
>>>
Hello Maintainers:
If it is necessary to send patch v2 by me, please let me know, I
will/should send.
>>>
>>>
On 31 March 2014 14:12, Chen Gang wrote:
> Next, when I send trivial patches, I will/should cc to qemu-trivial. I
> guess, most of my future patches will be trivial patches (and for me,
> trivial != minor).
We describe on the wiki what we mean by 'trivial':
http://wiki.qemu.org/Contribute/Trivial
On 31/03/14 12:51, Andreas Färber wrote:
> Hi,
>
> On 31.03.2014 12:40, Juan Quintela wrote:
>>
>> Please, send any topic that you are interested in covering.
>
> I would like to discuss the state of the QEMU release process, please:
>
> * -rc1 has not been tagged.
> * Who besides Anthony coul
On 31 March 2014 14:21, Christian Borntraeger wrote:
> Another thing might be the release process in general. Currently it seems
> that everybody tries to push everything just before the hard freeze. I had
> to debug some problems introduced _after_ soft freeze. Is there some
> interest in having
On 03/31/2014 09:16 PM, Peter Maydell wrote:
> On 31 March 2014 14:12, Chen Gang wrote:
>> Next, when I send trivial patches, I will/should cc to qemu-trivial. I
>> guess, most of my future patches will be trivial patches (and for me,
>> trivial != minor).
>
> We describe on the wiki what we me
On 03/24/2014 07:24 AM, Alexey Kardashevskiy wrote:
On 03/23/2014 01:43 AM, Stuart Brady wrote:
On Sat, Mar 22, 2014 at 11:25:49PM +1100, Alexey Kardashevskiy wrote:
This adds printing of all SPR registers registered for a CPU.
This removes "SPR_" prefix from SPR name to reduce the output.
Cc
On 31 March 2014 14:26, Chen Gang wrote:
> Next, when I send trivial patches, I will only send to qemu-trivial (not
> send/cc to qemu-devel again), that will be more efficient. :-)
No, please always send to qemu-devel; just also cc qemu-trivial
(or the relevant subsystem maintainers as listed in
On Mon, Mar 31, 2014 at 6:25 AM, Peter Maydell wrote:
> On 31 March 2014 14:21, Christian Borntraeger wrote:
>> Another thing might be the release process in general. Currently it seems
>> that everybody tries to push everything just before the hard freeze. I had
>> to debug some problems introd
Changes from previous version:
Rewritten input validation in multiple patches using the new
VMSTATE_VALIDATE macro.
Addressed review comments from Peter Maydell,
Andreas Färber, Don Koch and Dr. David Alan Gilbert.
The following is the list of patches unmodified from v1:
virtio-ne
move size offset and number of elements math out
to functions, to reduce code duplication.
Signed-off-by: Michael S. Tsirkin
---
vmstate.c | 97 ++-
1 file changed, 52 insertions(+), 45 deletions(-)
diff --git a/vmstate.c b/vmstate.c
i
Can be used to verify a required field exists or validate
state in some other way.
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Dr. David Alan Gilbert
---
include/migration/vmstate.h | 1 +
vmstate.c | 10 ++
2 files changed, 11 insertions(+)
diff --git a/include/m
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid i
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c
Deals with loading a corrupted savevm image.
> n->mac_table.in_use = qemu_get_be32(f);
in_use is int so it can get negative when assigned 32bit unsigned value.
> /* MAC_TABLE_ENTRIES may be differ
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_
CVE-2013-4532
s->tx_fifo_len is read from the wire and later used as an index into
s->tx_fifo[] when a DATA command is issued by the guest. If
s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
than 0, the buffer can be overrun/underrun by arbitrary data written out
by the guest up
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
Signed-off-by: Michael S. Tsirkin
---
include/migration/vmstate.h | 8
1 file changed, 8 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index de970ab..5b71370 100644
--- a/include/migra
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
if (n->max_queues > 1) {
if (n->max_queues != qemu_get_be16(f)) {
error_report("virtio-net: different max_queues ");
return -1;
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Dr. David Alan Gilbert
---
hw/timer/hpet.c | 13 +
From: Michael Roth
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to validate the value appropria
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
hw/ssi/pl022.c | 12
1 file changed, 12 insertions(+)
diff --
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger than we g
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indices into
framebuffer array.
To fix validate after load.
Signed-off-by: Michael S.
CVE-2013-4532
s->tx_frame_len is read from the wire and can later be used as an index
into s->tx_fifo[] for memset() when a DATA command is issued by the guest.
In this case s->tx_frame_len is checked to avoid an overrun, but if the
value is negative a subsequently executed guest can underrun the bu
From: Michael Roth
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as V
CVE-2013-4532
s->next_packet is read from wire as an index into s->rx[]. If
s->next_packet exceeds the length of s->rx[], the buffer can be
subsequently overrun with arbitrary data from the wire.
Fix this by failing migration if s->next_packet we read from
the wire exceeds this.
Similarly, valid
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber
Signed-off-by: Michael S. Tsirkin
---
hw/input/tsc210x.c | 12
1 file c
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fif
From: Dmitry Fleytman
CVE-2013-4544
Signed-off-by: Dmitry Fleytman
Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
hw/net/vmxnet3.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index a4b5c11..8c6df05 100644
--- a/hw/net/vmxne
From: Gerd Hoffmann
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf; it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked against the data_buf size.
Signed-off-by: Gerd Hoffman
On 31/03/2014 16:01, Anthony Liguori wrote:
> "merge window" has been suggested before. I think it would be
> a terrible idea for QEMU, personally. We're not the kernel in
> many ways, notably dev community size and a greater tendency
> to changes that have effects across the whole tree.
>
>
From: Dmitry Fleytman
CVE-2013-4544
Signed-off-by: Dmitry Fleytman
Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
hw/net/vmxnet3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 0fa54e7..d062049 100644
--- a/hw/net/vmxnet3
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
savevm will segfault if version_id < vmsd->minimum_version_id &&
version_id >= vmsd->minimum_version_id_old
This calls through a NULL pointer. This is a bug (should
exit not crash).
Reviewed-by: Andreas Färber
Signed-off-by: Michael S. Tsirkin
---
vmstate.c | 3 +++
1 file changed, 3 insertio
From: Dmitry Fleytman
CVE-2013-4544
Signed-off-by: Dmitry Fleytman
Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
hw/net/vmxnet3.c | 36 ++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet
From: Dmitry Fleytman
CVE-2013-4544
Signed-off-by: Dmitry Fleytman
Reported-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
---
hw/net/vmxnet3.c | 13 -
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 8c6df05..0fa54
On 31 March 2014 15:28, Paolo Bonzini wrote:
> I think it would be a good idea to separate the committer and release
> manager roles. Peter is providing the community with a wonderful service,
> just like you were; putting too much work on his shoulders risks getting us
> in the same situation if
Hi all,
From the aspect of QEMU, there are file and block disk types;
what is the final difference between the two types?
If its type is block and the source is a volume or physical disk, who finally
reads/writes the disk?
I thought block is raw format, so the raw driver will do the actual r/w; am I right?
if
CVE-2013-4537
s->arglen is taken from wire and used as idx
in ssi_sd_transfer().
Validate it before access.
Signed-off-by: Michael S. Tsirkin
---
hw/sd/ssi-sd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index 3273c8a..d9c4aee 100644
--- a/hw/sd/ssi-
From: Anton Ivanov
This transport allows connecting a QEMU NIC to a static Ethernet
over L2TPv3 tunnel. The transport supports all options present
in the Linux kernel implementation. It allows QEMU to connect
to any Linux host running kernel 3.3+, most routers and network
devices as well as other
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indices beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth
Si
On 31.03.2014 16:32, Peter Maydell wrote:
> On 31 March 2014 15:28, Paolo Bonzini wrote:
>> I think it would be a good idea to separate the committer and release
>> manager roles. Peter is providing the community with a wonderful service,
>> just like you were; putting too much work on his shou
On 03/28/2014 11:57 AM, Greg Kurz wrote:
From: Rusty Russell
virtio data structures are defined as "target endian", which assumes
that's a fixed value. In fact, that actually means it's platform-specific.
The OASIS virtio 1.0 spec will fix this, by making all little endian.
We need to support
* Michael S. Tsirkin (m...@redhat.com) wrote:
> move size offset and number of elements math out
> to functions, to reduce code duplication.
>
> Signed-off-by: Michael S. Tsirkin
> ---
> vmstate.c | 97
> ++-
> 1 file changed, 52 inser
On 31 March 2014 15:16, Michael S. Tsirkin wrote:
> CVE-2013-4530
>
> pl022.c did not bounds check tx_fifo_head and
> rx_fifo_head after loading them from file and
> before they are used to dereference array.
>
> Reported-by: Michael S. Tsirkin Reported-by: Anthony Liguori
> Signed-off-by: Micha
From: Petar Jovanovic
Flags NONBLOCK and CLOEXEC can have different values on the host and the
guest, so set correct host values before calling accept4().
This fixes several issues with accept4 system call and user-mode of QEMU.
Signed-off-by: Petar Jovanovic
---
linux-user/syscall.c | 13 +
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Re
On 31 March 2014 16:09, Petar Jovanovic wrote:
> From: Petar Jovanovic
>
> Flags NONBLOCK and CLOEXEC can have different values on the host and the
> guest, so set correct host values before calling accept4().
>
> This fixes several issues with accept4 system call and user-mode of QEMU.
>
> Signe
On Mon, Mar 31, 2014 at 04:01:34PM +0100, Dr. David Alan Gilbert wrote:
> * Michael S. Tsirkin (m...@redhat.com) wrote:
> > move size offset and number of elements math out
> > to functions, to reduce code duplication.
> >
> > Signed-off-by: Michael S. Tsirkin
> > ---
> > vmstate.c | 97
> > +++
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
Reported-
On 31 March 2014 15:17, Michael S. Tsirkin wrote:
> CVE-2013-4533
>
> s->rx_level is read from the wire and used to determine how many bytes
> to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
> length of s->rx_fifo[] the buffer can be overrun with arbitrary data
> from the wire.
On 31 March 2014 15:16, Michael S. Tsirkin wrote:
> CVE-2013-4526
>
> Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
> we use the old version of ports to read the array but then allow any
> value for ports. This can cause the code to overflow.
>
> There's no reason to migr
From: Peter Maydell [peter.mayd...@linaro.org]
Sent: Monday, March 31, 2014 5:19 PM
To: Petar Jovanovic
Cc: QEMU Developers; Riku Voipio; Petar Jovanovic
Subject: Re: [Qemu-devel] [PATCH] linux-user: pass correct host flags to
accept4()
On 31 March 2014 1