Hello, we've seen a very occasional failure in the startup of qemu where the
call to inet_listen() for the VNC port fails with EADDRINUSE.
I believe there is a race condition when two qemu processes both bind to the
same port: in one, the subsequent call to listen() will succeed and the other
fa
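The window the report above describes, as an added C reproduction that is not QEMU code and does not use QEMU's inet_listen(): with SO_REUSEADDR set (as a listener that wants fast restart typically does), two sockets may both bind() the same loopback port as long as neither has called listen() yet, so the race is decided at listen(), and the loser gets EADDRINUSE there rather than at bind(). The two sockets stand in for the two qemu processes; the helper name and the port choice (port 0, so the kernel picks a free one) are the example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed reproduction of the bind()/listen() race (not QEMU code).
 * Socket 'a' plays the first qemu process, socket 'b' the second.
 * Returns the errno of the second listen() (0 if it unexpectedly succeeded),
 * or -1 if the setup itself failed. */
int second_listen_errno(void)
{
    int a = socket(AF_INET, SOCK_STREAM, 0);
    int b = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1, result = -1;
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;

    if (a < 0 || b < 0) {
        goto out;
    }
    /* Both listeners allow address reuse, which is what opens the window:
     * a second bind() to the same port is accepted until someone listens. */
    setsockopt(a, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    setsockopt(b, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* kernel picks a free port for 'a' */
    if (bind(a, (struct sockaddr *)&addr, sizeof addr) < 0) {
        goto out;
    }
    if (getsockname(a, (struct sockaddr *)&addr, &len) < 0) {
        goto out;                            /* learn which port 'a' got */
    }
    /* 'b' binds the very same port before 'a' has called listen(): succeeds. */
    if (bind(b, (struct sockaddr *)&addr, sizeof addr) < 0) {
        goto out;
    }
    if (listen(a, 1) < 0) {                  /* 'a' wins the race */
        goto out;
    }
    result = listen(b, 1) < 0 ? errno : 0;   /* 'b' loses here, with EADDRINUSE */

out:
    if (a >= 0) {
        close(a);
    }
    if (b >= 0) {
        close(b);
    }
    return result;
}
```

The practical consequence for anything that probes a port range by bind()ing: a bind() that succeeds is not yet a claim on the port, so EADDRINUSE coming back from listen() has to be handled the same way as EADDRINUSE from bind() (move on to the next candidate), otherwise the probe is not race-free.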
On Wednesday, 14 June 2023 Simon Rowe wrote:
> We've also seen a handful of similar reports. Again, just the MBR sector
> overwritten by what looks to be guest data (e.g. log messages). The
> common thread with our incidents is again a SATA disk under the AHCI
> controller,
On Thursday, 28 September 2023 Fiona Ebner wrote:
> AFAICT, yes, because the DMA callback is invoked before resetting the
> state now. But not 100% sure if it can't be triggered in some other way,
> maybe Simon knows more? I don't have a reproducer for the CVE either,
> but the second patch after
On Monday, 2 October 2023 John Snow wrote:
> Which reset pathway are you testing that causes the problem?
The test centres on a VM-initiated bus reset because a DMA write has stalled (I
deliberately discard the iSCSI response).
> I'm not fully clear on why checking for DRQ is legitimate here.
On Tuesday, 3 October 2023 John Snow wrote:
> Simon, can you confirm that Fiona's patches are appropriate for your
> reproducer? In the meantime I'll do my
> own audit for the problem as you described it (thank you very much for that)
> and see if there's anything else
> that needs to be addres
er in:
https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg03883.html
Simon Rowe (1):
hw/ide/core: terminate in-flight DMA on IDE bus reset
hw/ide/core.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
--
2.22.3
is still set in the DMA
callback (as it is otherwise cleared at the start of the bus
reset). If it is not, treat the transfer as ended.
This only appears to affect SATA controllers, plain IDE does not use
aio.
Fixes: CVE-2023-5088
Signed-off-by: Simon Rowe
Cc: Felipe Franciosi
---
hw/ide/core.c
On Wednesday, 6 September 2023 Fiona Ebner wrote:
> If there is a pending DMA operation during ide_bus_reset(), the fact
> that the IDEState is already reset before the operation is canceled
> can be problematic. In particular, ide_dma_cb() might be called and
> then use the reset IDEState which
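The ordering problem Fiona describes above, and the check Simon's commit message adds ("if it is not [still set], treat the transfer as ended"), as a constructed C model added here. It is not QEMU's hw/ide/core.c: the names DEV_BUSY, ide_model, dma_cb and bus_reset are invented, and the model assumes that a bus reset zeroes the device's sector registers, which is one way the reported symptom (guest log text landing in the MBR) would arise, since a stale completion then issues its next write at LBA 0. The page does not name the flag the real patch tests.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the reset-vs-in-flight-DMA hazard; not QEMU code.
 * DEV_BUSY is an assumed flag: set while a command is in flight, cleared
 * at the start of a bus reset. */
#define DEV_BUSY     0x80
#define SECTOR_SIZE  512
#define DISK_SECTORS 8

typedef struct {
    uint8_t        status;    /* DEV_BUSY while a DMA command is in flight */
    uint32_t       lba;       /* next sector the in-flight transfer writes */
    uint32_t       nsector;   /* sectors still to transfer */
    const uint8_t *data;      /* guest buffer the transfer reads from */
} dev_state;

typedef struct {
    uint8_t   disk[DISK_SECTORS][SECTOR_SIZE];
    dev_state s;
    int       aio_pending;    /* 1 while the async write has a completion outstanding */
    int       hardened;       /* 0: callback trusts the state; 1: callback checks DEV_BUSY first */
} ide_model;

void dma_write_start(ide_model *m, uint32_t lba, uint32_t nsector, const uint8_t *data)
{
    m->s.status |= DEV_BUSY;
    m->s.lba = lba;
    m->s.nsector = nsector;
    m->s.data = data;
    m->aio_pending = 1;       /* the "aio" completes later, via dma_cb() */
}

/* Completion callback: commit one sector, then either re-arm or finish. */
void dma_cb(ide_model *m)
{
    if (!m->aio_pending) {
        return;               /* completion already cancelled */
    }
    m->aio_pending = 0;
    if (m->hardened && !(m->s.status & DEV_BUSY)) {
        return;               /* state was reset underneath us: treat the transfer as ended */
    }
    memcpy(m->disk[m->s.lba % DISK_SECTORS], m->s.data, SECTOR_SIZE);
    m->s.lba++;
    m->s.nsector--;
    m->s.data += SECTOR_SIZE;
    if (m->s.nsector) {
        m->aio_pending = 1;
    } else {
        m->s.status &= ~DEV_BUSY;
    }
}

/* Bus reset in the order described in the thread: the state is cleared first
 * and the in-flight aio is only cancelled afterwards. A completion that fires
 * in that window runs dma_cb() on the zeroed state, whose lba is now 0. */
void bus_reset(ide_model *m, int completion_fires_in_window)
{
    m->s.status = 0;
    m->s.lba = 0;
    m->s.nsector = 0;         /* data pointer left alone: the request's buffer still exists */
    if (completion_fires_in_window) {
        dma_cb(m);
    }
    m->aio_pending = 0;       /* cancellation finally lands */
}

/* Scenario: the guest writes two sectors of log text at LBA 5, the bus is
 * reset between the two completions, and the stale second completion fires.
 * Returns 1 if sector 0 (the MBR) now holds guest data, 0 if it is intact. */
int mbr_clobbered_after_reset(int hardened)
{
    uint8_t guest_data[2 * SECTOR_SIZE];
    ide_model m;

    memset(guest_data, 'L', sizeof guest_data);           /* constructed "log" payload */
    memset(&m, 0, sizeof m);
    m.hardened = hardened;
    memcpy(m.disk[0], "\xeb\x3cMBR-boot-code", 16);        /* constructed boot sector */

    dma_write_start(&m, 5, 2, guest_data);
    dma_cb(&m);               /* first sector lands at LBA 5 as intended */
    bus_reset(&m, 1);         /* second completion fires against the reset state */

    return memcmp(m.disk[0], "\xeb\x3cMBR", 5) != 0;
}
```

With hardened == 0 the stale completion copies the second sector of guest data to LBA 0; with hardened == 1 the callback sees DEV_BUSY cleared and stops, which is the behaviour the commit message asks for. Reordering bus_reset() so the cancellation lands before the state is cleared closes the window as well, and the two measures are complementary rather than alternatives.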
On Thursday, 15 June 2023 Fiona Ebner wrote:
> which version/build of QEMU are you using? Can you correlate the issue
> with any block job or was the drive in use by the guest only?
I believe this has been seen on a range of releases so that includes QEMU 4.2
and 2.12. We do have custom patches
client receives updates with a
"staircase" effect.
Reduce the rounding to a multiple of two.
Signed-off-by: Simon Rowe
---
hw/display/vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 892fedc8dc..ea659e2812 100644
--- a/
I've been trying to track down the cause of a glitch that affects guest VNC
consoles when the resolution is set to 1366x768. This results in a "staircase"
effect where each successive row is offset to the right by a handful of pixels.
I believe this is related to the fact that the horizontal re
On 02/10/2024, 13:01, "Daniel P. Berrangé" wrote:
> There's a newer bug report here, but not real progress:
>
> https://gitlab.com/qemu-project/qemu/-/issues/90
>
> 1366 is particularly problematic as it apparently can't be represented
> exactly in EDID which needs a x8 multiple.
Thanks for the
Looking at the trace output it seems that the displaysurface has been rounded
from the start
vnc_client_connect VNC client connect state=0x556dce1c1b20 ioc=0x556dce9e1e70
displaysurface_create_from surface=0x556dce104b30, 1360x768, format 0x20020888
vnc_server_dpy_recreate VNC server dpy recreate
On 03/10/2024, 14:05, "Daniel P. Berrangé" wrote:
> The QEMU VNC code has logic which rounds up display sizes to a multiple
> of 16:
>
> static int vnc_width(VncDisplay *vd)
> {
> return MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds),
> VNC_DIRTY_
Ping?
On 04/10/2024, 09:39, "Simon Rowe" wrote:
When validating the parameters of VBE ioport writes the X co-ordinate
is silently rounded down to a multiple of 8. For valid resolutions
(such as 1366x768) which are not divisible by 8 this causes
miscalculations because the display s
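The stride mismatch behind the staircase described in this thread, as an added C illustration that is not QEMU's hw/display/vga.c: the guest draws rows using the width it programmed (1366 pixels), while the display side walks the same memory with the rounded-down width (1360 with the original multiple-of-8 rounding, 1366 with the multiple-of-2 rounding from the patch), so every row is read 6 pixels too early and a vertical line drifts right by 6 pixels per row until it leaves the frame. The one-byte-per-pixel framebuffer, the marker column and the function names are the example's own.

```c
#include <stdint.h>
#include <stdlib.h>

/* VBE XRES handling as the thread describes it: the X resolution is rounded
 * down to a multiple of 'align' (8 before the patch, 2 after). Not QEMU code. */
uint32_t vbe_round_xres(uint32_t xres, uint32_t align)
{
    return xres & ~(align - 1);
}

/* Constructed framebuffer walk, one byte per pixel for simplicity.
 * The guest draws a one-pixel-wide vertical marker at column 'mark' in every
 * row using its own stride (xres). The display side reads row 'row' back
 * using the rounded stride. Returns the column at which the marker shows up
 * on that display row, or -1 if it has drifted off the right edge. */
int marker_column_on_display(uint32_t xres, uint32_t rows, uint32_t align,
                             uint32_t mark, uint32_t row)
{
    uint32_t surf_w = vbe_round_xres(xres, align);
    size_t   guest_bytes = (size_t)xres * rows;
    uint8_t *fb = calloc(guest_bytes + surf_w, 1);   /* slack keeps short-stride reads in bounds */
    int      found = -1;
    uint32_t x, y;

    if (fb == NULL || row >= rows || mark >= xres) {
        free(fb);
        return -1;
    }
    for (y = 0; y < rows; y++) {
        fb[(size_t)y * xres + mark] = 1;             /* guest writes with stride xres */
    }
    for (x = 0; x < surf_w; x++) {
        if (fb[(size_t)row * surf_w + x]) {          /* display reads with stride surf_w */
            found = (int)x;
            break;
        }
    }
    free(fb);
    return found;
}
```

For 1366x768 with the multiple-of-8 rounding, a marker drawn at column 100 appears at column 100 on row 0, column 160 on row 10, column 1354 on row 209, and is gone from row 210 onwards; with the multiple-of-2 rounding it stays at column 100 on every row, and a width that is already a multiple of 8 (1024, for instance) shows no drift either way.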