diff -Nru qemu-2.5+dfsg/debian/changelog qemu-2.5+dfsg/debian/changelog --- qemu-2.5+dfsg/debian/changelog 2016-04-19 20:41:37.000000000 +0000 +++ qemu-2.5+dfsg/debian/changelog 2016-11-14 12:28:25.000000000 +0000 @@ -1,3 +1,283 @@ +qemu (1:2.5+dfsg-5ubuntu10.7~ppa1) xenial; urgency=medium + + * fix ambiguous machine trusty and utopic machine types (LP: #1641532) + + -- Christian Ehrhardt Mon, 14 Nov 2016 13:21:37 +0100 + +qemu (1:2.5+dfsg-5ubuntu10.6) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS via unbounded memory allocation + - debian/patches/CVE-2016-5403.patch: re-enable original patch. + - debian/patches/CVE-2016-5403-2.patch: recalculate vq->inuse after + migration in hw/virtio/virtio.c. + - debian/patches/CVE-2016-5403-3.patch: decrement vq->inuse in + virtqueue_discard() in hw/virtio/virtio.c. + - debian/patches/CVE-2016-5403-4.patch: zero vq->inuse in + virtio_reset() in hw/virtio/virtio.c. + - CVE-2016-5403 + * SECURITY UPDATE: use after free while writing in vmxnet3 + - debian/patches/CVE-2016-6833.patch: check for device_active before + write in hw/net/vmxnet3.c. + - CVE-2016-6833 + * SECURITY UPDATE: DoS via infinite loop during packet fragmentation + - debian/patches/CVE-2016-6834.patch: check fragment length during + fragmentation in hw/net/vmxnet_tx_pkt.c. + - CVE-2016-6834 + * SECURITY UPDATE: Buffer overflow in vmxnet_tx_pkt_parse_headers() + - debian/patches/CVE-2016-6835.patch: check IP header length in + hw/net/vmxnet_tx_pkt.c. + - CVE-2016-6835 + * SECURITY UPDATE: Information leak in vmxnet3_complete_packet + - debian/patches/CVE-2016-6836.patch: initialise local tx descriptor in + hw/net/vmxnet3.c. + - CVE-2016-6836 + * SECURITY UPDATE: Integer overflow in packet initialisation in VMXNET3 + - debian/patches/CVE-2016-6888.patch: use g_new for pkt initialisation + in hw/net/vmxnet_tx_pkt.c. + - CVE-2016-6888 + * SECURITY UPDATE: directory traversal flaw in 9p virtio backend + - debian/patches/CVE-2016-7116-1.patch: forbid illegal path names in + hw/9pfs/virtio-9p.c. + - debian/patches/CVE-2016-7116-2.patch: forbid . and .. in file names + in hw/9pfs/virtio-9p.c. + - debian/patches/CVE-2016-7116-3.patch: handle walk of ".." in the root + directory in hw/9pfs/virtio-9p.*. + - debian/patches/CVE-2016-7116-4.patch: fix potential segfault during + walk in hw/9pfs/virtio-9p.c. + - CVE-2016-7116 + * SECURITY UPDATE: OOB read and infinite loop in pvscsi + - debian/patches/CVE-2016-7155.patch: check page count while + initialising descriptor rings in hw/scsi/vmw_pvscsi.c. + - CVE-2016-7155 + * SECURITY UPDATE: infinite loop when building SG list in pvscsi + - debian/patches/CVE-2016-7156.patch: limit loop to fetch SG list in + hw/scsi/vmw_pvscsi.c. + - CVE-2016-7156 + * SECURITY UPDATE: buffer overflow in xlnx.xps-ethernetlite + - debian/patches/CVE-2016-7161.patch: fix a heap overflow in + hw/net/xilinx_ethlite.c. + - CVE-2016-7161 + * SECURITY UPDATE: OOB stack memory access in vmware_vga + - debian/patches/CVE-2016-7170.patch: correct bitmap and pixmap size + checks in hw/display/vmware_vga.c. + - CVE-2016-7170 + * SECURITY UPDATE: Infinite loop when processing IO requests in pvscsi + - debian/patches/CVE-2016-7421.patch: limit process IO loop to ring + size in hw/scsi/vmw_pvscsi.c. + - CVE-2016-7421 + * SECURITY UPDATE: memory leakage during device unplug in xhci + - debian/patches/CVE-2016-7466.patch: fix memory leak in usb_xhci_exit + in hw/usb/hcd-xhci.c. + - CVE-2016-7466 + * SECURITY UPDATE: denial of service in mcf via invalid count + - debian/patches/CVE-2016-7908.patch: limit buffer descriptor count in + hw/net/mcf_fec.c. + - CVE-2016-7908 + * SECURITY UPDATE: denial of service in pcnet via invalid length + - debian/patches/CVE-2016-7909.patch: check rx/tx descriptor ring + length in hw/net/pcnet.c. + - CVE-2016-7909 + * SECURITY UPDATE: denial of service via memory leak in virtio-gpu + - debian/patches/CVE-2016-7994.patch: fix memory leak in + virtio_gpu_resource_create_2d in hw/display/virtio-gpu.c. + - CVE-2016-7994 + * SECURITY UPDATE: denial of service via infinite loop in xhci + - debian/patches/CVE-2016-8576.patch: limit the number of link trbs we + are willing to process in hw/usb/hcd-xhci.c. + - CVE-2016-8576 + * SECURITY UPDATE: host memory leakage in 9pfs + - debian/patches/CVE-2016-8577.patch: fix potential host memory leak in + v9fs_read in hw/9pfs/virtio-9p.c. + - CVE-2016-8577 + * SECURITY UPDATE: NULL dereference in 9pfs + - debian/patches/CVE-2016-8578.patch: allocate space for guest + originated empty strings in fsdev/virtio-9p-marshal.c, + hw/9pfs/virtio-9p.c. + - CVE-2016-8578 + * SECURITY UPDATE: OOB buffer access in rocker switch emulation + - debian/patches/CVE-2016-8668.patch: set limit to DMA buffer size in + hw/net/rocker/rocker.c. + - CVE-2016-8668 + * SECURITY UPDATE: infinite loop in Intel HDA controller + - debian/patches/CVE-2016-8909.patch: check stream entry count during + transfer in hw/audio/intel-hda.c. + - CVE-2016-8909 + * SECURITY UPDATE: infinite loop in RTL8139 ethernet controller + - debian/patches/CVE-2016-8910.patch: limit processing of ring + descriptors in hw/net/rtl8139.c. + - CVE-2016-8910 + * SECURITY UPDATE: memory leakage at device unplug in eepro100 + - debian/patches/CVE-2016-9101.patch: fix memory leak in device uninit + in hw/net/eepro100.c. + - CVE-2016-9101 + * SECURITY UPDATE: denial of service via memory leak in 9pfs + - debian/patches/CVE-2016-9102.patch: fix memory leak in + v9fs_xattrcreate in hw/9pfs/virtio-9p.c. + - CVE-2016-9102 + * SECURITY UPDATE: information leakage via xattribute in 9pfs + - debian/patches/CVE-2016-9103.patch: fix information leak in xattr + read in hw/9pfs/virtio-9p.c. + - CVE-2016-9103 + * SECURITY UPDATE: integer overflow leading to OOB access in 9pfs + - debian/patches/CVE-2016-9104.patch: fix integer overflow issue in + xattr read/write in hw/9pfs/virtio-9p.c. + - CVE-2016-9104 + * SECURITY UPDATE: denial of service via memory leakage in 9pfs + - debian/patches/CVE-2016-9105.patch: fix memory leak in v9fs_link in + hw/9pfs/virtio-9p.c. + - CVE-2016-9105 + * SECURITY UPDATE: denial of service via memory leakage in 9pfs + - debian/patches/CVE-2016-9106.patch: fix memory leak in v9fs_write in + hw/9pfs/virtio-9p.c. + - CVE-2016-9106 + + -- Marc Deslauriers Mon, 07 Nov 2016 11:17:16 -0500 + +qemu (1:2.5+dfsg-5ubuntu10.5) xenial; urgency=medium + + * fix default machine types. (LP: #1621042) + - add dep3 header to d/p/ubuntu/define-ubuntu-machine-types.patch + - remove double default and double ubuntu alias + - add xenial machine type + - add q35 based ubuntu machine type + - add ubuntu machine types on ppc64el and s390x + + -- Christian Ehrhardt Tue, 20 Sep 2016 09:38:03 +0200 + +qemu (1:2.5+dfsg-5ubuntu10.4) xenial-security; urgency=medium + + * SECURITY REGRESSION: crash on migration with memory stats enabled + (LP: #1612089) + - debian/patches/CVE-2016-5403.patch: disable for now pending + investigation. + + -- Marc Deslauriers Fri, 12 Aug 2016 08:46:19 -0400 + +qemu (1:2.5+dfsg-5ubuntu10.3) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS and possible host code execution in 53C9X Fast + SCSI Controller + - debian/patches/CVE-2016-4439.patch: check length in hw/scsi/esp.c. + - CVE-2016-4439 + * SECURITY UPDATE: DoS in 53C9X Fast SCSI Controller + - debian/patches/CVE-2016-4441.patch: check DMA length in + hw/scsi/esp.c. + - CVE-2016-4441 + * SECURITY UPDATE: infinite loop in vmware_vga + - debian/patches/CVE-2016-4453.patch: limit fifo commands in + hw/display/vmware_vga.c. + - CVE-2016-4453 + * SECURITY UPDATE: DoS or host memory leakage in vmware_vga + - debian/patches/CVE-2016-4454.patch: fix sanity checks in + hw/display/vmware_vga.c. + - CVE-2016-4454 + * SECURITY UPDATE: DoS in VMWARE PVSCSI paravirtual SCSI bus + - debian/patches/CVE-2016-4952.patch: check command descriptor ring + buffer size in hw/scsi/vmw_pvscsi.c. + - CVE-2016-4952 + * SECURITY UPDATE: MegaRAID SAS 8708EM2 host memory leakage + - debian/patches/CVE-2016-5105.patch: initialise local configuration + data buffer in hw/scsi/megasas.c. + - CVE-2016-5105 + * SECURITY UPDATE: DoS in MegaRAID SAS 8708EM2 + - debian/patches/CVE-2016-5106.patch: use appropriate property buffer + size in hw/scsi/megasas.c. + - CVE-2016-5106 + * SECURITY UPDATE: DoS in MegaRAID SAS 8708EM2 + - debian/patches/CVE-2016-5107.patch: check read_queue_head index + value in hw/scsi/megasas.c. + - CVE-2016-5107 + * SECURITY UPDATE: DoS or code execution via crafted iSCSI asynchronous + I/O ioctl call + - debian/patches/CVE-2016-5126.patch: avoid potential overflow in + block/iscsi.c. + - CVE-2016-5126 + * SECURITY UPDATE: DoS in 53C9X Fast SCSI Controller + - debian/patches/CVE-2016-5238.patch: check buffer length before + reading scsi command in hw/scsi/esp.c. + - CVE-2016-5238 + * SECURITY UPDATE: MegaRAID SAS 8708EM2 host memory leakage + - debian/patches/CVE-2016-5337.patch: null terminate bios version + buffer in hw/scsi/megasas.c. + - CVE-2016-5337 + * SECURITY UPDATE: DoS or code execution in 53C9X Fast SCSI Controller + - debian/patches/CVE-2016-5338.patch: check TI buffer index in + hw/scsi/esp.c. + - CVE-2016-5338 + * SECURITY UPDATE: DoS via unbounded memory allocation + - debian/patches/CVE-2016-5403.patch: check size in hw/virtio/virtio.c. + - CVE-2016-5403 + * SECURITY UPDATE: oob write access while reading ESP command + - debian/patches/CVE-2016-6351.patch: make cmdbuf big enough for + maximum CDB size and handle migration in hw/scsi/esp.c, + include/hw/scsi/esp.h, include/migration/vmstate.h. + - CVE-2016-6351 + + -- Marc Deslauriers Wed, 03 Aug 2016 12:40:51 -0400 + +qemu (1:2.5+dfsg-5ubuntu10.2) xenial; urgency=medium + + * Cherrypick upstream patches to support the query-gic-version QMP command + (LP: #1566564) + + -- dann frazier Fri, 03 Jun 2016 14:24:25 -0600 + +qemu (1:2.5+dfsg-5ubuntu10.1) xenial-security; urgency=medium + + * SECURITY UPDATE: denial of service via multiple eof_timers in ohci + - debian/patches/CVE-2016-2391.patch: allocate timer only once in + hw/usb/hcd-ohci.c. + - CVE-2016-2391 + * SECURITY UPDATE: denial of service in in remote NDIS control message + handling + - debian/patches/CVE-2016-2392.patch: check USB configuration + descriptor object in hw/usb/dev-network.c. + - CVE-2016-2392 + * SECURITY UPDATE: denial of service or host information leak in USB Net + device emulation support + - debian/patches/CVE-2016-2538.patch: check RNDIS buffer offsets and + length in hw/usb/dev-network.c. + - CVE-2016-2538 + * SECURITY UPDATE: denial of service via infinite loop in ne2000 + - debian/patches/CVE-2016-2841.patch: heck ring buffer control + registers in hw/net/ne2000.c. + - CVE-2016-2841 + * SECURITY UPDATE: denial of service via payload length in crafted packet + - debian/patches/CVE-2016-2857.patch: check packet payload length in + net/checksum.c. + - CVE-2016-2857 + * SECURITY UPDATE: denial of service in PRNG support + - debian/patches/CVE-2016-2858.patch: add request queue support to + rng-random in backends/rng-egd.c, backends/rng-random.c, + backends/rng.c, include/sysemu/rng.h. + - CVE-2016-2858 + * SECURITY UPDATE: arbitrary host code execution via VGA module + - debian/patches/CVE-2016-3710.patch: fix banked access bounds checking + in hw/display/vga.c. + - CVE-2016-3710 + * SECURITY UPDATE: denial of service via VGA module + - debian/patches/CVE-2016-3712.patch: make sure vga register setup for + vbe stays intact in hw/display/vga.c. + - CVE-2016-3712 + * SECURITY UPDATE: denial of service in Luminary Micro Stellaris Ethernet + - debian/patches/CVE-2016-4001.patch: check packet length against + receive buffer in hw/net/stellaris_enet.c. + - CVE-2016-4001 + * SECURITY UPDATE: denial of sevice and possible code execution in + MIPSnet + - debian/patches/CVE-2016-4002.patch: check size in hw/net/mipsnet.c. + - CVE-2016-4002 + * SECURITY UPDATE: host information leak via TPR access + - debian/patches/CVE-2016-4020.patch: initialize variable in + hw/i386/kvmvapic.c. + - CVE-2016-4020 + * SECURITY UPDATE: denial of service via infinite loop in in usb_ehci + - debian/patches/CVE-2016-4037.patch: apply limit to iTD/sidt + descriptors in hw/usb/hcd-ehci.c. + - CVE-2016-4037 + + -- Marc Deslauriers Tue, 10 May 2016 12:59:14 -0400 + qemu (1:2.5+dfsg-5ubuntu10) xenial; urgency=medium * qemu-system-s390x only available on s390x, so qemu-system should only diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2391.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2391.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2391.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2391.patch 2016-05-10 16:52:58.000000000 +0000 @@ -0,0 +1,96 @@ +From fa1298c2d623522eda7b4f1f721fcb935abb7360 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 22 Feb 2016 09:50:11 +0100 +Subject: [PATCH] ohci: allocate timer only once. + +Allocate timer once, at init time, instead of allocating/freeing +it all the time when starting/stopping the bus. Simplifies the +code, also fixes bugs (memory leak) due to missing checks whenever +the time is already allocated or not. + +Cc: Prasad J Pandit +Reported-by: Zuozhi Fzz +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ohci.c | 34 ++++++++-------------------------- + 1 files changed, 8 insertions(+), 26 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/hcd-ohci.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/hcd-ohci.c 2016-05-10 12:52:54.727787187 -0400 ++++ qemu-2.5+dfsg/hw/usb/hcd-ohci.c 2016-05-10 12:52:54.723787152 -0400 +@@ -1331,16 +1331,6 @@ + */ + static int ohci_bus_start(OHCIState *ohci) + { +- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, +- ohci_frame_boundary, +- ohci); +- +- if (ohci->eof_timer == NULL) { +- trace_usb_ohci_bus_eof_timer_failed(ohci->name); +- ohci_die(ohci); +- return 0; +- } +- + trace_usb_ohci_start(ohci->name); + + ohci_sof(ohci); +@@ -1352,11 +1342,7 @@ + static void ohci_bus_stop(OHCIState *ohci) + { + trace_usb_ohci_stop(ohci->name); +- if (ohci->eof_timer) { +- timer_del(ohci->eof_timer); +- timer_free(ohci->eof_timer); +- } +- ohci->eof_timer = NULL; ++ timer_del(ohci->eof_timer); + } + + /* Sets a flag in a port status register but only set it if the port is +@@ -1883,6 +1869,9 @@ + usb_packet_init(&ohci->usb_packet); + + ohci->async_td = 0; ++ ++ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ++ ohci_frame_boundary, ohci); + } + + #define TYPE_PCI_OHCI "pci-ohci" +@@ -1952,6 +1941,9 @@ + if (!ohci->masterbus) { + usb_bus_release(&s->bus); + } ++ ++ timer_del(s->eof_timer); ++ timer_free(s->eof_timer); + } + + static void usb_ohci_reset_pci(DeviceState *d) +@@ -2017,23 +2009,13 @@ + { + OHCIState *ohci = opaque; + +- return ohci->eof_timer != NULL; +-} +- +-static int ohci_eof_timer_pre_load(void *opaque) +-{ +- OHCIState *ohci = opaque; +- +- ohci_bus_start(ohci); +- +- return 0; ++ return timer_pending(ohci->eof_timer); + } + + static const VMStateDescription vmstate_ohci_eof_timer = { + .name = "ohci-core/eof-timer", + .version_id = 1, + .minimum_version_id = 1, +- .pre_load = ohci_eof_timer_pre_load, + .needed = ohci_eof_timer_needed, + .fields = (VMStateField[]) { + VMSTATE_TIMER_PTR(eof_timer, OHCIState), diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2392.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2392.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2392.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2392.patch 2016-05-10 16:53:42.000000000 +0000 @@ -0,0 +1,32 @@ +From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 11 Feb 2016 16:31:20 +0530 +Subject: [PATCH] usb: check USB configuration descriptor object + +When processing remote NDIS control message packets, the USB Net +device emulator checks to see if the USB configuration descriptor +object is of RNDIS type(2). But it does not check if it is null, +which leads to a null dereference error. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/dev-network.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/dev-network.c 2016-05-10 12:53:40.356190191 -0400 ++++ qemu-2.5+dfsg/hw/usb/dev-network.c 2016-05-10 12:53:40.352190156 -0400 +@@ -653,7 +653,8 @@ + + static int is_rndis(USBNetState *s) + { +- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; ++ return s->dev.config ? ++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; + } + + static int ndis_query(USBNetState *s, uint32_t oid, diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2538.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2538.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2538.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2538.patch 2016-05-10 16:53:53.000000000 +0000 @@ -0,0 +1,56 @@ +From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 17 Feb 2016 00:23:41 +0530 +Subject: [PATCH] usb: check RNDIS buffer offsets & length + +When processing remote NDIS control message packets, +the USB Net device emulator uses a fixed length(4096) data buffer. +The incoming informationBufferOffset & Length combination could +overflow and cross that range. Check control message buffer +offsets and length to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-network.c | 9 ++++++--- + 1 files changed, 6 insertions(+), 3 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/dev-network.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/dev-network.c 2016-05-10 12:53:51.108285466 -0400 ++++ qemu-2.5+dfsg/hw/usb/dev-network.c 2016-05-10 12:53:51.104285431 -0400 +@@ -915,8 +915,9 @@ + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + infobuflen = ndis_query(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen, infobuf, +@@ -961,8 +962,9 @@ + + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; + buflen = le32_to_cpu(buf->InformationBufferLength); +- if (bufoffs + buflen > length) ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { + return USB_RET_STALL; ++ } + + ret = ndis_set(s, le32_to_cpu(buf->OID), + bufoffs + (uint8_t *) buf, buflen); +@@ -1212,8 +1214,9 @@ + if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { + uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); + uint32_t size = le32_to_cpu(msg->DataLength); +- if (offs + size <= len) ++ if (offs < len && size < len && offs + size <= len) { + qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); ++ } + } + s->out_ptr -= len; + memmove(s->out_buf, &s->out_buf[len], s->out_ptr); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2841.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2841.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2841.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2841.patch 2016-05-10 16:54:06.000000000 +0000 @@ -0,0 +1,34 @@ +From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 24 Feb 2016 11:41:33 +0530 +Subject: [PATCH] net: ne2000: check ring buffer control registers + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. Registers PSTART & PSTOP +define ring buffer size & location. Setting these registers +to invalid values could lead to infinite loop or OOB r/w +access issues. Add check to avoid it. + +Reported-by: Yang Hongke +Tested-by: Yang Hongke +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/ne2000.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/ne2000.c 2016-05-10 12:54:04.004399892 -0400 ++++ qemu-2.5+dfsg/hw/net/ne2000.c 2016-05-10 12:54:04.000399857 -0400 +@@ -154,6 +154,10 @@ + { + int avail, index, boundary; + ++ if (s->stop <= s->start) { ++ return 1; ++ } ++ + index = s->curpag << 8; + boundary = s->boundary << 8; + if (index < boundary) diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2857.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2857.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2857.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2857.patch 2016-05-10 16:54:16.000000000 +0000 @@ -0,0 +1,44 @@ +From 362786f14a753d8a5256ef97d7c10ed576d6572b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 2 Mar 2016 17:29:58 +0530 +Subject: [PATCH] net: check packet payload length + +While computing IP checksum, 'net_checksum_calculate' reads +payload length from the packet. It could exceed the given 'data' +buffer size. Add a check to avoid it. + +Reported-by: Liu Ling +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + net/checksum.c | 10 ++++++++-- + 1 files changed, 8 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/net/checksum.c +=================================================================== +--- qemu-2.5+dfsg.orig/net/checksum.c 2016-05-10 12:54:14.280491190 -0400 ++++ qemu-2.5+dfsg/net/checksum.c 2016-05-10 12:54:14.280491190 -0400 +@@ -59,6 +59,11 @@ + int hlen, plen, proto, csum_offset; + uint16_t csum; + ++ /* Ensure data has complete L2 & L3 headers. */ ++ if (length < 14 + 20) { ++ return; ++ } ++ + if ((data[14] & 0xf0) != 0x40) + return; /* not IPv4 */ + hlen = (data[14] & 0x0f) * 4; +@@ -76,8 +81,9 @@ + return; + } + +- if (plen < csum_offset+2) +- return; ++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) { ++ return; ++ } + + data[14+hlen+csum_offset] = 0; + data[14+hlen+csum_offset+1] = 0; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-2858.patch qemu-2.5+dfsg/debian/patches/CVE-2016-2858.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-2858.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-2858.patch 2016-05-10 17:36:22.000000000 +0000 @@ -0,0 +1,372 @@ +Description: fix denial of service in PRNG support +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=74074e8a7c60592cf1cc6469dbc2550d24aeded3 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=443590c2044968a97f5e7cddd35100c6075856a4 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817183 + +Index: qemu-2.5+dfsg/backends/rng-egd.c +=================================================================== +--- qemu-2.5+dfsg.orig/backends/rng-egd.c 2016-05-10 13:33:19.000000000 -0400 ++++ qemu-2.5+dfsg/backends/rng-egd.c 2016-05-10 13:34:06.733806673 -0400 +@@ -24,33 +24,12 @@ + + CharDriverState *chr; + char *chr_name; +- +- GSList *requests; + } RngEgd; + +-typedef struct RngRequest +-{ +- EntropyReceiveFunc *receive_entropy; +- uint8_t *data; +- void *opaque; +- size_t offset; +- size_t size; +-} RngRequest; +- +-static void rng_egd_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) + { + RngEgd *s = RNG_EGD(b); +- RngRequest *req; +- +- req = g_malloc(sizeof(*req)); +- +- req->offset = 0; +- req->size = size; +- req->receive_entropy = receive_entropy; +- req->opaque = opaque; +- req->data = g_malloc(req->size); ++ size_t size = req->size; + + while (size > 0) { + uint8_t header[2]; +@@ -64,24 +43,15 @@ + + size -= len; + } +- +- s->requests = g_slist_append(s->requests, req); +-} +- +-static void rng_egd_free_request(RngRequest *req) +-{ +- g_free(req->data); +- g_free(req); + } + + static int rng_egd_chr_can_read(void *opaque) + { + RngEgd *s = RNG_EGD(opaque); +- GSList *i; ++ RngRequest *req; + int size = 0; + +- for (i = s->requests; i; i = i->next) { +- RngRequest *req = i->data; ++ QSIMPLEQ_FOREACH(req, &s->parent.requests, next) { + size += req->size - req->offset; + } + +@@ -93,8 +63,8 @@ + RngEgd *s = RNG_EGD(opaque); + size_t buf_offset = 0; + +- while (size > 0 && s->requests) { +- RngRequest *req = s->requests->data; ++ while (size > 0 && !QSIMPLEQ_EMPTY(&s->parent.requests)) { ++ RngRequest *req = QSIMPLEQ_FIRST(&s->parent.requests); + int len = MIN(size, req->size - req->offset); + + memcpy(req->data + req->offset, buf + buf_offset, len); +@@ -103,38 +73,13 @@ + size -= len; + + if (req->offset == req->size) { +- s->requests = g_slist_remove_link(s->requests, s->requests); +- + req->receive_entropy(req->opaque, req->data, req->size); + +- rng_egd_free_request(req); ++ rng_backend_finalize_request(&s->parent, req); + } + } + } + +-static void rng_egd_free_requests(RngEgd *s) +-{ +- GSList *i; +- +- for (i = s->requests; i; i = i->next) { +- rng_egd_free_request(i->data); +- } +- +- g_slist_free(s->requests); +- s->requests = NULL; +-} +- +-static void rng_egd_cancel_requests(RngBackend *b) +-{ +- RngEgd *s = RNG_EGD(b); +- +- /* We simply delete the list of pending requests. If there is data in the +- * queue waiting to be read, this is okay, because there will always be +- * more data than we requested originally +- */ +- rng_egd_free_requests(s); +-} +- + static void rng_egd_opened(RngBackend *b, Error **errp) + { + RngEgd *s = RNG_EGD(b); +@@ -203,8 +148,6 @@ + } + + g_free(s->chr_name); +- +- rng_egd_free_requests(s); + } + + static void rng_egd_class_init(ObjectClass *klass, void *data) +@@ -212,7 +155,6 @@ + RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); + + rbc->request_entropy = rng_egd_request_entropy; +- rbc->cancel_requests = rng_egd_cancel_requests; + rbc->opened = rng_egd_opened; + } + +Index: qemu-2.5+dfsg/backends/rng-random.c +=================================================================== +--- qemu-2.5+dfsg.orig/backends/rng-random.c 2016-05-10 13:33:19.000000000 -0400 ++++ qemu-2.5+dfsg/backends/rng-random.c 2016-05-10 13:34:06.737806730 -0400 +@@ -21,10 +21,6 @@ + + int fd; + char *filename; +- +- EntropyReceiveFunc *receive_func; +- void *opaque; +- size_t size; + }; + + /** +@@ -37,36 +33,35 @@ + static void entropy_available(void *opaque) + { + RndRandom *s = RNG_RANDOM(opaque); +- uint8_t buffer[s->size]; +- ssize_t len; + +- len = read(s->fd, buffer, s->size); +- if (len < 0 && errno == EAGAIN) { +- return; +- } +- g_assert(len != -1); ++ while (!QSIMPLEQ_EMPTY(&s->parent.requests)) { ++ RngRequest *req = QSIMPLEQ_FIRST(&s->parent.requests); ++ ssize_t len; ++ ++ len = read(s->fd, req->data, req->size); ++ if (len < 0 && errno == EAGAIN) { ++ return; ++ } ++ g_assert(len != -1); ++ ++ req->receive_entropy(req->opaque, req->data, len); + +- s->receive_func(s->opaque, buffer, len); +- s->receive_func = NULL; ++ rng_backend_finalize_request(&s->parent, req); ++ } + ++ /* We've drained all requests, the fd handler can be reset. */ + qemu_set_fd_handler(s->fd, NULL, NULL, NULL); + } + +-static void rng_random_request_entropy(RngBackend *b, size_t size, +- EntropyReceiveFunc *receive_entropy, +- void *opaque) ++static void rng_random_request_entropy(RngBackend *b, RngRequest *req) + { + RndRandom *s = RNG_RANDOM(b); + +- if (s->receive_func) { +- s->receive_func(s->opaque, NULL, 0); ++ if (QSIMPLEQ_EMPTY(&s->parent.requests)) { ++ /* If there are no pending requests yet, we need to ++ * install our fd handler. */ ++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } +- +- s->receive_func = receive_entropy; +- s->opaque = opaque; +- s->size = size; +- +- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); + } + + static void rng_random_opened(RngBackend *b, Error **errp) +Index: qemu-2.5+dfsg/backends/rng.c +=================================================================== +--- qemu-2.5+dfsg.orig/backends/rng.c 2016-05-10 13:33:19.000000000 -0400 ++++ qemu-2.5+dfsg/backends/rng.c 2016-05-10 13:34:06.737806730 -0400 +@@ -19,18 +19,20 @@ + void *opaque) + { + RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); ++ RngRequest *req; + + if (k->request_entropy) { +- k->request_entropy(s, size, receive_entropy, opaque); +- } +-} ++ req = g_malloc(sizeof(*req)); + +-void rng_backend_cancel_requests(RngBackend *s) +-{ +- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); ++ req->offset = 0; ++ req->size = size; ++ req->receive_entropy = receive_entropy; ++ req->opaque = opaque; ++ req->data = g_malloc(req->size); + +- if (k->cancel_requests) { +- k->cancel_requests(s); ++ k->request_entropy(s, req); ++ ++ QSIMPLEQ_INSERT_TAIL(&s->requests, req, next); + } + } + +@@ -72,14 +74,48 @@ + s->opened = true; + } + ++static void rng_backend_free_request(RngRequest *req) ++{ ++ g_free(req->data); ++ g_free(req); ++} ++ ++static void rng_backend_free_requests(RngBackend *s) ++{ ++ RngRequest *req, *next; ++ ++ QSIMPLEQ_FOREACH_SAFE(req, &s->requests, next, next) { ++ rng_backend_free_request(req); ++ } ++ ++ QSIMPLEQ_INIT(&s->requests); ++} ++ ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req) ++{ ++ QSIMPLEQ_REMOVE(&s->requests, req, RngRequest, next); ++ rng_backend_free_request(req); ++} ++ + static void rng_backend_init(Object *obj) + { ++ RngBackend *s = RNG_BACKEND(obj); ++ ++ QSIMPLEQ_INIT(&s->requests); ++ + object_property_add_bool(obj, "opened", + rng_backend_prop_get_opened, + rng_backend_prop_set_opened, + NULL); + } + ++static void rng_backend_finalize(Object *obj) ++{ ++ RngBackend *s = RNG_BACKEND(obj); ++ ++ rng_backend_free_requests(s); ++} ++ + static void rng_backend_class_init(ObjectClass *oc, void *data) + { + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); +@@ -92,6 +128,7 @@ + .parent = TYPE_OBJECT, + .instance_size = sizeof(RngBackend), + .instance_init = rng_backend_init, ++ .instance_finalize = rng_backend_finalize, + .class_size = sizeof(RngBackendClass), + .class_init = rng_backend_class_init, + .abstract = true, +Index: qemu-2.5+dfsg/include/sysemu/rng.h +=================================================================== +--- qemu-2.5+dfsg.orig/include/sysemu/rng.h 2016-05-10 13:33:19.000000000 -0400 ++++ qemu-2.5+dfsg/include/sysemu/rng.h 2016-05-10 13:34:06.737806730 -0400 +@@ -25,6 +25,7 @@ + #define RNG_BACKEND_CLASS(klass) \ + OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) + ++typedef struct RngRequest RngRequest; + typedef struct RngBackendClass RngBackendClass; + typedef struct RngBackend RngBackend; + +@@ -32,13 +33,21 @@ + const void *data, + size_t size); + ++struct RngRequest ++{ ++ EntropyReceiveFunc *receive_entropy; ++ uint8_t *data; ++ void *opaque; ++ size_t offset; ++ size_t size; ++ QSIMPLEQ_ENTRY(RngRequest) next; ++}; ++ + struct RngBackendClass + { + ObjectClass parent_class; + +- void (*request_entropy)(RngBackend *s, size_t size, +- EntropyReceiveFunc *receive_entropy, void *opaque); +- void (*cancel_requests)(RngBackend *s); ++ void (*request_entropy)(RngBackend *s, RngRequest *req); + + void (*opened)(RngBackend *s, Error **errp); + }; +@@ -49,8 +58,10 @@ + + /*< protected >*/ + bool opened; ++ QSIMPLEQ_HEAD(requests, RngRequest) requests; + }; + ++ + /** + * rng_backend_request_entropy: + * @s: the backend to request entropy from +@@ -71,12 +82,13 @@ + void *opaque); + + /** +- * rng_backend_cancel_requests: +- * @s: the backend to cancel all pending requests in ++ * rng_backend_free_request: ++ * @s: the backend that created the request ++ * @req: the request to finalize + * +- * Cancels all pending requests submitted by @rng_backend_request_entropy. This +- * should be used by a device during reset or in preparation for live migration +- * to stop tracking any request. ++ * Used by child rng backend classes to finalize requests once they've been ++ * processed. The request is removed from the list of active requests and ++ * deleted. + */ +-void rng_backend_cancel_requests(RngBackend *s); ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req); + #endif diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-3710.patch qemu-2.5+dfsg/debian/patches/CVE-2016-3710.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-3710.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-3710.patch 2016-05-10 16:57:15.000000000 +0000 @@ -0,0 +1,104 @@ +From 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 26 Apr 2016 08:49:10 +0200 +Subject: [PATCH] vga: fix banked access bounds checking (CVE-2016-3710) + +vga allows banked access to video memory using the window at 0xa00000 +and it supports a different access modes with different address +calculations. + +The VBE bochs extentions support banked access too, using the +VBE_DISPI_INDEX_BANK register. The code tries to take the different +address calculations into account and applies different limits to +VBE_DISPI_INDEX_BANK depending on the current access mode. + +Which is probably effective in stopping misprogramming by accident. +But from a security point of view completely useless as an attacker +can easily change access modes after setting the bank register. + +Drop the bogus check, add range checks to vga_mem_{readb,writeb} +instead. + +Fixes: CVE-2016-3710 +Reported-by: Qinghao Tang +Signed-off-by: Gerd Hoffmann +--- + hw/display/vga.c | 24 ++++++++++++++++++------ + 1 files changed, 18 insertions(+), 6 deletions(-) + +Index: qemu-2.5+dfsg/hw/display/vga.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/vga.c 2016-05-10 12:57:11.478081601 -0400 ++++ qemu-2.5+dfsg/hw/display/vga.c 2016-05-10 12:57:11.474081565 -0400 +@@ -177,6 +177,7 @@ + size = 0x8000; + break; + } ++ assert(offset + size <= s->vram_size); + memory_region_init_alias(&s->chain4_alias, memory_region_owner(&s->vram), + "vga.chain4", &s->vram, offset, size); + memory_region_add_subregion_overlap(s->legacy_address_space, base, +@@ -714,11 +715,7 @@ + vbe_fixup_regs(s); + break; + case VBE_DISPI_INDEX_BANK: +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- val &= (s->vbe_bank_mask >> 2); +- } else { +- val &= s->vbe_bank_mask; +- } ++ val &= s->vbe_bank_mask; + s->vbe_regs[s->vbe_index] = val; + s->bank_offset = (val << 16); + vga_update_memory_access(s); +@@ -817,13 +814,21 @@ + + if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) { + /* chain 4 mode : simplest access */ ++ assert(addr < s->vram_size); + ret = s->vram_ptr[addr]; + } else if (s->gr[VGA_GFX_MODE] & 0x10) { + /* odd/even mode (aka text mode mapping) */ + plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1); +- ret = s->vram_ptr[((addr & ~1) << 1) | plane]; ++ addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return 0xff; ++ } ++ ret = s->vram_ptr[addr]; + } else { + /* standard VGA latched access */ ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return 0xff; ++ } + s->latch = ((uint32_t *)s->vram_ptr)[addr]; + + if (!(s->gr[VGA_GFX_MODE] & 0x08)) { +@@ -880,6 +885,7 @@ + plane = addr & 3; + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { ++ assert(addr < s->vram_size); + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr); +@@ -893,6 +899,9 @@ + mask = (1 << plane); + if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) { + addr = ((addr & ~1) << 1) | plane; ++ if (addr >= s->vram_size) { ++ return; ++ } + s->vram_ptr[addr] = val; + #ifdef DEBUG_VGA_MEM + printf("vga: odd/even: [0x" TARGET_FMT_plx "]\n", addr); +@@ -966,6 +975,9 @@ + mask = s->sr[VGA_SEQ_PLANE_WRITE]; + s->plane_updated |= mask; /* only used to detect font change */ + write_mask = mask16[mask]; ++ if (addr * sizeof(uint32_t) >= s->vram_size) { ++ return; ++ } + ((uint32_t *)s->vram_ptr)[addr] = + (((uint32_t *)s->vram_ptr)[addr] & ~write_mask) | + (val & write_mask); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-3712.patch qemu-2.5+dfsg/debian/patches/CVE-2016-3712.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-3712.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-3712.patch 2016-05-10 17:10:45.000000000 +0000 @@ -0,0 +1,202 @@ +Description: fix denial of service via VGA module +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=bfa0f151a564a83b5a26f3e917da98674bf3cf62 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=2068192dcccd8a80dddfcc8df6164cf9c26e0fc4 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823830 + +Index: qemu-2.5+dfsg/hw/display/vga.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/vga.c 2016-05-10 12:57:11.474081565 -0400 ++++ qemu-2.5+dfsg/hw/display/vga.c 2016-05-10 12:57:41.498353953 -0400 +@@ -140,6 +140,13 @@ + static uint16_t expand2[256]; + static uint8_t expand4to8[16]; + ++static void vbe_update_vgaregs(VGACommonState *s); ++ ++static inline bool vbe_enabled(VGACommonState *s) ++{ ++ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED; ++} ++ + static void vga_update_memory_access(VGACommonState *s) + { + hwaddr base, offset, size; +@@ -477,6 +484,7 @@ + printf("vga: write SR%x = 0x%02x\n", s->sr_index, val); + #endif + s->sr[s->sr_index] = val & sr_mask[s->sr_index]; ++ vbe_update_vgaregs(s); + if (s->sr_index == VGA_SEQ_CLOCK_MODE) { + s->update_retrace_info(s); + } +@@ -508,6 +516,7 @@ + printf("vga: write GR%x = 0x%02x\n", s->gr_index, val); + #endif + s->gr[s->gr_index] = val & gr_mask[s->gr_index]; ++ vbe_update_vgaregs(s); + vga_update_memory_access(s); + break; + case VGA_CRT_IM: +@@ -526,10 +535,12 @@ + if (s->cr_index == VGA_CRTC_OVERFLOW) { + s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) | + (val & 0x10); ++ vbe_update_vgaregs(s); + } + return; + } + s->cr[s->cr_index] = val; ++ vbe_update_vgaregs(s); + + switch(s->cr_index) { + case VGA_CRTC_H_TOTAL: +@@ -562,7 +573,7 @@ + uint16_t *r = s->vbe_regs; + uint32_t bits, linelength, maxy, offset; + +- if (!(r[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { ++ if (!vbe_enabled(s)) { + /* vbe is turned off -- nothing to do */ + return; + } +@@ -637,6 +648,49 @@ + s->vbe_start_addr = offset / 4; + } + ++/* we initialize the VGA graphic mode */ ++static void vbe_update_vgaregs(VGACommonState *s) ++{ ++ int h, shift_control; ++ ++ if (!vbe_enabled(s)) { ++ /* vbe is turned off -- nothing to do */ ++ return; ++ } ++ ++ /* graphic mode + memory map 1 */ ++ s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | ++ VGA_GR06_GRAPHICS_MODE; ++ s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ ++ s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; ++ /* width */ ++ s->cr[VGA_CRTC_H_DISP] = ++ (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; ++ /* height (only meaningful if < 1024) */ ++ h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; ++ s->cr[VGA_CRTC_V_DISP_END] = h; ++ s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | ++ ((h >> 7) & 0x02) | ((h >> 3) & 0x40); ++ /* line compare to 1023 */ ++ s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; ++ s->cr[VGA_CRTC_OVERFLOW] |= 0x10; ++ s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; ++ ++ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { ++ shift_control = 0; ++ s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ ++ } else { ++ shift_control = 2; ++ /* set chain 4 mode */ ++ s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; ++ /* activate all planes */ ++ s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; ++ } ++ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | ++ (shift_control << 5); ++ s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ ++} ++ + static uint32_t vbe_ioport_read_index(void *opaque, uint32_t addr) + { + VGACommonState *s = opaque; +@@ -713,6 +767,7 @@ + case VBE_DISPI_INDEX_Y_OFFSET: + s->vbe_regs[s->vbe_index] = val; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + break; + case VBE_DISPI_INDEX_BANK: + val &= s->vbe_bank_mask; +@@ -723,52 +778,19 @@ + case VBE_DISPI_INDEX_ENABLE: + if ((val & VBE_DISPI_ENABLED) && + !(s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED)) { +- int h, shift_control; + + s->vbe_regs[VBE_DISPI_INDEX_VIRT_WIDTH] = 0; + s->vbe_regs[VBE_DISPI_INDEX_X_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_Y_OFFSET] = 0; + s->vbe_regs[VBE_DISPI_INDEX_ENABLE] |= VBE_DISPI_ENABLED; + vbe_fixup_regs(s); ++ vbe_update_vgaregs(s); + + /* clear the screen */ + if (!(val & VBE_DISPI_NOCLEARMEM)) { + memset(s->vram_ptr, 0, + s->vbe_regs[VBE_DISPI_INDEX_YRES] * s->vbe_line_offset); + } +- +- /* we initialize the VGA graphic mode */ +- /* graphic mode + memory map 1 */ +- s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 | +- VGA_GR06_GRAPHICS_MODE; +- s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */ +- s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3; +- /* width */ +- s->cr[VGA_CRTC_H_DISP] = +- (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1; +- /* height (only meaningful if < 1024) */ +- h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1; +- s->cr[VGA_CRTC_V_DISP_END] = h; +- s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) | +- ((h >> 7) & 0x02) | ((h >> 3) & 0x40); +- /* line compare to 1023 */ +- s->cr[VGA_CRTC_LINE_COMPARE] = 0xff; +- s->cr[VGA_CRTC_OVERFLOW] |= 0x10; +- s->cr[VGA_CRTC_MAX_SCAN] |= 0x40; +- +- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) { +- shift_control = 0; +- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */ +- } else { +- shift_control = 2; +- /* set chain 4 mode */ +- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M; +- /* activate all planes */ +- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES; +- } +- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) | +- (shift_control << 5); +- s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */ + } else { + s->bank_offset = 0; + } +@@ -1056,7 +1078,7 @@ + { + uint32_t start_addr, line_offset, line_compare; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + line_offset = s->vbe_line_offset; + start_addr = s->vbe_start_addr; + line_compare = 65535; +@@ -1381,7 +1403,7 @@ + { + int ret; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + ret = s->vbe_regs[VBE_DISPI_INDEX_BPP]; + } else { + ret = 0; +@@ -1393,7 +1415,7 @@ + { + int width, height; + +- if (s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED) { ++ if (vbe_enabled(s)) { + width = s->vbe_regs[VBE_DISPI_INDEX_XRES]; + height = s->vbe_regs[VBE_DISPI_INDEX_YRES]; + } else { diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4001.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4001.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4001.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4001.patch 2016-05-10 16:58:01.000000000 +0000 @@ -0,0 +1,43 @@ +From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 8 Apr 2016 11:33:48 +0530 +Subject: [PATCH] net: stellaris_enet: check packet length against receive buffer + +When receiving packets over Stellaris ethernet controller, it +uses receive buffer of size 2048 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported-by: Oleksandr Bazhaniuk +Signed-off-by: Prasad J Pandit +Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +--- + hw/net/stellaris_enet.c | 12 +++++++++++- + 1 files changed, 11 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/stellaris_enet.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/stellaris_enet.c 2016-05-10 12:57:59.062513678 -0400 ++++ qemu-2.5+dfsg/hw/net/stellaris_enet.c 2016-05-10 12:57:59.058513642 -0400 +@@ -235,8 +235,18 @@ + n = s->next_packet + s->np; + if (n >= 31) + n -= 31; +- s->np++; + ++ if (size >= sizeof(s->rx[n].data) - 6) { ++ /* If the packet won't fit into the ++ * emulated 2K RAM, this is reported ++ * as a FIFO overrun error. ++ */ ++ s->ris |= SE_INT_FOV; ++ stellaris_enet_update(s); ++ return -1; ++ } ++ ++ s->np++; + s->rx[n].len = size + 6; + p = s->rx[n].data; + *(p++) = (size + 6); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4002.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4002.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4002.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4002.patch 2016-05-10 16:58:07.000000000 +0000 @@ -0,0 +1,30 @@ +From: Prasad J Pandit + +When receiving packets over MIPSnet network device, it uses + receive buffer of size 1514 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported by: Oleksandr Bazhaniuk + +Signed-off-by: Prasad J Pandit +--- + hw/net/mipsnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c +index f261011..e134b31 100644 +--- a/hw/net/mipsnet.c ++++ b/hw/net/mipsnet.c +@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si + if (!mipsnet_can_receive(nc)) + return 0; + ++ if (size >= sizeof(s->rx_buffer)) { ++ return 0; ++ } + s->busy = 1; + + /* Just accept everything. */ +-- +2.5.5 diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4020.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4020.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4020.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4020.patch 2016-05-10 16:58:19.000000000 +0000 @@ -0,0 +1,26 @@ +From: Prasad J Pandit + +When processing Task Priorty Register(TPR) access, it could leak +automatic stack variable 'imm32' in patch_instruction(). +Initialise the variable to avoid it. + +Reported by: Donghai Zdh + +Signed-off-by: Prasad J Pandit +--- + hw/i386/kvmvapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-2.5+dfsg/hw/i386/kvmvapic.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/i386/kvmvapic.c 2016-05-10 12:58:17.274679585 -0400 ++++ qemu-2.5+dfsg/hw/i386/kvmvapic.c 2016-05-10 12:58:17.270679549 -0400 +@@ -393,7 +393,7 @@ + CPUX86State *env = &cpu->env; + VAPICHandlers *handlers; + uint8_t opcode[2]; +- uint32_t imm32; ++ uint32_t imm32 = 0; + target_ulong current_pc = 0; + target_ulong current_cs_base = 0; + int current_flags = 0; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4037.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4037.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4037.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4037.patch 2016-05-10 16:58:56.000000000 +0000 @@ -0,0 +1,59 @@ +From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 18 Apr 2016 09:11:38 +0200 +Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a +DoS by the guest (create a circular iTD queue and let qemu ehci +emulation run in circles forever). Unfortunately this has two problems: +First it misses the case of siTDs, and second it reportedly breaks +FreeBSD. + +So lets go for a different approach: just count the number of iTDs and +siTDs we have seen per frame and apply a limit. That should really +catch all cases now. + +Reported-by: 杜少博 +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/hcd-ehci.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/hcd-ehci.c 2016-05-10 12:58:53.875013888 -0400 ++++ qemu-2.5+dfsg/hw/usb/hcd-ehci.c 2016-05-10 12:58:53.871013851 -0400 +@@ -2006,6 +2006,7 @@ + static void ehci_advance_state(EHCIState *ehci, int async) + { + EHCIQueue *q = NULL; ++ int itd_count = 0; + int again; + + do { +@@ -2030,10 +2031,12 @@ + + case EST_FETCHITD: + again = ehci_state_fetchitd(ehci, async); ++ itd_count++; + break; + + case EST_FETCHSITD: + again = ehci_state_fetchsitd(ehci, async); ++ itd_count++; + break; + + case EST_ADVANCEQUEUE: +@@ -2082,7 +2085,8 @@ + break; + } + +- if (again < 0) { ++ if (again < 0 || itd_count > 16) { ++ /* TODO: notify guest (raise HSE irq?) */ + fprintf(stderr, "processing error - resetting ehci HC\n"); + ehci_reset(ehci); + again = 0; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4439.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4439.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4439.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4439.patch 2016-08-03 16:36:42.000000000 +0000 @@ -0,0 +1,39 @@ +From c98c6c105f66f05aa0b7c1d2a4a3f716450907ef Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 19 May 2016 16:09:30 +0530 +Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. While +writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check +was missing to validate input length. Add check to avoid OOB write +access. + +Fixes CVE-2016-4439. + +Reported-by: Li Qiang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/esp.c | 6 +++++- + 1 files changed, 5 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/esp.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/esp.c 2016-08-03 12:36:40.428586339 -0400 ++++ qemu-2.5+dfsg/hw/scsi/esp.c 2016-08-03 12:36:40.424586300 -0400 +@@ -446,7 +446,11 @@ + break; + case ESP_FIFO: + if (s->do_cmd) { +- s->cmdbuf[s->cmdlen++] = val & 0xff; ++ if (s->cmdlen < TI_BUFSZ) { ++ s->cmdbuf[s->cmdlen++] = val & 0xff; ++ } else { ++ trace_esp_error_fifo_overrun(); ++ } + } else if (s->ti_size == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4441.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4441.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4441.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4441.patch 2016-08-03 16:36:49.000000000 +0000 @@ -0,0 +1,72 @@ +From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 19 May 2016 16:09:31 +0530 +Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441) + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() uses DMA to read scsi commands into this buffer. +Add check to validate DMA length against buffer size to avoid any +overrun. + +Fixes CVE-2016-4441. + +Reported-by: Li Qiang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/esp.c | 11 +++++++---- + 1 files changed, 7 insertions(+), 4 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/esp.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/esp.c 2016-08-03 12:36:47.488655041 -0400 ++++ qemu-2.5+dfsg/hw/scsi/esp.c 2016-08-03 12:36:47.488655041 -0400 +@@ -80,7 +80,7 @@ + } + } + +-static uint32_t get_cmd(ESPState *s, uint8_t *buf) ++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + { + uint32_t dmalen; + int target; +@@ -90,6 +90,9 @@ + dmalen = s->rregs[ESP_TCLO]; + dmalen |= s->rregs[ESP_TCMID] << 8; + dmalen |= s->rregs[ESP_TCHI] << 16; ++ if (dmalen > buflen) { ++ return 0; ++ } + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; +@@ -164,7 +167,7 @@ + s->dma_cb = handle_satn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) + do_cmd(s, buf); + } +@@ -178,7 +181,7 @@ + s->dma_cb = handle_s_without_atn; + return; + } +- len = get_cmd(s, buf); ++ len = get_cmd(s, buf, sizeof(buf)); + if (len) { + do_busid_cmd(s, buf, 0); + } +@@ -190,7 +193,7 @@ + s->dma_cb = handle_satn_stop; + return; + } +- s->cmdlen = get_cmd(s, s->cmdbuf); ++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); + if (s->cmdlen) { + trace_esp_handle_satn_stop(s->cmdlen); + s->do_cmd = 1; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4453.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4453.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4453.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4453.patch 2016-08-03 16:37:35.000000000 +0000 @@ -0,0 +1,42 @@ +From 4e68a0ee17dad7b8d870df0081d4ab2e079016c2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 30 May 2016 09:09:21 +0200 +Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +vmsvga_fifo_run is called in regular intervals (on each display update) +and will resume where it left off. So we can simply exit the loop, +without having to worry about how processing will continue. + +Fixes: CVE-2016-4453 +Cc: qemu-stable@nongnu.org +Cc: P J P +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com +--- + hw/display/vmware_vga.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/display/vmware_vga.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/vmware_vga.c 2016-08-03 12:37:33.717075881 -0400 ++++ qemu-2.5+dfsg/hw/display/vmware_vga.c 2016-08-03 12:37:33.713075845 -0400 +@@ -595,13 +595,13 @@ + static void vmsvga_fifo_run(struct vmsvga_state_s *s) + { + uint32_t cmd, colour; +- int args, len; ++ int args, len, maxloop = 1024; + int x, y, dx, dy, width, height; + struct vmsvga_cursor_definition_s cursor; + uint32_t cmd_start; + + len = vmsvga_fifo_length(s); +- while (len > 0) { ++ while (len > 0 && --maxloop > 0) { + /* May need to go back to the start of the command if incomplete */ + cmd_start = s->fifo_stop; + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4454.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4454.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4454.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4454.patch 2016-08-03 16:46:54.000000000 +0000 @@ -0,0 +1,141 @@ +Description: fix DoS or host memory leak in vmware_vga +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=521360267876d3b6518b328051a2e56bca55bef8 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=7e486f7577764a07aa35588e119903c80a5c30a2 + +Index: qemu-2.5+dfsg/hw/display/vmware_vga.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/vmware_vga.c 2015-12-12 07:16:02.000000000 -0500 ++++ qemu-2.5+dfsg/hw/display/vmware_vga.c 2016-08-03 12:37:16.144917017 -0400 +@@ -64,17 +64,11 @@ + uint8_t *fifo_ptr; + unsigned int fifo_size; + +- union { +- uint32_t *fifo; +- struct QEMU_PACKED { +- uint32_t min; +- uint32_t max; +- uint32_t next_cmd; +- uint32_t stop; +- /* Add registers here when adding capabilities. */ +- uint32_t fifo[0]; +- } *cmd; +- }; ++ uint32_t *fifo; ++ uint32_t fifo_min; ++ uint32_t fifo_max; ++ uint32_t fifo_next; ++ uint32_t fifo_stop; + + #define REDRAW_FIFO_LEN 512 + struct vmsvga_rect_s { +@@ -196,7 +190,7 @@ + */ + SVGA_FIFO_MIN = 0, + SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */ +- SVGA_FIFO_NEXT_CMD, ++ SVGA_FIFO_NEXT, + SVGA_FIFO_STOP, + + /* +@@ -544,8 +538,6 @@ + } + #endif + +-#define CMD(f) le32_to_cpu(s->cmd->f) +- + static inline int vmsvga_fifo_length(struct vmsvga_state_s *s) + { + int num; +@@ -553,21 +545,45 @@ + if (!s->config || !s->enable) { + return 0; + } +- num = CMD(next_cmd) - CMD(stop); ++ ++ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]); ++ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]); ++ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]); ++ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]); ++ ++ /* Check range and alignment. */ ++ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) { ++ return 0; ++ } ++ if (s->fifo_min < sizeof(uint32_t) * 4) { ++ return 0; ++ } ++ if (s->fifo_max > SVGA_FIFO_SIZE || ++ s->fifo_min >= SVGA_FIFO_SIZE || ++ s->fifo_stop >= SVGA_FIFO_SIZE || ++ s->fifo_next >= SVGA_FIFO_SIZE) { ++ return 0; ++ } ++ if (s->fifo_max < s->fifo_min + 10 * 1024) { ++ return 0; ++ } ++ ++ num = s->fifo_next - s->fifo_stop; + if (num < 0) { +- num += CMD(max) - CMD(min); ++ num += s->fifo_max - s->fifo_min; + } + return num >> 2; + } + + static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s) + { +- uint32_t cmd = s->fifo[CMD(stop) >> 2]; ++ uint32_t cmd = s->fifo[s->fifo_stop >> 2]; + +- s->cmd->stop = cpu_to_le32(CMD(stop) + 4); +- if (CMD(stop) >= CMD(max)) { +- s->cmd->stop = s->cmd->min; ++ s->fifo_stop += 4; ++ if (s->fifo_stop >= s->fifo_max) { ++ s->fifo_stop = s->fifo_min; + } ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + return cmd; + } + +@@ -587,7 +603,7 @@ + len = vmsvga_fifo_length(s); + while (len > 0) { + /* May need to go back to the start of the command if incomplete */ +- cmd_start = s->cmd->stop; ++ cmd_start = s->fifo_stop; + + switch (cmd = vmsvga_fifo_read(s)) { + case SVGA_CMD_UPDATE: +@@ -746,7 +762,8 @@ + break; + + rewind: +- s->cmd->stop = cmd_start; ++ s->fifo_stop = cmd_start; ++ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop); + break; + } + } +@@ -1003,19 +1020,6 @@ + case SVGA_REG_CONFIG_DONE: + if (value) { + s->fifo = (uint32_t *) s->fifo_ptr; +- /* Check range and alignment. */ +- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) { +- break; +- } +- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) { +- break; +- } +- if (CMD(max) > SVGA_FIFO_SIZE) { +- break; +- } +- if (CMD(max) < CMD(min) + 10 * 1024) { +- break; +- } + vga_dirty_log_stop(&s->vga); + } + s->config = !!value; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-4952.patch qemu-2.5+dfsg/debian/patches/CVE-2016-4952.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-4952.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-4952.patch 2016-08-03 16:37:46.000000000 +0000 @@ -0,0 +1,99 @@ +From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 23 May 2016 16:18:05 +0530 +Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952) + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the ring buffer size to an arbitrary +value leading to OOB access issue. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com> +Reviewed-by: Shmulik Ladkani +Reviewed-by: Dmitry Fleytman +Signed-off-by: Paolo Bonzini +--- + hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- + 1 files changed, 20 insertions(+), 4 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/vmw_pvscsi.c 2016-08-03 12:37:44.329171886 -0400 ++++ qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c 2016-08-03 12:37:44.325171850 -0400 +@@ -126,7 +126,7 @@ + return log; + } + +-static void ++static int + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -134,6 +134,10 @@ + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + ++ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) ++ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { ++ return -1; ++ } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -165,15 +169,20 @@ + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + +-static void ++static int + pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + { + int i; + uint32_t len_log2; + uint32_t ring_size; + ++ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ return -1; ++ } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; + len_log2 = pvscsi_log2(ring_size - 1); + +@@ -193,6 +202,8 @@ + + /* Flush ring state page changes */ + smp_wmb(); ++ ++ return 0; + } + + static void +@@ -743,7 +754,10 @@ + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + + pvscsi_dbg_dump_tx_rings_config(rc); +- pvscsi_ring_init_data(&s->rings, rc); ++ if (pvscsi_ring_init_data(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } ++ + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; + } +@@ -823,7 +837,9 @@ + } + + if (s->rings_info_valid) { +- pvscsi_ring_init_msg(&s->rings, rc); ++ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } + s->msg_ring_info_valid = TRUE; + } + return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5105.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5105.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5105.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5105.patch 2016-08-03 16:38:43.000000000 +0000 @@ -0,0 +1,31 @@ +From d37af740730dbbb93960cd318e040372d04d6dcf Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 25 May 2016 17:41:44 +0530 +Subject: [PATCH] scsi: megasas: initialise local configuration data buffer + +When reading MegaRAID SAS controller configuration via MegaRAID +Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read +uses an uninitialised local data buffer. Initialise this buffer +to avoid stack information leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/megasas.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/megasas.c 2016-08-03 12:38:41.089686169 -0400 ++++ qemu-2.5+dfsg/hw/scsi/megasas.c 2016-08-03 12:38:41.089686169 -0400 +@@ -1292,7 +1292,7 @@ + + static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + { +- uint8_t data[4096]; ++ uint8_t data[4096] = { 0 }; + struct mfi_config_data *info; + int num_pd_disks = 0, array_offset, ld_offset; + BusChild *kid; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5106.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5106.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5106.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5106.patch 2016-08-03 16:38:49.000000000 +0000 @@ -0,0 +1,31 @@ +From 1b85898025c4cd95dce673d15e67e60e98e91731 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 25 May 2016 16:01:29 +0530 +Subject: [PATCH] scsi: megasas: use appropriate property buffer size + +When setting MegaRAID SAS controller properties via MegaRAID +Firmware Interface(MFI) commands, a user supplied size parameter +is used to set property value. Use appropriate size value to avoid +OOB access issues. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/megasas.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/megasas.c 2016-08-03 12:38:47.465744023 -0400 ++++ qemu-2.5+dfsg/hw/scsi/megasas.c 2016-08-03 12:38:47.461743986 -0400 +@@ -1445,7 +1445,7 @@ + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg); ++ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5107.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5107.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5107.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5107.patch 2016-08-03 16:39:02.000000000 +0000 @@ -0,0 +1,33 @@ +From b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 25 May 2016 17:55:10 +0530 +Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value + +While doing MegaRAID SAS controller command frame lookup, routine +'megasas_lookup_frame' uses 'read_queue_head' value as an index +into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value +within array bounds to avoid any OOB access. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com> +Reviewed-by: Alexander Graf +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/megasas.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/megasas.c 2016-08-03 12:39:00.869865697 -0400 ++++ qemu-2.5+dfsg/hw/scsi/megasas.c 2016-08-03 12:39:00.865865662 -0400 +@@ -649,7 +649,9 @@ + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; + s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head %= MEGASAS_MAX_FRAMES; + s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { + s->flags |= MEGASAS_MASK_USE_QUEUE64; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5126.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5126.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5126.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5126.patch 2016-08-03 16:39:16.000000000 +0000 @@ -0,0 +1,34 @@ +From a6b3167fa0e825aebb5a7cd8b437b6d41584a196 Mon Sep 17 00:00:00 2001 +From: Peter Lieven +Date: Tue, 24 May 2016 10:59:28 +0200 +Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb + +at least in the path via virtio-blk the maximum size is not +restricted. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Lieven +Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de> +Signed-off-by: Paolo Bonzini +--- + block/iscsi.c | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/block/iscsi.c +=================================================================== +--- qemu-2.5+dfsg.orig/block/iscsi.c 2016-08-03 12:39:13.421979704 -0400 ++++ qemu-2.5+dfsg/block/iscsi.c 2016-08-03 12:39:13.417979667 -0400 +@@ -834,6 +834,13 @@ + return &acb->common; + } + ++ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) { ++ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)", ++ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE); ++ qemu_aio_unref(acb); ++ return NULL; ++ } ++ + acb->task = malloc(sizeof(struct scsi_task)); + if (acb->task == NULL) { + error_report("iSCSI: Failed to allocate task for scsi command. %s", diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5238.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5238.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5238.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5238.patch 2016-08-03 16:39:27.000000000 +0000 @@ -0,0 +1,33 @@ +From d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 31 May 2016 23:23:27 +0530 +Subject: [PATCH] scsi: esp: check buffer length before reading scsi command + +The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte +FIFO buffer. It is used to handle command and data transfer. +Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi +command into a buffer. Add check to validate command length against +buffer size to avoid any overrun. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/esp.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/esp.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/esp.c 2016-08-03 12:39:25.826092428 -0400 ++++ qemu-2.5+dfsg/hw/scsi/esp.c 2016-08-03 12:39:25.822092391 -0400 +@@ -96,6 +96,9 @@ + s->dma_memory_read(s->dma_opaque, buf, dmalen); + } else { + dmalen = s->ti_size; ++ if (dmalen > TI_BUFSZ) { ++ return 0; ++ } + memcpy(buf, s->ti_buf, dmalen); + buf[0] = buf[2] >> 5; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5337.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5337.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5337.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5337.patch 2016-08-03 16:39:41.000000000 +0000 @@ -0,0 +1,29 @@ +From 844864fbae66935951529408831c2f22367a57b6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 7 Jun 2016 16:44:03 +0530 +Subject: [PATCH] scsi: megasas: null terminate bios version buffer + +While reading information via 'megasas_ctrl_get_info' routine, +a local bios version buffer isn't null terminated. Add the +terminating null byte to avoid any OOB access. + +Reported-by: Li Qiang +Reviewed-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/megasas.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/megasas.c 2016-08-03 12:39:38.630208850 -0400 ++++ qemu-2.5+dfsg/hw/scsi/megasas.c 2016-08-03 12:39:38.626208814 -0400 +@@ -772,6 +772,7 @@ + + ptr = memory_region_get_ram_ptr(&pci_dev->rom); + memcpy(biosver, ptr + 0x41, 31); ++ biosver[31] = 0; + memcpy(info.image_component[1].name, "BIOS", 4); + memcpy(info.image_component[1].version, biosver, + strlen((const char *)biosver)); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5338.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5338.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5338.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5338.patch 2016-08-03 16:39:53.000000000 +0000 @@ -0,0 +1,68 @@ +From ff589551c8e8e9e95e211b9d8daafb4ed39f1aec Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 6 Jun 2016 22:04:43 +0530 +Subject: [PATCH] scsi: esp: check TI buffer index before read/write + +The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte +FIFO buffers. One is used to handle commands and other is for +information transfer. Three control variables 'ti_rptr', +'ti_wptr' and 'ti_size' are used to control r/w access to the +information transfer buffer ti_buf[TI_BUFSZ=16]. In that, + +'ti_rptr' is used as read index, where read occurs. +'ti_wptr' is a write index, where write would occur. +'ti_size' indicates total bytes to be read from the buffer. + +While reading/writing to this buffer, index could exceed its +size. Add check to avoid OOB r/w access. + +Reported-by: Huawei PSIRT +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/esp.c | 20 +++++++++----------- + 1 files changed, 9 insertions(+), 11 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/esp.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/esp.c 2016-08-03 12:39:51.074322061 -0400 ++++ qemu-2.5+dfsg/hw/scsi/esp.c 2016-08-03 12:39:51.070322025 -0400 +@@ -401,19 +401,17 @@ + trace_esp_mem_readb(saddr, s->rregs[saddr]); + switch (saddr) { + case ESP_FIFO: +- if (s->ti_size > 0) { ++ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { ++ /* Data out. */ ++ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n"); ++ s->rregs[ESP_FIFO] = 0; ++ esp_raise_irq(s); ++ } else if (s->ti_rptr < s->ti_wptr) { + s->ti_size--; +- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { +- /* Data out. */ +- qemu_log_mask(LOG_UNIMP, +- "esp: PIO data read not implemented\n"); +- s->rregs[ESP_FIFO] = 0; +- } else { +- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; +- } ++ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; + esp_raise_irq(s); + } +- if (s->ti_size == 0) { ++ if (s->ti_rptr == s->ti_wptr) { + s->ti_rptr = 0; + s->ti_wptr = 0; + } +@@ -457,7 +455,7 @@ + } else { + trace_esp_error_fifo_overrun(); + } +- } else if (s->ti_size == TI_BUFSZ - 1) { ++ } else if (s->ti_wptr == TI_BUFSZ - 1) { + trace_esp_error_fifo_overrun(); + } else { + s->ti_size++; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5403-2.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5403-2.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5403-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5403-2.patch 2016-11-07 17:34:19.000000000 +0000 @@ -0,0 +1,51 @@ +Backport of: + +From bccdef6b1a204db0f41ffb6e24ce373e4d7890d4 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Mon, 15 Aug 2016 13:54:15 +0100 +Subject: [PATCH] virtio: recalculate vq->inuse after migration + +The vq->inuse field is not migrated. Many devices don't hold +VirtQueueElements across migration so it doesn't matter that vq->inuse +starts at 0 on the destination QEMU. + +At least virtio-serial, virtio-blk, and virtio-balloon migrate while +holding VirtQueueElements. For these devices we need to recalculate +vq->inuse upon load so the value is correct. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Cornelia Huck +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/virtio/virtio.c | 15 +++++++++++++++ + 1 files changed, 15 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/virtio/virtio.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/virtio/virtio.c 2016-11-07 12:33:49.170824732 -0500 ++++ qemu-2.5+dfsg/hw/virtio/virtio.c 2016-11-07 12:34:16.319128898 -0500 +@@ -1518,6 +1518,21 @@ + vdev->vq[i].last_avail_idx, nheads); + return -1; + } ++ ++ /* ++ * Some devices migrate VirtQueueElements that have been popped ++ * from the avail ring but not yet returned to the used ring. ++ */ ++ vdev->vq[i].inuse = vdev->vq[i].last_avail_idx - ++ vring_used_idx(&vdev->vq[i]); ++ if (vdev->vq[i].inuse > vdev->vq[i].vring.num) { ++ error_report("VQ %d size 0x%x < last_avail_idx 0x%x - " ++ "used_idx 0x%x", ++ i, vdev->vq[i].vring.num, ++ vdev->vq[i].last_avail_idx, ++ vring_used_idx(&vdev->vq[i])); ++ return -1; ++ } + } + } + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5403-3.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5403-3.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5403-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5403-3.patch 2016-11-07 15:50:43.000000000 +0000 @@ -0,0 +1,31 @@ +From 58a83c61496eeb0d31571a07a51bc1947e3379ac Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Mon, 15 Aug 2016 13:54:16 +0100 +Subject: [PATCH] virtio: decrement vq->inuse in virtqueue_discard() + +virtqueue_discard() moves vq->last_avail_idx back so the element can be +popped again. It's necessary to decrement vq->inuse to avoid "leaking" +the element count. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Cornelia Huck +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/virtio/virtio.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/virtio/virtio.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/virtio/virtio.c 2016-11-07 10:50:40.761490803 -0500 ++++ qemu-2.5+dfsg/hw/virtio/virtio.c 2016-11-07 10:50:40.761490803 -0500 +@@ -271,6 +271,7 @@ + unsigned int len) + { + vq->last_avail_idx--; ++ vq->inuse--; + virtqueue_unmap_sg(vq, elem, len); + } + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5403-4.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5403-4.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5403-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5403-4.patch 2016-11-07 15:50:49.000000000 +0000 @@ -0,0 +1,46 @@ +From 4b7f91ed0270a371e1933efa21ba600b6da23ab9 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Wed, 7 Sep 2016 11:51:25 -0400 +Subject: [PATCH] virtio: zero vq->inuse in virtio_reset() + +vq->inuse must be zeroed upon device reset like most other virtqueue +fields. + +In theory, virtio_reset() just needs assert(vq->inuse == 0) since +devices must clean up in-flight requests during reset (requests cannot +not be leaked!). + +In practice, it is difficult to achieve vq->inuse == 0 across reset +because balloon, blk, 9p, etc implement various different strategies for +cleaning up requests. Most devices call g_free(elem) directly without +telling virtio.c that the VirtQueueElement is cleaned up. Therefore +vq->inuse is not decremented during reset. + +This patch zeroes vq->inuse and trusts that devices are not leaking +VirtQueueElements across reset. + +I will send a follow-up series that refactors request life-cycle across +all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but +this more invasive approach is not appropriate for stable trees. + +Signed-off-by: Stefan Hajnoczi +Cc: qemu-stable +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Ladi Prosek +--- + hw/virtio/virtio.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/virtio/virtio.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/virtio/virtio.c 2016-11-07 10:50:47.541566765 -0500 ++++ qemu-2.5+dfsg/hw/virtio/virtio.c 2016-11-07 10:50:47.529566630 -0500 +@@ -684,6 +684,7 @@ + vdev->vq[i].signalled_used_valid = false; + vdev->vq[i].notification = true; + vdev->vq[i].vring.num = vdev->vq[i].vring.num_default; ++ vdev->vq[i].inuse = 0; + } + } + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-5403.patch qemu-2.5+dfsg/debian/patches/CVE-2016-5403.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-5403.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-5403.patch 2016-08-03 16:40:06.000000000 +0000 @@ -0,0 +1,62 @@ +From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001 +From: Stefan Hajnoczi +Date: Tue, 19 Jul 2016 13:07:13 +0100 +Subject: [PATCH] virtio: error out if guest exceeds virtqueue size + +A broken or malicious guest can submit more requests than the virtqueue +size permits, causing unbounded memory allocation in QEMU. + +The guest can submit requests without bothering to wait for completion +and is therefore not bound by virtqueue size. This requires reusing +vring descriptors in more than one request, which is not allowed by the +VIRTIO 1.0 specification. + +In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification +says: + + 1. The driver places the buffer into free descriptor(s) in the + descriptor table, chaining as necessary + +and + + Note that the above code does not take precautions against the + available ring buffer wrapping around: this is not possible since the + ring buffer is the same size as the descriptor table, so step (1) will + prevent such a condition. + +This implies that placing more buffers into the virtqueue than the +descriptor table size is not allowed. + +QEMU is missing the check to prevent this case. Processing a request +allocates a VirtQueueElement leading to unbounded memory allocation +controlled by the guest. + +Exit with an error if the guest provides more requests than the +virtqueue size permits. This bounds memory allocation and makes the +buggy guest visible to the user. + +This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 +Marvel Team, China. + +Reported-by: Zhenhao Hong +Signed-off-by: Stefan Hajnoczi +--- + hw/virtio/virtio.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/virtio/virtio.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/virtio/virtio.c 2016-08-03 12:40:03.674436754 -0400 ++++ qemu-2.5+dfsg/hw/virtio/virtio.c 2016-08-03 12:40:03.670436717 -0400 +@@ -515,6 +515,11 @@ + + max = vq->vring.num; + ++ if (vq->inuse >= vq->vring.num) { ++ error_report("Virtqueue size exceeded"); ++ exit(1); ++ } ++ + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); + if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { + vring_set_avail_event(vq, vq->last_avail_idx); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6351.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6351.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6351.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6351.patch 2016-08-03 16:40:40.000000000 +0000 @@ -0,0 +1,93 @@ +Description: fix oob write access while reading ESP command +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 +Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=cc96677469388bad3d66479379735cf75db069e3 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832621 + +Index: qemu-2.5+dfsg/hw/scsi/esp.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/esp.c 2016-08-03 12:40:33.338707014 -0400 ++++ qemu-2.5+dfsg/hw/scsi/esp.c 2016-08-03 12:40:33.334706977 -0400 +@@ -247,6 +247,8 @@ + len = s->dma_left; + if (s->do_cmd) { + trace_esp_do_dma(s->cmdlen, len); ++ assert (s->cmdlen <= sizeof(s->cmdbuf) && ++ len <= sizeof(s->cmdbuf) - s->cmdlen); + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + s->ti_size = 0; + s->cmdlen = 0; +@@ -346,7 +348,7 @@ + s->dma_counter = dmalen; + + if (s->do_cmd) +- minlen = (dmalen < 32) ? dmalen : 32; ++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; + else if (s->ti_size < 0) + minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; + else +@@ -450,7 +452,7 @@ + break; + case ESP_FIFO: + if (s->do_cmd) { +- if (s->cmdlen < TI_BUFSZ) { ++ if (s->cmdlen < ESP_CMDBUF_SZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + trace_esp_error_fifo_overrun(); +@@ -573,7 +575,7 @@ + + const VMStateDescription vmstate_esp = { + .name ="esp", +- .version_id = 3, ++ .version_id = 4, + .minimum_version_id = 3, + .fields = (VMStateField[]) { + VMSTATE_BUFFER(rregs, ESPState), +@@ -584,7 +586,8 @@ + VMSTATE_BUFFER(ti_buf, ESPState), + VMSTATE_UINT32(status, ESPState), + VMSTATE_UINT32(dma, ESPState), +- VMSTATE_BUFFER(cmdbuf, ESPState), ++ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16), ++ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4), + VMSTATE_UINT32(cmdlen, ESPState), + VMSTATE_UINT32(do_cmd, ESPState), + VMSTATE_UINT32(dma_left, ESPState), +Index: qemu-2.5+dfsg/include/hw/scsi/esp.h +=================================================================== +--- qemu-2.5+dfsg.orig/include/hw/scsi/esp.h 2016-08-03 12:40:33.338707014 -0400 ++++ qemu-2.5+dfsg/include/hw/scsi/esp.h 2016-08-03 12:40:33.334706977 -0400 +@@ -14,6 +14,7 @@ + + #define ESP_REGS 16 + #define TI_BUFSZ 16 ++#define ESP_CMDBUF_SZ 32 + + typedef struct ESPState ESPState; + +@@ -31,7 +32,7 @@ + SCSIBus bus; + SCSIDevice *current_dev; + SCSIRequest *current_req; +- uint8_t cmdbuf[TI_BUFSZ]; ++ uint8_t cmdbuf[ESP_CMDBUF_SZ]; + uint32_t cmdlen; + uint32_t do_cmd; + +Index: qemu-2.5+dfsg/include/migration/vmstate.h +=================================================================== +--- qemu-2.5+dfsg.orig/include/migration/vmstate.h 2016-08-03 12:40:33.338707014 -0400 ++++ qemu-2.5+dfsg/include/migration/vmstate.h 2016-08-03 12:40:33.334706977 -0400 +@@ -777,8 +777,11 @@ + #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \ + VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size) + ++#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \ ++ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f))) ++ + #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \ +- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f))) ++ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0) + + #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \ + VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size) diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6833.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6833.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6833.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6833.patch 2016-11-07 15:54:17.000000000 +0000 @@ -0,0 +1,33 @@ +From 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 8 Aug 2016 18:08:31 +0530 +Subject: [PATCH] net: vmxnet3: check for device_active before write + +Vmxnet3 device emulator does not check if the device is active, +before using it for write. It leads to a use after free issue, +if the vmxnet3_io_bar0_write routine is called after the device is +deactivated. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Acked-by: Dmitry Fleytman +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/vmxnet3.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/vmxnet3.c 2016-11-07 10:54:15.751899520 -0500 ++++ qemu-2.5+dfsg/hw/net/vmxnet3.c 2016-11-07 10:54:15.747899476 -0500 +@@ -1128,6 +1128,10 @@ + { + VMXNET3State *s = opaque; + ++ if (!s->device_active) { ++ return; ++ } ++ + if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD, + VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) { + int tx_queue_idx = diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6834.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6834.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6834.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6834.patch 2016-11-07 15:54:25.000000000 +0000 @@ -0,0 +1,35 @@ +From 3b9717a62bf5882abaf6602c077cdbe63dffc35e Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 4 Aug 2016 13:00:14 +0530 +Subject: [PATCH] net: check fragment length during fragmentation + +Network transport abstraction layer supports packet fragmentation. +While fragmenting a packet, it checks for more fragments from +packet length and current fragment length. It is susceptible +to an infinite loop, if the current fragment length is zero. +Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Dmitry Fleytman +CC: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +(cherry picked from commit ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05) +Signed-off-by: Michael Roth +--- + hw/net/vmxnet_tx_pkt.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:23.347984625 -0500 ++++ qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:23.347984625 -0500 +@@ -543,7 +543,7 @@ + + fragment_offset += fragment_len; + +- } while (more_frags); ++ } while (fragment_len && more_frags); + + return true; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6835.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6835.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6835.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6835.patch 2016-11-07 15:54:32.000000000 +0000 @@ -0,0 +1,33 @@ +From 93060258ae748573ca7197204125a2670047896d Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 9 Aug 2016 16:49:47 +0530 +Subject: [PATCH] net: vmxnet: check IP header length + +Vmxnet3 device emulator when parsing packet headers does not check +for IP header length. It could lead to a OOB access when reading +further packet data. Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Dmitry Fleytman +Signed-off-by: Michael Roth +--- + hw/net/vmxnet_tx_pkt.c | 5 +++++ + 1 files changed, 5 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:30.316062695 -0500 ++++ qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:30.316062695 -0500 +@@ -177,6 +177,11 @@ + } + + l3_hdr->iov_len = IP_HDR_GET_LEN(l3_hdr->iov_base); ++ if(l3_hdr->iov_len < sizeof(struct ip_header)) ++ { ++ l3_hdr->iov_len = 0; ++ return false; ++ } + pkt->l4proto = ((struct ip_header *) l3_hdr->iov_base)->ip_p; + + /* copy optional IPv4 header data */ diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6836.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6836.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6836.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6836.patch 2016-11-07 15:54:39.000000000 +0000 @@ -0,0 +1,30 @@ +From fdda170e50b8af062cf5741e12c4fb5e57a2eacf Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Thu, 11 Aug 2016 00:42:20 +0530 +Subject: [PATCH] net: vmxnet: initialise local tx descriptor + +In Vmxnet3 device emulator while processing transmit(tx) queue, +when it reaches end of packet, it calls vmxnet3_complete_packet. +In that local 'txcq_descr' object is not initialised, which could +leak host memory bytes a guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Dmitry Fleytman +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/vmxnet3.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/vmxnet3.c 2016-11-07 10:54:37.404142108 -0500 ++++ qemu-2.5+dfsg/hw/net/vmxnet3.c 2016-11-07 10:54:37.396142018 -0500 +@@ -499,6 +499,7 @@ + + VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); + ++ memset(&txcq_descr, 0, sizeof(txcq_descr)); + txcq_descr.txdIdx = tx_ridx; + txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-6888.patch qemu-2.5+dfsg/debian/patches/CVE-2016-6888.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-6888.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-6888.patch 2016-11-07 15:54:46.000000000 +0000 @@ -0,0 +1,36 @@ +From cb3677cd50dcb07e74d0113337e40e9e3e14d728 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 22 Aug 2016 13:11:57 +0530 +Subject: [PATCH] net: vmxnet: use g_new for pkt initialisation + +When vmxnet transport abstraction layer initialises pkt, +the maximum fragmentation count is not checked. This could lead +to an integer overflow causing a NULL pointer dereference. +Replace g_malloc() with g_new() to catch the multiplication +overflow. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Acked-by: Dmitry Fleytman +Signed-off-by: Michael Roth +--- + hw/net/vmxnet_tx_pkt.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:43.924215158 -0500 ++++ qemu-2.5+dfsg/hw/net/vmxnet_tx_pkt.c 2016-11-07 10:54:43.916215068 -0500 +@@ -59,10 +59,9 @@ + { + struct VmxnetTxPkt *p = g_malloc0(sizeof *p); + +- p->vec = g_malloc((sizeof *p->vec) * +- (max_frags + VMXNET_TX_PKT_PL_START_FRAG)); ++ p->vec = g_new(struct iovec, max_frags + VMXNET_TX_PKT_PL_START_FRAG); + +- p->raw = g_malloc((sizeof *p->raw) * max_frags); ++ p->raw = g_new(struct iovec, max_frags); + + p->max_payload_frags = max_frags; + p->max_raw_frags = max_frags; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7116-1.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7116-1.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7116-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7116-1.patch 2016-11-07 16:19:06.000000000 +0000 @@ -0,0 +1,181 @@ +Backport of: + +From 917e9a9816f34787391059c89ba5fb770fe22028 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 30 Aug 2016 19:11:05 +0200 +Subject: [PATCH] 9pfs: forbid illegal path names + +Empty path components don't make sense for most commands and may cause +undefined behavior, depending on the backend. + +Also, the walk request described in the 9P spec [1] clearly shows that +the client is supposed to send individual path components: the official +linux client never sends portions of path containing the / character for +example. + +Moreover, the 9P spec [2] also states that a system can decide to restrict +the set of supported characters used in path components, with an explicit +mention "to remove slashes from name components". + +This patch introduces a new name_is_illegal() helper that checks the +names sent by the client are not empty and don't contain unwanted chars. +Since 9pfs is only supported on linux hosts, only the / character is +checked at the moment. When support for other hosts (AKA. win32) is added, +other chars may need to be blacklisted as well. + +If a client sends an illegal path component, the request will fail and +ENOENT is returned to the client. + +[1] http://man.cat-v.org/plan_9/5/walk +[2] http://man.cat-v.org/plan_9/5/intro + +Suggested-by: Peter Maydell +Backport of: + +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Peter Maydell +(cherry picked from commit fff39a7ad09da07ef490de05c92c91f22f8002f2) +Signed-off-by: Michael Roth +--- + hw/9pfs/9p.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 56 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 10:56:38.673500790 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 10:56:38.669500745 -0500 +@@ -1227,6 +1227,11 @@ + return offset; + } + ++static bool name_is_illegal(const char *name) ++{ ++ return !*name || strchr(name, '/') != NULL; ++} ++ + static void v9fs_walk(void *opaque) + { + int name_idx; +@@ -1260,6 +1265,10 @@ + if (err < 0) { + goto out_nofid; + } ++ if (name_is_illegal(wnames[i].data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } + offset += err; + } + } else if (nwnames > P9_MAXWELEM) { +@@ -1454,6 +1463,11 @@ + } + trace_v9fs_lcreate(pdu->tag, pdu->id, dfid, flags, mode, gid); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, dfid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2044,6 +2058,11 @@ + } + trace_v9fs_create(pdu->tag, pdu->id, fid, name.data, perm, mode); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -EINVAL; +@@ -2209,6 +2228,11 @@ + } + trace_v9fs_symlink(pdu->tag, pdu->id, dfid, name.data, symname.data, gid); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -EINVAL; +@@ -2284,6 +2308,11 @@ + } + trace_v9fs_link(pdu->tag, pdu->id, dfid, oldfid, name.data); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -ENOENT; +@@ -2366,6 +2395,12 @@ + if (err < 0) { + goto out_nofid; + } ++ ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -EINVAL; +@@ -2472,6 +2507,12 @@ + if (err < 0) { + goto out_nofid; + } ++ ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2584,6 +2625,11 @@ + goto out_err; + } + ++ if (name_is_illegal(old_name.data) || name_is_illegal(new_name.data)) { ++ err = -ENOENT; ++ goto out_err; ++ } ++ + v9fs_path_write_lock(s); + err = v9fs_complete_renameat(pdu, olddirfid, + &old_name, newdirfid, &new_name); +@@ -2796,6 +2842,11 @@ + } + trace_v9fs_mknod(pdu->tag, pdu->id, fid, mode, major, minor); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2949,6 +3000,11 @@ + } + trace_v9fs_mkdir(pdu->tag, pdu->id, fid, name.data, mode, gid); + ++ if (name_is_illegal(name.data)) { ++ err = -ENOENT; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7116-2.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7116-2.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7116-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7116-2.patch 2016-11-07 15:58:05.000000000 +0000 @@ -0,0 +1,160 @@ +Backport of: + +From b5191b2df7dc92a7a4f7fb4d18c37cf8aae38894 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 30 Aug 2016 19:13:11 +0200 +Subject: [PATCH] 9pfs: forbid . and .. in file names + +According to the 9P spec http://man.cat-v.org/plan_9/5/open about the +create request: + +The names . and .. are special; it is illegal to create files with these +names. + +This patch causes the create and lcreate requests to fail with EINVAL if +the file name is either "." or "..". + +Even if it isn't explicitly written in the spec, this patch extends the +checking to all requests that may cause a directory entry to be created: + + - mknod + - rename + - renameat + - mkdir + - link + - symlink + +The unlinkat request also gets patched for consistency (even if +rmdir("foo/..") is expected to fail according to POSIX.1-2001). + +The various error values come from the linux manual pages. + +Suggested-by: Peter Maydell +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Peter Maydell +(cherry picked from commit 805b5d98c649d26fc44d2d7755a97f18e62b438a) +Signed-off-by: Michael Roth +--- + hw/9pfs/9p.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 51 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 10:58:00.738420232 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 10:58:00.730420142 -0500 +@@ -1468,6 +1468,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, dfid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2063,6 +2068,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -EINVAL; +@@ -2233,6 +2243,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -EINVAL; +@@ -2313,6 +2328,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -ENOENT; +@@ -2401,6 +2421,16 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data)) { ++ err = -EINVAL; ++ goto out_nofid; ++ } ++ ++ if (!strcmp("..", name.data)) { ++ err = -ENOTEMPTY; ++ goto out_nofid; ++ } ++ + dfidp = get_fid(pdu, dfid); + if (dfidp == NULL) { + err = -EINVAL; +@@ -2513,6 +2543,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EISDIR; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; +@@ -2630,6 +2665,12 @@ + goto out_err; + } + ++ if (!strcmp(".", old_name.data) || !strcmp("..", old_name.data) || ++ !strcmp(".", new_name.data) || !strcmp("..", new_name.data)) { ++ err = -EISDIR; ++ goto out_err; ++ } ++ + v9fs_path_write_lock(s); + err = v9fs_complete_renameat(pdu, olddirfid, + &old_name, newdirfid, &new_name); +@@ -2847,6 +2888,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; +@@ -3005,6 +3051,11 @@ + goto out_nofid; + } + ++ if (!strcmp(".", name.data) || !strcmp("..", name.data)) { ++ err = -EEXIST; ++ goto out_nofid; ++ } ++ + fidp = get_fid(pdu, fid); + if (fidp == NULL) { + err = -ENOENT; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7116-3.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7116-3.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7116-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7116-3.patch 2016-11-07 15:58:41.000000000 +0000 @@ -0,0 +1,127 @@ +Backport of: + +From 85d0a53c583656e5e37a8317f9119933c796847f Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Tue, 30 Aug 2016 17:02:27 +0200 +Subject: [PATCH] 9pfs: handle walk of ".." in the root directory + +The 9P spec at http://man.cat-v.org/plan_9/5/intro says: + +All directories must support walks to the directory .. (dot-dot) meaning +parent directory, although by convention directories contain no explicit +entry for .. or . (dot). The parent of the root directory of a server's +tree is itself. + +This means that a client cannot walk further than the root directory +exported by the server. In other words, if the client wants to walk +"/.." or "/foo/../..", the server should answer like the request was +to walk "/". + +This patch just does that: +- we cache the QID of the root directory at attach time +- during the walk we compare the QID of each path component with the root + QID to detect if we're in a "/.." situation +- if so, we skip the current component and go to the next one + +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Signed-off-by: Peter Maydell +(cherry picked from commit 56f101ecce0eafd09e2daf1c4eeb1377d6959261) +Signed-off-by: Michael Roth +--- + hw/9pfs/9p.c | 40 +++++++++++++++++++++++++++++++--------- + hw/9pfs/9p.h | 1 + + 2 files changed, 32 insertions(+), 9 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 10:58:39.158850689 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 10:58:39.146850554 -0500 +@@ -979,6 +979,7 @@ + goto out; + } + err += offset; ++ memcpy(&s->root_qid, &qid, sizeof(qid)); + trace_v9fs_attach_return(pdu->tag, pdu->id, + qid.type, qid.version, qid.path); + /* +@@ -1232,6 +1233,14 @@ + return !*name || strchr(name, '/') != NULL; + } + ++static bool not_same_qid(const V9fsQID *qid1, const V9fsQID *qid2) ++{ ++ return ++ qid1->type != qid2->type || ++ qid1->version != qid2->version || ++ qid1->path != qid2->path; ++} ++ + static void v9fs_walk(void *opaque) + { + int name_idx; +@@ -1247,6 +1256,7 @@ + V9fsFidState *newfidp = NULL; + V9fsPDU *pdu = opaque; + V9fsState *s = pdu->s; ++ V9fsQID qid; + + err = pdu_unmarshal(pdu, offset, "ddw", &fid, &newfid, &nwnames); + if (err < 0) { +@@ -1280,6 +1290,12 @@ + err = -ENOENT; + goto out_nofid; + } ++ ++ err = fid_to_qid(pdu, fidp, &qid); ++ if (err < 0) { ++ goto out; ++ } ++ + v9fs_path_init(&dpath); + v9fs_path_init(&path); + /* +@@ -1289,16 +1305,22 @@ + v9fs_path_copy(&dpath, &fidp->path); + v9fs_path_copy(&path, &fidp->path); + for (name_idx = 0; name_idx < nwnames; name_idx++) { +- err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, &path); +- if (err < 0) { +- goto out; +- } +- err = v9fs_co_lstat(pdu, &path, &stbuf); +- if (err < 0) { +- goto out; ++ if (not_same_qid(&pdu->s->root_qid, &qid) || ++ strcmp("..", wnames[name_idx].data)) { ++ err = v9fs_co_name_to_path(pdu, &dpath, wnames[name_idx].data, ++ &path); ++ if (err < 0) { ++ goto out; ++ } ++ ++ err = v9fs_co_lstat(pdu, &path, &stbuf); ++ if (err < 0) { ++ goto out; ++ } ++ stat_to_qid(&stbuf, &qid); ++ v9fs_path_copy(&dpath, &path); + } +- stat_to_qid(&stbuf, &qids[name_idx]); +- v9fs_path_copy(&dpath, &path); ++ memcpy(&qids[name_idx], &qid, sizeof(qid)); + } + if (fid == newfid) { + BUG_ON(fidp->fid_type != P9_FID_NONE); +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.h +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.h 2016-11-07 10:58:39.158850689 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.h 2016-11-07 10:58:39.150850599 -0500 +@@ -219,6 +219,7 @@ + int32_t root_fid; + Error *migration_blocker; + V9fsConf fsconf; ++ V9fsQID root_qid; + } V9fsState; + + typedef struct V9fsStatState { diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7116-4.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7116-4.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7116-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7116-4.patch 2016-11-07 15:59:35.000000000 +0000 @@ -0,0 +1,52 @@ +Backport of: + +From 5e2c6fe7cc5314c13d96069328b603c40dc12b41 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 16 Sep 2016 11:44:49 +0200 +Subject: [PATCH] 9pfs: fix potential segfault during walk +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the call to fid_to_qid() returns an error, we will call v9fs_path_free() +on uninitialized paths. + +It is a regression introduced by the following commit: + +56f101ecce0e 9pfs: handle walk of ".." in the root directory + +Let's fix this by initializing dpath and path before calling fid_to_qid(). + +Signed-off-by: Greg Kurz +Reviewed-by: Cédric Le Goater +[groug: updated the changelog to indicate this is regression and to provide + the offending commit SHA1] +Signed-off-by: Greg Kurz + +(cherry picked from commit 13fd08e631ec0c3ff5ad1bdcb6a4474c7d9a024f) +Signed-off-by: Michael Roth +--- + hw/9pfs/9p.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 10:59:33.423458660 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 10:59:33.415458571 -0500 +@@ -1291,13 +1291,14 @@ + goto out_nofid; + } + ++ v9fs_path_init(&dpath); ++ v9fs_path_init(&path); ++ + err = fid_to_qid(pdu, fidp, &qid); + if (err < 0) { + goto out; + } + +- v9fs_path_init(&dpath); +- v9fs_path_init(&path); + /* + * Both dpath and path initially poin to fidp. + * Needed to handle request with nwnames == 0 diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7155.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7155.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7155.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7155.patch 2016-11-07 15:59:44.000000000 +0000 @@ -0,0 +1,83 @@ +From da99530e410349d672e792e820b355a648d430fa Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 31 Aug 2016 12:19:29 +0530 +Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor rings + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the page count for these rings to +an arbitrary value, leading to infinite loop or OOB access. +Add check to avoid it. + +Reported-by: Tom Victor +Signed-off-by: Prasad J Pandit +Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753) +Signed-off-by: Michael Roth +--- + hw/scsi/vmw_pvscsi.c | 19 +++++++++---------- + 1 files changed, 9 insertions(+), 10 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/vmw_pvscsi.c 2016-11-07 10:59:42.659562140 -0500 ++++ qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c 2016-11-07 10:59:42.655562095 -0500 +@@ -126,7 +126,7 @@ + return log; + } + +-static int ++static void + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -134,10 +134,6 @@ + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + +- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) +- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { +- return -1; +- } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -169,8 +165,6 @@ + + /* Flush ring state page changes */ + smp_wmb(); +- +- return 0; + } + + static int +@@ -720,7 +714,7 @@ + + trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); + for (i = 0; i < rc->cmpRingNumPages; i++) { +- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); ++ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); + } + } + +@@ -753,11 +747,16 @@ + + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + +- pvscsi_dbg_dump_tx_rings_config(rc); +- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { ++ if (!rc->reqRingNumPages ++ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES ++ || !rc->cmpRingNumPages ++ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { + return PVSCSI_COMMAND_PROCESSING_FAILED; + } + ++ pvscsi_dbg_dump_tx_rings_config(rc); ++ pvscsi_ring_init_data(&s->rings, rc); ++ + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7156.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7156.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7156.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7156.patch 2016-11-07 15:59:52.000000000 +0000 @@ -0,0 +1,61 @@ +From 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 6 Sep 2016 02:20:43 +0530 +Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list + +In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very +long time or go into an infinite loop due to two different bugs: + +1) the request descriptor data length is defined to be 64 bit. While +building SG list from a request descriptor, it gets truncated to 32bit +in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop +situation large 'dataLen' values when data_length is cast to uint32_t and +chunk_size becomes always zero. Fix this by removing the incorrect cast. + +2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the +element has a zero length. Get out of the loop early when this happens, +by introducing an upper limit on the number of SG list elements. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/vmw_pvscsi.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/vmw_pvscsi.c 2016-11-07 10:59:50.355648365 -0500 ++++ qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c 2016-11-07 10:59:50.347648276 -0500 +@@ -39,6 +39,8 @@ + #define PVSCSI_MAX_DEVS (64) + #define PVSCSI_MSIX_NUM_VECTORS (1) + ++#define PVSCSI_MAX_SG_ELEM 2048 ++ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +@@ -602,17 +604,16 @@ + static void + pvscsi_convert_sglist(PVSCSIRequest *r) + { +- int chunk_size; ++ uint32_t chunk_size, elmcnt = 0; + uint64_t data_length = r->req.dataLen; + PVSCSISGState sg = r->sg; +- while (data_length) { +- while (!sg.resid) { ++ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { ++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { + pvscsi_get_next_sg_elem(&sg); + trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, + r->sg.resid); + } +- assert(data_length > 0); +- chunk_size = MIN((unsigned) data_length, sg.resid); ++ chunk_size = MIN(data_length, sg.resid); + if (chunk_size) { + qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7161.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7161.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7161.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7161.patch 2016-11-07 16:02:30.000000000 +0000 @@ -0,0 +1,32 @@ +From a0d1cbdacff5df4ded16b753b38fdd9da6092968 Mon Sep 17 00:00:00 2001 +From: chaojianhu +Date: Tue, 9 Aug 2016 11:52:54 +0800 +Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite + +The .receive callback of xlnx.xps-ethernetlite doesn't check the length +of data before calling memcpy. As a result, the NetClientState object in +heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite +will be affected. + +Reported-by: chaojianhu +Signed-off-by: chaojianhu +Signed-off-by: Jason Wang +--- + hw/net/xilinx_ethlite.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/xilinx_ethlite.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/xilinx_ethlite.c 2016-11-07 11:02:27.945413976 -0500 ++++ qemu-2.5+dfsg/hw/net/xilinx_ethlite.c 2016-11-07 11:02:27.941413931 -0500 +@@ -194,6 +194,10 @@ + } + + D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase)); ++ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) { ++ D(qemu_log("ethlite packet is too big, size=%x\n", size)); ++ return -1; ++ } + memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size); + + s->regs[rxbase + R_RX_CTRL0] |= CTRL_S; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7170.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7170.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7170.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7170.patch 2016-11-07 16:02:38.000000000 +0000 @@ -0,0 +1,42 @@ +From 167d97a3def77ee2dbf6e908b0ecbfe2103977db Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 8 Sep 2016 18:15:54 +0530 +Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 files changed, 7 insertions(+), 5 deletions(-) + +Index: qemu-2.5+dfsg/hw/display/vmware_vga.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/vmware_vga.c 2016-11-07 11:02:35.901503114 -0500 ++++ qemu-2.5+dfsg/hw/display/vmware_vga.c 2016-11-07 11:02:35.897503070 -0500 +@@ -674,11 +674,13 @@ + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7421.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7421.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7421.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7421.patch 2016-11-07 16:02:46.000000000 +0000 @@ -0,0 +1,35 @@ +From d251157ac1928191af851d199a9ff255d330bec9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 14 Sep 2016 15:09:12 +0530 +Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size + +Vmware Paravirtual SCSI emulator while processing IO requests +could run into an infinite loop if 'pvscsi_ring_pop_req_descr' +always returned positive value. Limit IO loop to the ring size. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +--- + hw/scsi/vmw_pvscsi.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/scsi/vmw_pvscsi.c 2016-11-07 11:02:44.409598438 -0500 ++++ qemu-2.5+dfsg/hw/scsi/vmw_pvscsi.c 2016-11-07 11:02:44.401598348 -0500 +@@ -221,8 +221,11 @@ + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + +- if (ready_ptr != mgr->consumed_ptr) { ++ if (ready_ptr != mgr->consumed_ptr ++ && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = + mgr->consumed_ptr++ & mgr->txr_len_mask; + uint32_t next_ready_page = diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7466.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7466.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7466.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7466.patch 2016-11-07 16:05:54.000000000 +0000 @@ -0,0 +1,29 @@ +From b53dd4495ced2432a0b652ea895e651d07336f7e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 13 Sep 2016 03:20:03 -0700 +Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit + +If the xhci uses msix, it doesn't free the corresponding +memory, thus leading a memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-xhci.c | 3 +-- + 1 files changed, 1 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/hcd-xhci.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/hcd-xhci.c 2016-11-07 11:05:52.179702183 -0500 ++++ qemu-2.5+dfsg/hw/usb/hcd-xhci.c 2016-11-07 11:05:52.175702138 -0500 +@@ -3683,8 +3683,7 @@ + /* destroy msix memory region */ + if (dev->msix_table && dev->msix_pba + && dev->msix_entry_used) { +- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); +- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); ++ msix_uninit(dev, &xhci->mem, &xhci->mem); + } + + usb_bus_release(&xhci->bus); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7908.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7908.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7908.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7908.patch 2016-11-07 16:06:01.000000000 +0000 @@ -0,0 +1,49 @@ +From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:02:37 +0530 +Subject: [PATCH] net: mcf: limit buffer descriptor count + +ColdFire Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Paolo Bonzini +Signed-off-by: Jason Wang +--- + hw/net/mcf_fec.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/mcf_fec.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/mcf_fec.c 2016-11-07 11:05:59.203780880 -0500 ++++ qemu-2.5+dfsg/hw/net/mcf_fec.c 2016-11-07 11:05:59.191780746 -0500 +@@ -22,6 +22,7 @@ + #define DPRINTF(fmt, ...) do {} while(0) + #endif + ++#define FEC_MAX_DESC 1024 + #define FEC_MAX_FRAME_SIZE 2032 + + typedef struct { +@@ -148,7 +149,7 @@ + uint32_t addr; + mcf_fec_bd bd; + int frame_size; +- int len; ++ int len, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr; + +@@ -156,7 +157,7 @@ + ptr = frame; + frame_size = 0; + addr = s->tx_descriptor; +- while (1) { ++ while (descnt++ < FEC_MAX_DESC) { + mcf_fec_read_bd(&bd, addr); + DPRINTF("tx_bd %x flags %04x len %d data %08x\n", + addr, bd.flags, bd.length, bd.data); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7909.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7909.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7909.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7909.patch 2016-11-07 16:06:08.000000000 +0000 @@ -0,0 +1,34 @@ +From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 30 Sep 2016 00:27:33 +0530 +Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length + +The AMD PC-Net II emulator has set of control and status(CSR) +registers. Of these, CSR76 and CSR78 hold receive and transmit +descriptor ring length respectively. This ring length could range +from 1 to 65535. Setting ring length to zero leads to an infinite +loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/pcnet.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/pcnet.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/pcnet.c 2016-11-07 11:06:06.811866119 -0500 ++++ qemu-2.5+dfsg/hw/net/pcnet.c 2016-11-07 11:06:06.807866076 -0500 +@@ -1428,8 +1428,11 @@ + case 47: /* POLLINT */ + case 72: + case 74: ++ break; + case 76: /* RCVRL */ + case 78: /* XMTRL */ ++ val = (val > 0) ? val : 512; ++ break; + case 112: + if (CSR_STOP(s) || CSR_SPND(s)) + break; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-7994.patch qemu-2.5+dfsg/debian/patches/CVE-2016-7994.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-7994.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-7994.patch 2016-11-07 16:06:15.000000000 +0000 @@ -0,0 +1,32 @@ +From cb3a0522b694cc5bb6424497b3f828ccd28fd1dd Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sun, 18 Sep 2016 19:07:11 -0700 +Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +In virtio gpu resource create dispatch, if the pixman format is zero +it doesn't free the resource object allocated previously. Thus leading +a host memory leak issue. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/virtio-gpu.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/display/virtio-gpu.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/display/virtio-gpu.c 2016-11-07 11:06:13.399939931 -0500 ++++ qemu-2.5+dfsg/hw/display/virtio-gpu.c 2016-11-07 11:06:13.399939931 -0500 +@@ -322,6 +322,7 @@ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: host couldn't handle guest format %d\n", + __func__, c2d.format); ++ g_free(res); + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8576.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8576.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8576.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8576.patch 2016-11-07 16:09:31.000000000 +0000 @@ -0,0 +1,65 @@ +From 05f43d44e4bc26611ce25fd7d726e483f73363ce Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 10 Oct 2016 12:46:22 +0200 +Subject: [PATCH] xhci: limit the number of link trbs we are willing to process + +Needed to avoid we run in circles forever in case the guest builds +an endless loop with link trbs. + +Reported-by: Li Qiang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 files changed, 10 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/usb/hcd-xhci.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/usb/hcd-xhci.c 2016-11-07 11:09:29.290134653 -0500 ++++ qemu-2.5+dfsg/hw/usb/hcd-xhci.c 2016-11-07 11:09:29.286134609 -0500 +@@ -52,6 +52,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -996,6 +998,7 @@ + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1022,6 +1025,9 @@ + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1039,6 +1045,7 @@ + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1054,6 +1061,9 @@ + type = TRB_TYPE(trb); + + if (type == TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8577.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8577.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8577.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8577.patch 2016-11-07 16:10:18.000000000 +0000 @@ -0,0 +1,38 @@ +Backport of: + +From e95c9a493a5a8d6f969e86c9f19f80ffe6587e19 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read + +In 9pfs read dispatch function, it doesn't free two QEMUIOVector +object thus causing potential memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 5 +++-- + 1 files changed, 3 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:10:16.790666841 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:10:16.786666796 -0500 +@@ -1784,14 +1784,15 @@ + if (len < 0) { + /* IO error return the error */ + err = len; +- goto out; ++ goto out_free_iovec; + } + } while (count < max_count && len > 0); + err = pdu_marshal(pdu, offset, "d", count); + if (err < 0) { +- goto out; ++ goto out_free_iovec; + } + err += offset + count; ++out_free_iovec: + qemu_iovec_destroy(&qiov); + qemu_iovec_destroy(&qiov_full); + } else if (fidp->fid_type == P9_FID_XATTR) { diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8578.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8578.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8578.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8578.patch 2016-11-07 16:11:30.000000000 +0000 @@ -0,0 +1,57 @@ +Backport of: + +From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: allocate space for guest originated empty strings + +If a guest sends an empty string paramater to any 9P operation, the current +code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. + +This is unfortunate because it can cause NULL pointer dereference to happen +at various locations in the 9pfs code. And we don't want to check str->data +everywhere we pass it to strcmp() or any other function which expects a +dereferenceable pointer. + +This patch enforces the allocation of genuine C empty strings instead, so +callers don't have to bother. + +Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if +the returned string is empty. It now uses v9fs_string_size() since +name.data cannot be NULL anymore. + +Signed-off-by: Li Qiang +[groug, rewritten title and changelog, + fix empty string check in v9fs_xattrwalk()] +Signed-off-by: Greg Kurz +--- + fsdev/9p-iov-marshal.c | 2 +- + hw/9pfs/9p.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Index: qemu-2.5+dfsg/fsdev/virtio-9p-marshal.c +=================================================================== +--- qemu-2.5+dfsg.orig/fsdev/virtio-9p-marshal.c 2016-11-07 11:11:27.875463265 -0500 ++++ qemu-2.5+dfsg/fsdev/virtio-9p-marshal.c 2016-11-07 11:11:27.867463174 -0500 +@@ -165,7 +165,7 @@ + str->data = g_malloc(str->size + 1); + copied = v9fs_unpack(str->data, out_sg, out_num, offset, + str->size); +- if (copied > 0) { ++ if (copied >= 0) { + str->data[str->size] = 0; + } else { + v9fs_string_free(str); +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:11:27.875463265 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:11:27.867463174 -0500 +@@ -3134,7 +3134,7 @@ + goto out; + } + v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); +- if (name.data == NULL) { ++ if (!v9fs_string_size(&name)) { + /* + * listxattr request. Get the size first + */ diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8668.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8668.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8668.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8668.patch 2016-11-07 16:11:42.000000000 +0000 @@ -0,0 +1,33 @@ +From 8caed3d564672e8bc6d2e4c6a35228afd01f4723 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 12 Oct 2016 14:40:55 +0530 +Subject: [PATCH] net: rocker: set limit to DMA buffer size + +Rocker network switch emulator has test registers to help debug +DMA operations. While testing host DMA access, a buffer address +is written to register 'TEST_DMA_ADDR' and its size is written to +register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT +test, if DMA buffer size was greater than 'INT_MAX', it leads to +an invalid buffer access. Limit the DMA buffer size to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Reviewed-by: Jiri Pirko +Signed-off-by: Jason Wang +--- + hw/net/rocker/rocker.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/net/rocker/rocker.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/net/rocker/rocker.c 2016-11-07 11:11:40.227601656 -0500 ++++ qemu-2.5+dfsg/hw/net/rocker/rocker.c 2016-11-07 11:11:40.223601611 -0500 +@@ -852,7 +852,7 @@ + rocker_msix_irq(r, val); + break; + case ROCKER_TEST_DMA_SIZE: +- r->test_dma_size = val; ++ r->test_dma_size = val & 0xFFFF; + break; + case ROCKER_TEST_DMA_ADDR + 4: + r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8909.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8909.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8909.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8909.patch 2016-11-07 16:11:49.000000000 +0000 @@ -0,0 +1,35 @@ +From 0c0fc2b5fd534786051889459848764edd798050 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 20 Oct 2016 13:10:24 +0530 +Subject: [PATCH] audio: intel-hda: check stream entry count during transfer + +Intel HDA emulator uses stream of buffers during DMA data +transfers. Each entry has buffer length and buffer pointer +position, which are used to derive bytes to 'copy'. If this +length and buffer pointer were to be same, 'copy' could be +set to zero(0), leading to an infinite loop. Add check to +avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Reviewed-by: Stefan Hajnoczi +Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/audio/intel-hda.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/audio/intel-hda.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/audio/intel-hda.c 2016-11-07 11:11:47.279680666 -0500 ++++ qemu-2.5+dfsg/hw/audio/intel-hda.c 2016-11-07 11:11:47.275680621 -0500 +@@ -414,7 +414,8 @@ + } + + left = len; +- while (left > 0) { ++ s = st->bentries; ++ while (left > 0 && s-- > 0) { + copy = left; + if (copy > st->bsize - st->lpib) + copy = st->bsize - st->lpib; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-8910.patch qemu-2.5+dfsg/debian/patches/CVE-2016-8910.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-8910.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-8910.patch 2016-11-07 16:11:52.000000000 +0000 @@ -0,0 +1,31 @@ +From c7c35916692fe010fef25ac338443d3fe40be225 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 21 Oct 2016 17:39:29 +0530 +Subject: [PATCH] net: rtl8139: limit processing of ring descriptors + +RTL8139 ethernet controller in C+ mode supports multiple +descriptor rings, each with maximum of 64 descriptors. While +processing transmit descriptor ring in 'rtl8139_cplus_transmit', +it does not limit the descriptor count and runs forever. Add +check to avoid it. + +Reported-by: Andrew Henderson +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/rtl8139.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.6.1+dfsg/hw/net/rtl8139.c +=================================================================== +--- qemu-2.6.1+dfsg.orig/hw/net/rtl8139.c 2016-11-07 09:30:13.755409813 -0500 ++++ qemu-2.6.1+dfsg/hw/net/rtl8139.c 2016-11-07 09:30:13.751409768 -0500 +@@ -2379,7 +2379,7 @@ + { + int txcount = 0; + +- while (rtl8139_cplus_transmit_one(s)) ++ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) + { + ++txcount; + } diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9101.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9101.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9101.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9101.patch 2016-11-07 16:12:00.000000000 +0000 @@ -0,0 +1,30 @@ +From 2634ab7fe29b3f75d0865b719caf8f310d634aae Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sat, 8 Oct 2016 05:07:25 -0700 +Subject: [PATCH] net: eepro100: fix memory leak in device uninit + +The exit dispatch of eepro100 network card device doesn't free +the 's->vmstate' field which was allocated in device realize thus +leading a host memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Signed-off-by: Jason Wang +--- + hw/net/eepro100.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index bab4dbf..4bf71f2 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev) + EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev); + + vmstate_unregister(&pci_dev->qdev, s->vmstate, s); ++ g_free(s->vmstate); + eeprom93xx_free(&pci_dev->qdev, s->eeprom); + qemu_del_nic(s->nic); + } +-- +1.7.0.4 + diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9102.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9102.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9102.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9102.patch 2016-11-07 16:13:29.000000000 +0000 @@ -0,0 +1,33 @@ +Backport of: + +From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate + +The 'fs.xattr.value' field in V9fsFidState object doesn't consider the +situation that this field has been allocated previously. Every time, it +will be allocated directly. This leads to a host memory leak issue if +the client sends another Txattrcreate message with the same fid number +before the fid from the previous time got clunked. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, updated the changelog to indicate how the leak can occur] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:13:27.464803124 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:13:27.456803034 -0500 +@@ -3243,6 +3243,7 @@ + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); ++ g_free(xattr_fidp->fs.xattr.value); + xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9103.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9103.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9103.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9103.patch 2016-11-07 16:13:05.000000000 +0000 @@ -0,0 +1,31 @@ +Backport of: + +From eb687602853b4ae656e9236ee4222609f3a6887d Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix information leak in xattr read + +9pfs uses g_malloc() to allocate the xattr memory space, if the guest +reads this memory before writing to it, this will leak host heap memory +to the guest. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:13:03.516534811 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:13:03.512534766 -0500 +@@ -3243,7 +3243,7 @@ + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); + out_nofid: diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9104.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9104.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9104.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9104.patch 2016-11-07 16:16:05.000000000 +0000 @@ -0,0 +1,89 @@ +Backport of: + +From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 1 Nov 2016 12:00:40 +0100 +Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest +originated offset: they must ensure this offset does not go beyond +the size of the extended attribute that was set in v9fs_xattrcreate(). +Unfortunately, the current code implement these checks with unsafe +calculations on 32 and 64 bit values, which may allow a malicious +guest to cause OOB access anyway. + +Fix this by comparing the offset and the xattr size, which are +both uint64_t, before trying to compute the effective number of bytes +to read or write. + +Suggested-by: Greg Kurz +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +Reviewed-By: Guido Günther +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 32 ++++++++++++-------------------- + 1 files changed, 12 insertions(+), 20 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:14:03.841210679 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:15:41.870308981 -0500 +@@ -1601,18 +1601,15 @@ + { + ssize_t err; + size_t offset = 7; +- int read_count; +- int64_t xattr_len; ++ uint64_t read_count; + +- xattr_len = fidp->fs.xattr.len; +- read_count = xattr_len - off; ++ if (fidp->fs.xattr.len < off) { ++ read_count = 0; ++ } else { ++ read_count = fidp->fs.xattr.len - off; ++ } + if (read_count > max_count) { + read_count = max_count; +- } else if (read_count < 0) { +- /* +- * read beyond XATTR value +- */ +- read_count = 0; + } + err = pdu_marshal(pdu, offset, "d", read_count); + if (err < 0) { +@@ -1937,23 +1934,18 @@ + { + int i, to_copy; + ssize_t err = 0; +- int write_count; +- int64_t xattr_len; ++ uint64_t write_count; + size_t offset = 7; + + +- xattr_len = fidp->fs.xattr.len; +- write_count = xattr_len - off; +- if (write_count > count) { +- write_count = count; +- } else if (write_count < 0) { +- /* +- * write beyond XATTR value len specified in +- * xattrcreate +- */ ++ if (fidp->fs.xattr.len < off) { + err = -ENOSPC; + goto out; + } ++ write_count = fidp->fs.xattr.len - off; ++ if (write_count > count) { ++ write_count = count; ++ } + err = pdu_marshal(pdu, offset, "d", write_count); + if (err < 0) { + return err; diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9105.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9105.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9105.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9105.patch 2016-11-07 16:16:51.000000000 +0000 @@ -0,0 +1,31 @@ +Backport of: + +From 4c1586787ff43c9acd18a56c12d720e3e6be9f7c Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_link + +The v9fs_link() function keeps a reference on the source fid object. This +causes a memory leak since the reference never goes down to 0. This patch +fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:16:49.427065876 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:16:49.411065696 -0500 +@@ -2364,6 +2364,7 @@ + if (!err) { + err = offset; + } ++ put_fid(pdu, oldfidp); + out: + put_fid(pdu, dfidp); + out_nofid: diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2016-9106.patch qemu-2.5+dfsg/debian/patches/CVE-2016-9106.patch --- qemu-2.5+dfsg/debian/patches/CVE-2016-9106.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2016-9106.patch 2016-11-14 12:30:35.000000000 +0000 @@ -0,0 +1,32 @@ +Backport of: + +From fdfcc9aeea1492f4b819a24c94dfb678145b1bf9 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_write + +If an error occurs when marshalling the transfer length to the guest, the +v9fs_write() function doesn't free an IO vector, thus leading to a memory +leak. This patch fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +Index: qemu-2.5+dfsg/hw/9pfs/virtio-9p.c +=================================================================== +--- qemu-2.5+dfsg.orig/hw/9pfs/virtio-9p.c 2016-11-07 11:17:11.351311512 -0500 ++++ qemu-2.5+dfsg/hw/9pfs/virtio-9p.c 2016-11-07 11:17:11.347311467 -0500 +@@ -2040,7 +2040,7 @@ + offset = 7; + err = pdu_marshal(pdu, offset, "d", total); + if (err < 0) { +- goto out; ++ goto out_qiov; + } + err += offset; + trace_v9fs_write_return(pdu->tag, pdu->id, total, err); diff -Nru qemu-2.5+dfsg/debian/patches/series qemu-2.5+dfsg/debian/patches/series --- qemu-2.5+dfsg/debian/patches/series 2016-04-11 20:16:40.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/series 2016-11-07 16:16:55.000000000 +0000 @@ -28,3 +28,66 @@ block-set-device-list-tqe-prev-to-NULL vhost-user-interrupt-management-fixes.patch qemu-seccomp-sysinfo.patch +CVE-2016-2391.patch +CVE-2016-2392.patch +CVE-2016-2538.patch +CVE-2016-2841.patch +CVE-2016-2857.patch +CVE-2016-2858.patch +CVE-2016-3710.patch +CVE-2016-3712.patch +CVE-2016-4001.patch +CVE-2016-4002.patch +CVE-2016-4020.patch +CVE-2016-4037.patch +ubuntu/arm-qmp-add-query-gic-capabilities-interface.patch +ubuntu/arm-enhance-kvm_arm_create_scratch_host_vcpu.patch +ubuntu/kvm-add-kvm_device_supported-helper-function.patch +ubuntu/arm-implement-query-gic-capabilities.patch +CVE-2016-4439.patch +CVE-2016-4441.patch +CVE-2016-4454.patch +CVE-2016-4453.patch +CVE-2016-4952.patch +CVE-2016-5105.patch +CVE-2016-5106.patch +CVE-2016-5107.patch +CVE-2016-5126.patch +CVE-2016-5238.patch +CVE-2016-5337.patch +CVE-2016-5338.patch +CVE-2016-5403.patch +CVE-2016-6351.patch +CVE-2016-5403-2.patch +CVE-2016-5403-3.patch +CVE-2016-5403-4.patch +CVE-2016-6833.patch +CVE-2016-6834.patch +CVE-2016-6835.patch +CVE-2016-6836.patch +CVE-2016-6888.patch +CVE-2016-7116-1.patch +CVE-2016-7116-2.patch +CVE-2016-7116-3.patch +CVE-2016-7116-4.patch +CVE-2016-7155.patch +CVE-2016-7156.patch +CVE-2016-7161.patch +CVE-2016-7170.patch +CVE-2016-7421.patch +CVE-2016-7466.patch +CVE-2016-7908.patch +CVE-2016-7909.patch +CVE-2016-7994.patch +CVE-2016-8576.patch +CVE-2016-8577.patch +CVE-2016-8578.patch +CVE-2016-8668.patch +CVE-2016-8909.patch +CVE-2016-8910.patch +CVE-2016-9101.patch +CVE-2016-9103.patch +CVE-2016-9102.patch +CVE-2016-9104.patch +CVE-2016-9105.patch +CVE-2016-9106.patch diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/arm-enhance-kvm_arm_create_scratch_host_vcpu.patch qemu-2.5+dfsg/debian/patches/ubuntu/arm-enhance-kvm_arm_create_scratch_host_vcpu.patch --- qemu-2.5+dfsg/debian/patches/ubuntu/arm-enhance-kvm_arm_create_scratch_host_vcpu.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/ubuntu/arm-enhance-kvm_arm_create_scratch_host_vcpu.patch 2016-06-03 20:23:51.000000000 +0000 @@ -0,0 +1,78 @@ +From: Peter Xu +Date: Wed, 30 Mar 2016 17:27:24 +0100 +Subject: [PATCH] arm: enhance kvm_arm_create_scratch_host_vcpu + +Support passing NULL for the first parameter (with the same effect +as passing an empty array) and for the third parameter (meaning +that we should not attempt to init the vcpu). + +Signed-off-by: Peter Xu +Acked-by: Sergey Fedorov +Message-id: 1458788142-17509-3-git-send-email-peterx@redhat.com +[PMM: tweaked commit message, comment] +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +Origin: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2f340e9c24e3af17ad376d27a41830387999c285 +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1566564 +Last-Updated: 2016-05-19 + +diff --git a/target-arm/kvm.c b/target-arm/kvm.c +index 969ab0b..3671032 100644 +--- a/target-arm/kvm.c ++++ b/target-arm/kvm.c +@@ -62,13 +62,18 @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try, + goto err; + } + ++ if (!init) { ++ /* Caller doesn't want the VCPU to be initialized, so skip it */ ++ goto finish; ++ } ++ + ret = ioctl(vmfd, KVM_ARM_PREFERRED_TARGET, init); + if (ret >= 0) { + ret = ioctl(cpufd, KVM_ARM_VCPU_INIT, init); + if (ret < 0) { + goto err; + } +- } else { ++ } else if (cpus_to_try) { + /* Old kernel which doesn't know about the + * PREFERRED_TARGET ioctl: we know it will only support + * creating one kind of guest CPU which is its preferred +@@ -85,8 +90,15 @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try, + if (ret < 0) { + goto err; + } ++ } else { ++ /* Treat a NULL cpus_to_try argument the same as an empty ++ * list, which means we will fail the call since this must ++ * be an old kernel which doesn't support PREFERRED_TARGET. ++ */ ++ goto err; + } + ++finish: + fdarray[0] = kvmfd; + fdarray[1] = vmfd; + fdarray[2] = cpufd; +diff --git a/target-arm/kvm_arm.h b/target-arm/kvm_arm.h +index 07f0c72..345233c 100644 +--- a/target-arm/kvm_arm.h ++++ b/target-arm/kvm_arm.h +@@ -124,9 +124,12 @@ void kvm_arm_reset_vcpu(ARMCPU *cpu); + * kvm_arm_create_scratch_host_vcpu: + * @cpus_to_try: array of QEMU_KVM_ARM_TARGET_* values (terminated with + * QEMU_KVM_ARM_TARGET_NONE) to try as fallback if the kernel does not +- * know the PREFERRED_TARGET ioctl ++ * know the PREFERRED_TARGET ioctl. Passing NULL is the same as passing ++ * an empty array. + * @fdarray: filled in with kvmfd, vmfd, cpufd file descriptors in that order +- * @init: filled in with the necessary values for creating a host vcpu ++ * @init: filled in with the necessary values for creating a host ++ * vcpu. If NULL is provided, will not init the vCPU (though the cpufd ++ * will still be set up). + * + * Create a scratch vcpu in its own VM of the type preferred by the host + * kernel (as would be used for '-cpu host'), for purposes of probing it diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/arm-implement-query-gic-capabilities.patch qemu-2.5+dfsg/debian/patches/ubuntu/arm-implement-query-gic-capabilities.patch --- qemu-2.5+dfsg/debian/patches/ubuntu/arm-implement-query-gic-capabilities.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/ubuntu/arm-implement-query-gic-capabilities.patch 2016-06-03 20:23:51.000000000 +0000 @@ -0,0 +1,88 @@ +From: Peter Xu +Date: Wed, 30 Mar 2016 17:27:24 +0100 +Subject: [PATCH] arm: implement query-gic-capabilities + +For emulated GIC capabilities, currently only gicv2 is supported. We +need to add gicv3 in when emulated gicv3 ready. For KVM accelerated ARM +VM, we detect the capability bits by creating a scratch VM. + +Signed-off-by: Peter Xu +Acked-by: Sergey Fedorov +Message-id: 1458788142-17509-5-git-send-email-peterx@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +Origin: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=db31e49a565fc4c165fd98201721b313c3412c1f +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1566564 +Last-Updated: 2016-05-19 + +diff --git a/target-arm/monitor.c b/target-arm/monitor.c +index 4c9bef3..1ee59a2 100644 +--- a/target-arm/monitor.c ++++ b/target-arm/monitor.c +@@ -21,8 +21,64 @@ + */ + #include "qemu/osdep.h" + #include "qmp-commands.h" ++#include "hw/boards.h" ++#include "kvm_arm.h" ++ ++static GICCapability *gic_cap_new(int version) ++{ ++ GICCapability *cap = g_new0(GICCapability, 1); ++ cap->version = version; ++ /* by default, support none */ ++ cap->emulated = false; ++ cap->kernel = false; ++ return cap; ++} ++ ++static GICCapabilityList *gic_cap_list_add(GICCapabilityList *head, ++ GICCapability *cap) ++{ ++ GICCapabilityList *item = g_new0(GICCapabilityList, 1); ++ item->value = cap; ++ item->next = head; ++ return item; ++} ++ ++static inline void gic_cap_kvm_probe(GICCapability *v2, GICCapability *v3) ++{ ++#ifdef CONFIG_KVM ++ int fdarray[3]; ++ ++ if (!kvm_arm_create_scratch_host_vcpu(NULL, fdarray, NULL)) { ++ return; ++ } ++ ++ /* Test KVM GICv2 */ ++ if (kvm_device_supported(fdarray[1], KVM_DEV_TYPE_ARM_VGIC_V2)) { ++ v2->kernel = true; ++ } ++ ++ /* Test KVM GICv3 */ ++ if (kvm_device_supported(fdarray[1], KVM_DEV_TYPE_ARM_VGIC_V3)) { ++ v3->kernel = true; ++ } ++ ++ kvm_arm_destroy_scratch_host_vcpu(fdarray); ++#endif ++} + + GICCapabilityList *qmp_query_gic_capabilities(Error **errp) + { +- return NULL; ++ GICCapabilityList *head = NULL; ++ GICCapability *v2 = gic_cap_new(2), *v3 = gic_cap_new(3); ++ ++ v2->emulated = true; ++ /* TODO: we'd change to true after we get emulated GICv3. */ ++ v3->emulated = false; ++ ++ gic_cap_kvm_probe(v2, v3); ++ ++ head = gic_cap_list_add(head, v2); ++ head = gic_cap_list_add(head, v3); ++ ++ return head; + } diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/arm-qmp-add-query-gic-capabilities-interface.patch qemu-2.5+dfsg/debian/patches/ubuntu/arm-qmp-add-query-gic-capabilities-interface.patch --- qemu-2.5+dfsg/debian/patches/ubuntu/arm-qmp-add-query-gic-capabilities-interface.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/ubuntu/arm-qmp-add-query-gic-capabilities-interface.patch 2016-06-03 20:23:51.000000000 +0000 @@ -0,0 +1,194 @@ +From: Peter Xu +Date: Wed, 30 Mar 2016 17:27:24 +0100 +Subject: [PATCH] arm: qmp: add query-gic-capabilities interface + +This patch add "query-gic-capabilities" but does not implement it. The +command is ARM-only. The command will return a list of GICCapability +structs that describes all GIC versions that current QEMU and system +support. + +Libvirt is possibly the first consumer of this new command. + +Before this patch, a libvirt user can successfully configure all kinds +of GIC devices for ARM guests, no matter whether current QEMU/kernel +supports them. If the specified GIC version/type is not supported, the +user will get an ambiguous "QEMU boot failure" error when trying to start +the VM. This is not user-friendly. + +With this patch, libvirt should be able to query which type (and which +version) of GIC device is supported. Using this information, libvirt +can warn the user during configuration of guests when specified GIC +device type is not supported. Or better, we can just list those versions +that we support, and filter out the unsupported ones. + +For example, if we got the query result: + +{"return": [{"emulated": false, "version": 3, "kernel": true}, + {"emulated": true, "version": 2, "kernel": false}]} + +then it means that we support emulated GIC version 2 using: + + qemu-system-aarch64 -M virt,accel=tcg,gic-version=2 ... + +or KVM-accelerated GIC version 3 using: + + qemu-system-aarch64 -M virt,accel=kvm,gic-version=3 ... + +If we specify other explicit GIC versions rather than the above, QEMU +will not be able to boot. + +The community is working on a more generic way to query these kinds of +information about valid values of machine properties. However, due to +the importance of supporting this specific use case, weecided to first +implement this ad-hoc one; then when the generic method is ready, we +can move on to that one smoothly. + +Signed-off-by: Peter Xu +Reviewed-by: Eric Blake +Message-id: 1458788142-17509-2-git-send-email-peterx@redhat.com +[PMM: tweaked commit message a bit; monitor.o is CONFIG_SOFTMMU only] +Signed-off-by: Peter Maydell + +Origin: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ae50a7702c871638c5b650f501325031dfc511cb +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1566564 +Last-Updated: 2016-05-19 + +Index: qemu.debian/monitor.c +=================================================================== +--- qemu.debian.orig/monitor.c ++++ qemu.debian/monitor.c +@@ -4243,3 +4243,11 @@ void qmp_dump_skeys(const char *filename + error_setg(errp, QERR_FEATURE_DISABLED, "dump-skeys"); + } + #endif ++ ++#ifndef TARGET_ARM ++GICCapabilityList *qmp_query_gic_capabilities(Error **errp) ++{ ++ error_setg(errp, QERR_FEATURE_DISABLED, "query-gic-capabilities"); ++ return NULL; ++} ++#endif +Index: qemu.debian/qapi-schema.json +=================================================================== +--- qemu.debian.orig/qapi-schema.json ++++ qemu.debian/qapi-schema.json +@@ -3971,3 +3971,39 @@ + ## + { 'enum': 'ReplayMode', + 'data': [ 'none', 'record', 'play' ] } ++ ++## ++# @GICCapability: ++# ++# The struct describes capability for a specific GIC (Generic ++# Interrupt Controller) version. These bits are not only decided by ++# QEMU/KVM software version, but also decided by the hardware that ++# the program is running upon. ++# ++# @version: version of GIC to be described. Currently, only 2 and 3 ++# are supported. ++# ++# @emulated: whether current QEMU/hardware supports emulated GIC ++# device in user space. ++# ++# @kernel: whether current QEMU/hardware supports hardware ++# accelerated GIC device in kernel. ++# ++# Since: 2.6 ++## ++{ 'struct': 'GICCapability', ++ 'data': { 'version': 'int', ++ 'emulated': 'bool', ++ 'kernel': 'bool' } } ++ ++## ++# @query-gic-capabilities: ++# ++# This command is ARM-only. It will return a list of GICCapability ++# objects that describe its capability bits. ++# ++# Returns: a list of GICCapability objects. ++# ++# Since: 2.6 ++## ++{ 'command': 'query-gic-capabilities', 'returns': ['GICCapability'] } +Index: qemu.debian/qmp-commands.hx +=================================================================== +--- qemu.debian.orig/qmp-commands.hx ++++ qemu.debian/qmp-commands.hx +@@ -4745,3 +4745,30 @@ Example: + {"type": 0, "out-pport": 0, "pport": 0, "vlan-id": 3840, + "pop-vlan": 1, "id": 251658240} + ]} ++ ++EQMP ++ ++#if defined TARGET_ARM ++ { ++ .name = "query-gic-capabilities", ++ .args_type = "", ++ .mhandler.cmd_new = qmp_marshal_query_gic_capabilities, ++ }, ++#endif ++ ++SQMP ++query-gic-capabilities ++--------------- ++ ++Return a list of GICCapability objects, describing supported GIC ++(Generic Interrupt Controller) versions. ++ ++Arguments: None ++ ++Example: ++ ++-> { "execute": "query-gic-capabilities" } ++<- { "return": [{ "version": 2, "emulated": true, "kernel": false }, ++ { "version": 3, "emulated": false, "kernel": true } ] } ++ ++EQMP +Index: qemu.debian/target-arm/monitor.c +=================================================================== +--- /dev/null ++++ qemu.debian/target-arm/monitor.c +@@ -0,0 +1,28 @@ ++/* ++ * QEMU monitor.c for ARM. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. ++ */ ++#include "qemu/osdep.h" ++#include "qmp-commands.h" ++ ++GICCapabilityList *qmp_query_gic_capabilities(Error **errp) ++{ ++ return NULL; ++} +Index: qemu.debian/target-arm/Makefile.objs +=================================================================== +--- qemu.debian.orig/target-arm/Makefile.objs ++++ qemu.debian/target-arm/Makefile.objs +@@ -1,5 +1,5 @@ + obj-y += arm-semi.o +-obj-$(CONFIG_SOFTMMU) += machine.o ++obj-$(CONFIG_SOFTMMU) += machine.o monitor.o + obj-$(CONFIG_KVM) += kvm.o + obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o + obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/define-ubuntu-machine-types.patch qemu-2.5+dfsg/debian/patches/ubuntu/define-ubuntu-machine-types.patch --- qemu-2.5+dfsg/debian/patches/ubuntu/define-ubuntu-machine-types.patch 2016-03-15 23:16:54.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/ubuntu/define-ubuntu-machine-types.patch 2016-11-14 12:25:50.000000000 +0000 @@ -1,8 +1,29 @@ -Index: qemu/hw/i386/pc_piix.c -=================================================================== ---- qemu.orig/hw/i386/pc_piix.c -+++ qemu/hw/i386/pc_piix.c -@@ -473,7 +473,7 @@ static void pc_i440fx_2_5_machine_option +Description: Carry Ubuntu specific machine types + +Since Ubuntu is a downstream of qemu carrying patches it needs custom machine +types to be able to identify and manage the delta that might affect machine +types. + +This is an important piece to keep cross release migration supported for any +downstream. + +Since the p->t transition these types are mostly stable copies of the upstream +type (in the past this was more unstable upstream, so there was more delta), +but they need to stay specific to reflect the delta we have. And even more so +to have something to base off for affecting SRU changes. + +Package maintainers please see https://wiki.ubuntu.com/QemuKVMMigration when +maintaining this patch on SRU, merge or other packaging activity. + +Original-Author: Serge Hallyn +Original-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1304107 +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1621042 +Forwarded: no + +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -473,7 +473,7 @@ { pc_i440fx_machine_options(m); m->alias = "pc"; @@ -11,7 +32,7 @@ } DEFINE_I440FX_MACHINE(v2_5, "pc-i440fx-2.5", NULL, -@@ -1057,3 +1057,47 @@ static void xenfv_machine_options(Machin +@@ -1057,3 +1057,54 @@ DEFINE_PC_MACHINE(xenfv, "xenfv", pc_xen_hvm_init, xenfv_machine_options); #endif @@ -19,20 +40,20 @@ +/* Ubuntu machine types */ +static void pc_trusty_machine_options(MachineClass *m) +{ -+ pc_i440fx_machine_options(m); ++ pc_i440fx_2_0_machine_options(m); + m->desc = "Ubuntu 14.04 PC (i440FX + PIIX, 1996)"; +} +DEFINE_I440FX_MACHINE(trusty, "pc-i440fx-trusty", pc_compat_2_0, -+ pc_trusty_machine_options) ++ pc_trusty_machine_options) + +static void pc_utopic_machine_options(MachineClass *m) +{ -+ pc_i440fx_machine_options(m); ++ pc_i440fx_2_1_machine_options(m); + m->desc = "Ubuntu 14.10 PC (i440FX + PIIX, 1996)"; + m->default_display = "std"; +} -+DEFINE_I440FX_MACHINE(utopic, "pc-i440fx-utopic", pc_compat_2_0, -+ pc_utopic_machine_options) ++DEFINE_I440FX_MACHINE(utopic, "pc-i440fx-utopic", pc_compat_2_1, ++ pc_utopic_machine_options) + +static void pc_vivid_machine_options(MachineClass *m) +{ @@ -40,12 +61,10 @@ + pc_i440fx_machine_options(m); + m->desc = "Ubuntu 15.04 PC (i440FX + PIIX, 1996)", + m->default_display = "std"; -+ m->alias = "ubuntu"; -+ m->is_default = 1; +} + +DEFINE_I440FX_MACHINE(vivid, "pc-i440fx-vivid", pc_compat_2_3, -+ pc_vivid_machine_options); ++ pc_vivid_machine_options); + +static void pc_wily_machine_options(MachineClass *m) +{ @@ -53,9 +72,121 @@ + pc_i440fx_machine_options(m); + m->desc = "Ubuntu 15.04 PC (i440FX + PIIX, 1996)", + m->default_display = "std"; ++} ++ ++DEFINE_I440FX_MACHINE(wily, "pc-i440fx-wily", pc_compat_2_3, ++ pc_wily_machine_options); ++ ++static void pc_xenial_machine_options(MachineClass *m) ++{ ++ pc_i440fx_2_5_machine_options(m); ++ m->desc = "Ubuntu 16.04 PC (i440FX + PIIX, 1996)", + m->alias = "ubuntu"; + m->is_default = 1; +} + -+DEFINE_I440FX_MACHINE(wily, "pc-i440fx-wily", pc_compat_2_3, -+ pc_wily_machine_options); ++DEFINE_I440FX_MACHINE(xenial, "pc-i440fx-xenial", NULL, ++ pc_xenial_machine_options); +--- a/hw/i386/pc_q35.c ++++ b/hw/i386/pc_q35.c +@@ -485,3 +485,14 @@ + + DEFINE_Q35_MACHINE(v1_4, "pc-q35-1.4", pc_compat_1_4, + pc_q35_1_4_machine_options); ++ ++/* Ubuntu machine types */ ++static void pc_q35_xenial_machine_options(MachineClass *m) ++{ ++ pc_q35_2_5_machine_options(m); ++ m->desc = "Ubuntu 16.04 PC (Q35 + ICH9, 2009)"; ++ /* The ubuntu alias and default is on a i440fx type */ ++ m->alias = NULL; ++} ++DEFINE_Q35_MACHINE(xenial, "pc-q35-xenial", NULL, ++ pc_q35_xenial_machine_options); +--- a/hw/ppc/spapr.c ++++ b/hw/ppc/spapr.c +@@ -2439,8 +2439,6 @@ + + mc->name = "pseries-2.5"; + mc->desc = "pSeries Logical Partition (PAPR compliant) v2.5"; +- mc->alias = "pseries"; +- mc->is_default = 1; + smc->dr_lmb_enabled = true; + } + +@@ -2450,6 +2448,25 @@ + .class_init = spapr_machine_2_5_class_init, + }; + ++/* Ubuntu machine types */ ++static void spapr_machine_xenial_class_init(ObjectClass *oc, void *data) ++{ ++ MachineClass *mc = MACHINE_CLASS(oc); ++ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(oc); ++ ++ mc->name = "pseries-xenial"; ++ mc->desc = "Ubuntu 16.04 pSeries Logical Partition (PAPR compliant)"; ++ mc->alias = "pseries"; ++ mc->is_default = 1; ++ smc->dr_lmb_enabled = true; ++} ++ ++static const TypeInfo spapr_machine_xenial_info = { ++ .name = MACHINE_TYPE_NAME("pseries-xenial"), ++ .parent = TYPE_SPAPR_MACHINE, ++ .class_init = spapr_machine_xenial_class_init, ++}; ++ + static void spapr_machine_register_types(void) + { + type_register_static(&spapr_machine_info); +@@ -2458,6 +2475,7 @@ + type_register_static(&spapr_machine_2_3_info); + type_register_static(&spapr_machine_2_4_info); + type_register_static(&spapr_machine_2_5_info); ++ type_register_static(&spapr_machine_xenial_info); + } + + type_init(spapr_machine_register_types) +--- a/hw/s390x/s390-virtio-ccw.c ++++ b/hw/s390x/s390-virtio-ccw.c +@@ -297,9 +297,7 @@ + { + MachineClass *mc = MACHINE_CLASS(oc); + +- mc->alias = "s390-ccw-virtio"; + mc->desc = "VirtIO-ccw based S390 machine v2.5"; +- mc->is_default = 1; + } + + static const TypeInfo ccw_machine_2_5_info = { +@@ -308,11 +306,28 @@ + .class_init = ccw_machine_2_5_class_init, + }; + ++/* Ubuntu machine types */ ++static void ccw_machine_xenial_class_init(ObjectClass *oc, void *data) ++{ ++ MachineClass *mc = MACHINE_CLASS(oc); ++ ++ mc->alias = "s390-ccw-virtio"; ++ mc->desc = "Ubuntu 16.04 VirtIO-ccw based S390 machine"; ++ mc->is_default = 1; ++} ++ ++static const TypeInfo ccw_machine_xenial_info = { ++ .name = MACHINE_TYPE_NAME("s390-ccw-virtio-xenial"), ++ .parent = TYPE_S390_CCW_MACHINE, ++ .class_init = ccw_machine_xenial_class_init, ++}; ++ + static void ccw_machine_register_types(void) + { + type_register_static(&ccw_machine_info); + type_register_static(&ccw_machine_2_4_info); + type_register_static(&ccw_machine_2_5_info); ++ type_register_static(&ccw_machine_xenial_info); + } + + type_init(ccw_machine_register_types) diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/kvm-add-kvm_device_supported-helper-function.patch qemu-2.5+dfsg/debian/patches/ubuntu/kvm-add-kvm_device_supported-helper-function.patch --- qemu-2.5+dfsg/debian/patches/ubuntu/kvm-add-kvm_device_supported-helper-function.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/ubuntu/kvm-add-kvm_device_supported-helper-function.patch 2016-06-03 20:23:51.000000000 +0000 @@ -0,0 +1,63 @@ +From: Peter Xu +Date: Wed, 30 Mar 2016 17:27:24 +0100 +Subject: [PATCH] kvm: add kvm_device_supported() helper function + +This can be used when probing whether KVM support specific device. Here, +a raw vmfd is used. + +Signed-off-by: Peter Xu +Acked-by: Sergey Fedorov +Message-id: 1458788142-17509-4-git-send-email-peterx@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +Origin: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=29039acf585615c6c37f8a1863a0a318ddd455cc +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1566564 +Last-Updated: 2016-05-19 + +diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h +index 6695fa7..0e18f15 100644 +--- a/include/sysemu/kvm.h ++++ b/include/sysemu/kvm.h +@@ -306,6 +306,15 @@ void kvm_device_access(int fd, int group, uint64_t attr, + */ + int kvm_create_device(KVMState *s, uint64_t type, bool test); + ++/** ++ * kvm_device_supported - probe whether KVM supports specific device ++ * ++ * @vmfd: The fd handler for VM ++ * @type: type of device ++ * ++ * @return: true if supported, otherwise false. ++ */ ++bool kvm_device_supported(int vmfd, uint64_t type); + + /* Arch specific hooks */ + +diff --git a/kvm-all.c b/kvm-all.c +index 44c0464..e7b66df 100644 +--- a/kvm-all.c ++++ b/kvm-all.c +@@ -2339,6 +2339,21 @@ int kvm_create_device(KVMState *s, uint64_t type, bool test) + return test ? 0 : create_dev.fd; + } + ++bool kvm_device_supported(int vmfd, uint64_t type) ++{ ++ struct kvm_create_device create_dev = { ++ .type = type, ++ .fd = -1, ++ .flags = KVM_CREATE_DEVICE_TEST, ++ }; ++ ++ if (ioctl(vmfd, KVM_CHECK_EXTENSION, KVM_CAP_DEVICE_CTRL) <= 0) { ++ return false; ++ } ++ ++ return (ioctl(vmfd, KVM_CREATE_DEVICE, &create_dev) >= 0); ++} ++ + int kvm_set_one_reg(CPUState *cs, uint64_t id, void *source) + { + struct kvm_one_reg reg;