Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2019-05-17 23:41:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Fri May 17 23:41:17 2019 rev:155 rq:703262 version:4.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes 2019-05-10 09:11:42.591362461 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.5148/qemu-linux-user.changes 2019-05-17 23:41:32.421966299 +0200 @@ -1,0 +2,28 @@ +Wed May 15 19:36:50 UTC 2019 - Bruce Rogers <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 +* Patches added: + 0044-hw-intc-exynos4210_gic-provide-more.patch + +------------------------------------------------------------------- +Tue May 14 21:01:06 UTC 2019 - Bruce Rogers <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 +* Patches dropped: + 0041-qxl-fix-Waddress-of-packed-member.patch +* Patches added: + 0041-qxl-avoid-unaligned-pointer-reads-w.patch + 0042-libvhost-user-fix-Waddress-of-packe.patch + 0043-target-i386-define-md-clear-bit.patch + +------------------------------------------------------------------- +Fri May 10 19:14:02 UTC 2019 - Bruce Rogers <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 +* Patches renamed: + 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch + -> 0036-sockets-avoid-string-truncation-war.patch + 0039-linux-user-uname-Fix-GCC-9-build-wa.patch + -> 0039-linux-user-avoid-string-truncation-.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes 2019-05-10 09:11:42.759362941 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.5148/qemu-testsuite.changes 2019-05-17 23:41:32.469966272 +0200 
@@ -1,0 +2,46 @@ +Wed May 15 19:36:49 UTC 2019 - Bruce Rogers <[email protected]> + +- Yet another gcc9 related code fix (bsc#1121464) + 0044-hw-intc-exynos4210_gic-provide-more.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 + +------------------------------------------------------------------- +Tue May 14 21:01:05 UTC 2019 - Bruce Rogers <[email protected]> + +- Switch to now upstreamed version of patch and add one more + gcc9 related patch +* Patches renamed: + 0041-qxl-fix-Waddress-of-packed-member.patch + -> 0041-qxl-avoid-unaligned-pointer-reads-w.patch + 0042-libvhost-user-fix-Waddress-of-packe.patch +- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127 + CVE-2018-12130 CVE-2019-11091 bsc#1111331) + 0043-target-i386-define-md-clear-bit.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 + +------------------------------------------------------------------- +Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <[email protected]> + +- Correct logic of which ipxe patches get included based on + suse_version. 
We were wrongly excluding a gcc9 related patch for + example + +------------------------------------------------------------------- +Fri May 10 19:14:01 UTC 2019 - Bruce Rogers <[email protected]> + +- Switch to now upstreamed version of some patches +* Patches renamed: + 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch + -> 0036-sockets-avoid-string-truncation-war.patch + 0039-linux-user-uname-Fix-GCC-9-build-wa.patch + -> 0039-linux-user-avoid-string-truncation-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 + +------------------------------------------------------------------- +Thu May 9 14:51:24 UTC 2019 - Bruce Rogers <[email protected]> + +- Create /usr/share/qemu/firmware and /etc/qemu/firmware directories + in support of the firmware descriptor feature now in use as of + libvirt v5.2 + +------------------------------------------------------------------- qemu.changes: same change Old: ---- 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch 0039-linux-user-uname-Fix-GCC-9-build-wa.patch 0041-qxl-fix-Waddress-of-packed-member.patch New: ---- 0036-sockets-avoid-string-truncation-war.patch 0039-linux-user-avoid-string-truncation-.patch 0041-qxl-avoid-unaligned-pointer-reads-w.patch 0042-libvhost-user-fix-Waddress-of-packe.patch 0043-target-i386-define-md-clear-bit.patch 0044-hw-intc-exynos4210_gic-provide-more.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu-linux-user.spec ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.077965389 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.081965387 +0200 
@@ -69,12 +69,15 @@ Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch Patch0035: 0035-tests-change-error-message-in-test-.patch -Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch +Patch0036: 0036-sockets-avoid-string-truncation-war.patch Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch -Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch +Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch +Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 @@ -146,6 +149,9 @@ %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 %build %define _lto_cflags %{nil} ++++++ qemu-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.105965374 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.109965371 +0200 
@@ -179,12 +179,15 @@ Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch Patch0035: 0035-tests-change-error-message-in-test-.patch -Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch +Patch0036: 0036-sockets-avoid-string-truncation-war.patch Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch -Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch +Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch +Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -993,6 +996,9 @@ %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 pushd roms/seabios %patch1100 -p1 @@ -1006,9 +1012,9 @@ %patch1200 -p1 %if 0%{?suse_version} <= 1320 %patch1201 -p1 +%endif %patch1202 -p1 %patch1203 -p1 -%endif %ifarch aarch64 %patch1204 -p1 %endif 
@@ -1401,12 +1407,14 @@ done %endif %find_lang %name +install -d -m 0755 %{buildroot}%_datadir/%name/firmware +install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins +install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py -mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name %if 0%{?is_opensuse} == 0 install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt @@ -1583,9 +1591,11 @@ %_mandir/man7/qemu-qmp-ref.7.gz %_mandir/man7/qemu-ga-ref.7.gz %dir %_datadir/%name +%dir %_datadir/%name/firmware %_datadir/%name/keymaps %_datadir/%name/trace-events-all %dir %_sysconfdir/%name +%dir %_sysconfdir/%name/firmware %_datadir/%name/qemu-ifup %dir %_libexecdir/supportconfig %dir %_libexecdir/supportconfig/plugins ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.137965356 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.141965354 +0200 
@@ -179,12 +179,15 @@ Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch Patch0035: 0035-tests-change-error-message-in-test-.patch -Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch +Patch0036: 0036-sockets-avoid-string-truncation-war.patch Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch -Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch +Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch +Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -993,6 +996,9 @@ %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 pushd roms/seabios %patch1100 -p1 @@ -1006,9 +1012,9 @@ %patch1200 -p1 %if 0%{?suse_version} <= 1320 %patch1201 -p1 +%endif %patch1202 -p1 %patch1203 -p1 -%endif %ifarch aarch64 %patch1204 -p1 %endif 
@@ -1401,12 +1407,14 @@ done %endif %find_lang %name +install -d -m 0755 %{buildroot}%_datadir/%name/firmware +install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins +install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py -mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name %if 0%{?is_opensuse} == 0 install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt @@ -1583,9 +1591,11 @@ %_mandir/man7/qemu-qmp-ref.7.gz %_mandir/man7/qemu-ga-ref.7.gz %dir %_datadir/%name +%dir %_datadir/%name/firmware %_datadir/%name/keymaps %_datadir/%name/trace-events-all %dir %_sysconfdir/%name +%dir %_sysconfdir/%name/firmware %_datadir/%name/qemu-ifup %dir %_libexecdir/supportconfig %dir %_libexecdir/supportconfig/plugins ++++++ 0036-sockets-avoid-string-truncation-war.patch ++++++ 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> Date: Wed, 1 May 2019 15:50:52 +0100 Subject: sockets: avoid string truncation warnings when copying UNIX path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In file included from /usr/include/string.h:494, from include/qemu/osdep.h:101, from util/qemu-sockets.c:18: In function ‘strncpy’, inlined from ‘unix_connect_saddr.isra.0’ at util/qemu-sockets.c:925:5: /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ specified bound 108 equals destination size [-Wstringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function ‘strncpy’, inlined from ‘unix_listen_saddr.isra.0’ at util/qemu-sockets.c:880:5: /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ specified bound 108 equals destination size [-Wstringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We are already validating the UNIX socket path length earlier in the functions. If we save this string length when we first check it, then we can simply use memcpy instead of strcpy later, avoiding the gcc truncation warnings. Signed-off-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Eric Blake <[email protected]> Reviewed-by: Stefano Garzarella <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> (cherry picked from commit 2d2023c3b99edb33ad4bb9791f70456ea1a1c049) Signed-off-by: Bruce Rogers <[email protected]> --- util/qemu-sockets.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c index 9705051690..ba6335e71a 100644 --- a/util/qemu-sockets.c +++ b/util/qemu-sockets.c 
@@ -830,6 +830,7 @@ static int unix_listen_saddr(UnixSocketAddress *saddr, int sock, fd; char *pathbuf = NULL; const char *path; + size_t pathlen; sock = qemu_socket(PF_UNIX, SOCK_STREAM, 0); if (sock < 0) { @@ -845,7 +846,8 @@ static int unix_listen_saddr(UnixSocketAddress *saddr, path = pathbuf = g_strdup_printf("%s/qemu-socket-XXXXXX", tmpdir); } - if (strlen(path) > sizeof(un.sun_path)) { + pathlen = strlen(path); + if (pathlen > sizeof(un.sun_path)) { error_setg(errp, "UNIX socket path '%s' is too long", path); error_append_hint(errp, "Path must be less than %zu bytes\n", sizeof(un.sun_path)); @@ -877,7 +879,7 @@ static int unix_listen_saddr(UnixSocketAddress *saddr, memset(&un, 0, sizeof(un)); un.sun_family = AF_UNIX; - strncpy(un.sun_path, path, sizeof(un.sun_path)); + memcpy(un.sun_path, path, pathlen); if (bind(sock, (struct sockaddr*) &un, sizeof(un)) < 0) { error_setg_errno(errp, errno, "Failed to bind socket to %s", path); @@ -901,6 +903,7 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp) { struct sockaddr_un un; int sock, rc; + size_t pathlen; if (saddr->path == NULL) { error_setg(errp, "unix connect: no path specified"); @@ -913,7 +916,8 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp) return -1; } - if (strlen(saddr->path) > sizeof(un.sun_path)) { + pathlen = strlen(saddr->path); + if (pathlen > sizeof(un.sun_path)) { error_setg(errp, "UNIX socket path '%s' is too long", saddr->path); error_append_hint(errp, "Path must be less than %zu bytes\n", sizeof(un.sun_path)); 
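Review bot: The hint `"Path must be less than %zu bytes\n"` and the new check `if (pathlen > sizeof(un.sun_path))` disagree: a path of exactly sizeof(un.sun_path) bytes passes the check, and the memcpy then fills sun_path completely with no terminating NUL. Linux is generally tolerant of an unterminated sun_path when addrlen is sizeof(un), so this matches the strncpy it replaces, but the message promises a stricter rule than the code enforces and other platforms may not be as forgiving. Either tighten the check to `if (pathlen >= sizeof(un.sun_path))` so sun_path always ends in the NUL left by the preceding memset and the hint becomes accurate, or reword the hint to "at most". The same check/hint pair appears in the unix_connect_saddr hunk further down; both functions start or end outside their hunks.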
@@ -922,7 +926,7 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp) memset(&un, 0, sizeof(un)); un.sun_family = AF_UNIX; - strncpy(un.sun_path, saddr->path, sizeof(un.sun_path)); + memcpy(un.sun_path, saddr->path, pathlen); /* connect to peer */ do { ++++++ 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.285965275 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.293965270 +0200 @@ -1,12 +1,9 @@ From: Alistair Francis <[email protected]> Date: Sat, 4 May 2019 07:58:35 -0600 Subject: hw/usb/hcd-xhci: Fix GCC 9 build warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit Fix this build warning with GCC 9 on Fedora 30: -hw/usb/hcd-xhci.c:3339:66: error: %d directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=] +hw/usb/hcd-xhci.c:3339:66: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=] 3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1); | ^~ hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647] 
@@ -15,7 +12,7 @@ In file included from /usr/include/stdio.h:867, from /home/alistair/qemu/include/qemu/osdep.h:99, from hw/usb/hcd-xhci.c:21: -/usr/include/bits/stdio2.h:67:10: note: __builtin___snprintf_chk output between 13 and 22 bytes into a destination of size 16 +/usr/include/bits/stdio2.h:67:10: note: '__builtin___snprintf_chk' output between 13 and 22 bytes into a destination of size 16 67 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 68 | __bos (__s), __fmt, __va_arg_pack ()); ++++++ 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.301965266 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.301965266 +0200 @@ -1,12 +1,9 @@ From: Alistair Francis <[email protected]> Date: Sat, 4 May 2019 07:58:55 -0600 Subject: hw/usb/dev-mtp: Fix GCC 9 build warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit Fix this warning with GCC 9 on Fedora 30: -hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of struct <anonymous> may result in an unaligned pointer value [-Werror=address-of-packed-member] +hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member] 1715 | dataset->filename); | ~~~~~~~^~~~~~~~~~ ++++++ 0039-linux-user-avoid-string-truncation-.patch ++++++ 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> Date: Wed, 1 May 2019 15:46:46 +0100 Subject: linux-user: avoid string truncation warnings in uname field copying MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In file included from /usr/include/string.h:494, from include/qemu/osdep.h:101, from linux-user/uname.c:20: In function ‘strncpy’, inlined from ‘sys_uname’ at linux-user/uname.c:94:3: /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin_strncpy’ output may be truncated copying 64 bytes from a string of length 64 [-Wstringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We don't care where the NUL terminator in the original uname field was. It suffices to copy the entire original field and simply force a NUL terminator at the end of the new field. Signed-off-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> [BR: Played with indent to avoid error from checkpatch.pl] (cherry picked from commit b2acfb55962bc8caeaa50a5158da2f701f2c1f7c) Signed-off-by: Bruce Rogers <[email protected]> --- linux-user/uname.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/linux-user/uname.c b/linux-user/uname.c index 313b79dbad..0c6ddf2ad9 100644 --- a/linux-user/uname.c +++ b/linux-user/uname.c 
@@ -72,9 +72,8 @@ const char *cpu_to_uname_machine(void *cpu_env) #define COPY_UTSNAME_FIELD(dest, src) \ do { \ - /* __NEW_UTS_LEN doesn't include terminating null */ \ - (void) strncpy((dest), (src), __NEW_UTS_LEN); \ - (dest)[__NEW_UTS_LEN] = '\0'; \ + memcpy((dest), (src), MIN(sizeof(src), sizeof(dest))); \ + (dest)[sizeof(dest) - 1] = '\0'; \ } while (0) int sys_uname(struct new_utsname *buf) ++++++ 0040-linux-user-elfload-Fix-GCC-9-build-.patch ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.329965251 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.329965251 +0200 @@ -1,20 +1,25 @@ From: Alistair Francis <[email protected]> -Date: Sat, 4 May 2019 07:59:23 -0600 +Date: Tue, 30 Apr 2019 23:29:01 +0000 Subject: linux-user/elfload: Fix GCC 9 build warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix this warning when building with GCC9 on Fedora 30: -In function strncpy, - inlined from fill_psinfo at /home/alistair/qemu/linux-user/elfload.c:3208:12, - inlined from fill_note_info at /home/alistair/qemu/linux-user/elfload.c:3390:5, - inlined from elf_core_dump at /home/alistair/qemu/linux-user/elfload.c:3539:9: -/usr/include/bits/string_fortified.h:106:10: error: __builtin_strncpy specified bound 16 equals destination size [-Werror=stringop-truncation] +In function ‘strncpy’, + inlined from ‘fill_psinfo’ at /home/alistair/qemu/linux-user/elfload.c:3208:12, + inlined from ‘fill_note_info’ at /home/alistair/qemu/linux-user/elfload.c:3390:5, + inlined from ‘elf_core_dump’ at /home/alistair/qemu/linux-user/elfload.c:3539:9: +/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 16 equals destination size [-Werror=stringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
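Review bot: The new COPY_UTSNAME_FIELD body takes sizeof() of both arguments, so it is only correct when dest and src are real char arrays; a pointer argument would still compile and silently copy sizeof(char *) bytes. Nothing in the macro says so, and the only comment it had (the __NEW_UTS_LEN note) is removed with the old strncpy. I would keep one comment line in the macro, e.g. `/* dest and src must be arrays, not pointers: sizeof() is taken on both */ \`. sys_uname, the caller, begins after the hunk, so the actual arguments are not visible here.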
Signed-off-by: Alistair Francis <[email protected]> +Reviewed-by: Laurent Vivier <[email protected]> +Reviewed-by: Richard Henderson <[email protected]> +Message-Id: <c4d2b1de9efadcf1c900b91361af9302823a72a9.1556666645.git.alistair.fran...@wdc.com> +Signed-off-by: Laurent Vivier <[email protected]> +(cherry picked from commit d7eb2b928a855a2e8038e8e75f7edf1a12226bd3) Signed-off-by: Bruce Rogers <[email protected]> --- linux-user/elfload.c | 2 +- ++++++ 0041-qxl-avoid-unaligned-pointer-reads-w.patch ++++++ From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <[email protected]> Date: Fri, 12 Apr 2019 13:16:26 +0100 Subject: qxl: avoid unaligned pointer reads/writes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The SPICE_RING_PROD_ITEM() macro is initializing a local 'uint64_t *' variable to point to the 'el' field inside the QXLReleaseRing struct. This uint64_t field is not guaranteed aligned as the struct is packed. Code should not take the address of fields within a packed struct. Changing the SPICE_RING_PROD_ITEM() macro to avoid taking the address of the field is impractical. It is clearer to just remove the macro and inline its functionality in the three call sites that need it. Signed-off-by: Daniel P. Berrangé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> (cherry picked from commit 94932c95c10400acd286fd768a6b411e7ebbec8f) Signed-off-by: Bruce Rogers <[email protected]> --- hw/display/qxl.c | 55 +++++++++++++++++++++--------------------------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index c8ce5781e0..5c38e6e906 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c 
@@ -33,24 +33,6 @@ #include "qxl.h" -/* - * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as - * such can be changed by the guest, so to avoid a guest trigerrable - * abort we just qxl_set_guest_bug and set the return to NULL. Still - * it may happen as a result of emulator bug as well. - */ -#undef SPICE_RING_PROD_ITEM -#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \ - uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \ - if (prod >= ARRAY_SIZE((r)->items)) { \ - qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \ - "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \ - ret = NULL; \ - } else { \ - ret = &(r)->items[prod].el; \ - } \ - } - #undef SPICE_RING_CONS_ITEM #define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \ @@ -414,7 +396,8 @@ static void init_qxl_rom(PCIQXLDevice *d) static void init_qxl_ram(PCIQXLDevice *d) { uint8_t *buf; - uint64_t *item; + uint32_t prod; + QXLReleaseRing *ring; buf = d->vga.vram_ptr; d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset)); @@ -426,9 +409,12 @@ static void init_qxl_ram(PCIQXLDevice *d) SPICE_RING_INIT(&d->ram->cmd_ring); SPICE_RING_INIT(&d->ram->cursor_ring); SPICE_RING_INIT(&d->ram->release_ring); - SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); - assert(item); - *item = 0; + + ring = &d->ram->release_ring; + prod = ring->prod & SPICE_RING_INDEX_MASK(ring); + assert(prod < ARRAY_SIZE(ring->items)); + ring->items[prod].el = 0; + qxl_ring_set_dirty(d); } @@ -732,7 +718,7 @@ static int interface_req_cmd_notification(QXLInstance *sin) static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) { QXLReleaseRing *ring = &d->ram->release_ring; - uint64_t *item; + uint32_t prod; int notify; #define QXL_FREE_BUNCH_SIZE 32 
@@ -759,11 +745,15 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) if (notify) { qxl_send_events(d, QXL_INTERRUPT_DISPLAY); } - SPICE_RING_PROD_ITEM(d, ring, item); - if (!item) { + + ring = &d->ram->release_ring; + prod = ring->prod & SPICE_RING_INDEX_MASK(ring); + if (prod >= ARRAY_SIZE(ring->items)) { + qxl_set_guest_bug(d, "SPICE_RING_PROD_ITEM indices mismatch " + "%u >= %zu", prod, ARRAY_SIZE(ring->items)); return; } - *item = 0; + ring->items[prod].el = 0; d->num_free_res = 0; d->last_release = NULL; qxl_ring_set_dirty(d); @@ -775,7 +765,8 @@ static void interface_release_resource(QXLInstance *sin, { PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl); QXLReleaseRing *ring; - uint64_t *item, id; + uint32_t prod; + uint64_t id; if (ext.group_id == MEMSLOT_GROUP_HOST) { /* host group -> vga mode update request */ @@ -792,16 +783,18 @@ static void interface_release_resource(QXLInstance *sin, * pci bar 0, $command.release_info */ ring = &qxl->ram->release_ring; - SPICE_RING_PROD_ITEM(qxl, ring, item); - if (!item) { + prod = ring->prod & SPICE_RING_INDEX_MASK(ring); + if (prod >= ARRAY_SIZE(ring->items)) { + qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " + "%u >= %zu", prod, ARRAY_SIZE(ring->items)); return; } - if (*item == 0) { + if (ring->items[prod].el == 0) { /* stick head into the ring */ id = ext.info->id; ext.info->next = 0; qxl_ram_set_dirty(qxl, &ext.info->next); - *item = id; + ring->items[prod].el = id; qxl_ring_set_dirty(qxl); } else { /* append item to the list */ ++++++ 0042-libvhost-user-fix-Waddress-of-packe.patch ++++++ 
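Review bot: In qxl_push_free_res the added `ring = &d->ram->release_ring;` re-assigns a pointer that the kept declaration `QXLReleaseRing *ring = &d->ram->release_ring;` (context in the previous hunk) already initialises to the same value, so the assignment can be dropped. The two inlined guest-bug messages still read `SPICE_RING_PROD_ITEM indices mismatch` although this patch deletes that macro; something like `"release ring prod index out of range %u >= %zu"` would not send a reader looking for a name that no longer exists. The NOTE removed together with the macro (the ring lives in the PCI BAR and is guest-writable, which is why an out-of-range index is reported via qxl_set_guest_bug instead of asserted) is now recorded nowhere; it is worth re-adding as a comment above the new check in qxl_push_free_res, since the init_qxl_ram site keeps the pre-existing assert on the same guest-visible index. All three functions continue outside their hunks.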
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <[email protected]> Date: Fri, 3 May 2019 15:00:29 +0200 Subject: libvhost-user: fix -Waddress-of-packed-member MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_mem_table_exec_postcopy’: /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:546:31: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] 546 | VhostUserMemory *memory = &vmsg->payload.memory; | ^~~~~~~~~~~~~~~~~~~~~ /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_mem_table_exec’: /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:688:31: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] 688 | VhostUserMemory *memory = &vmsg->payload.memory; | ^~~~~~~~~~~~~~~~~~~~~ /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_vring_addr_exec’: /home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:817:36: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] 817 | struct vhost_vring_addr *vra = &vmsg->payload.addr; | ^~~~~~~~~~~~~~~~~~~ Signed-off-by: Marc-André Lureau <[email protected]> Message-id: [email protected] Signed-off-by: Gerd Hoffmann <[email protected]> (cherry picked from commit d288eef3a0a8ac46cc45808b50d73606476148b0) Signed-off-by: Bruce Rogers <[email protected]> --- contrib/libvhost-user/libvhost-user.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c index e08d6c7b97..dcf4a969f2 100644 --- a/contrib/libvhost-user/libvhost-user.c +++ b/contrib/libvhost-user/libvhost-user.c 
@@ -542,7 +542,7 @@ static bool vu_set_mem_table_exec_postcopy(VuDev *dev, VhostUserMsg *vmsg) { int i; - VhostUserMemory *memory = &vmsg->payload.memory; + VhostUserMemory m = vmsg->payload.memory, *memory = &m; dev->nregions = memory->nregions; DPRINT("Nregions: %d\n", memory->nregions); @@ -684,7 +684,7 @@ static bool vu_set_mem_table_exec(VuDev *dev, VhostUserMsg *vmsg) { int i; - VhostUserMemory *memory = &vmsg->payload.memory; + VhostUserMemory m = vmsg->payload.memory, *memory = &m; for (i = 0; i < dev->nregions; i++) { VuDevRegion *r = &dev->regions[i]; @@ -813,7 +813,7 @@ vu_set_vring_num_exec(VuDev *dev, VhostUserMsg *vmsg) static bool vu_set_vring_addr_exec(VuDev *dev, VhostUserMsg *vmsg) { - struct vhost_vring_addr *vra = &vmsg->payload.addr; + struct vhost_vring_addr addr = vmsg->payload.addr, *vra = &addr; unsigned int index = vra->index; VuVirtq *vq = &dev->vq[index]; ++++++ 0043-target-i386-define-md-clear-bit.patch ++++++ From: Paolo Bonzini <[email protected]> Date: Fri, 1 Mar 2019 21:40:52 +0100 Subject: target/i386: define md-clear bit md-clear is a new CPUID bit which is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking the VERW instruction. Add the new feature, and pass it down to Hypervisor.framework guests. Signed-off-by: Paolo Bonzini <[email protected]> [BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091] Signed-off-by: Bruce Rogers <[email protected]> --- target/i386/cpu.c | 2 +- target/i386/cpu.h | 1 + target/i386/hvf/x86_cpuid.c | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d6bb57d210..4ea78a4939 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
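Review bot: Replacing the alias `&vmsg->payload.memory` with the stack copy `VhostUserMemory m = vmsg->payload.memory, *memory = &m;` changes semantics, not just alignment: any write made through `memory` (or `vra` in vu_set_vring_addr_exec) later in the function no longer reaches vmsg. vu_set_mem_table_exec_postcopy is, by its name, the variant that talks back to the front end, so if its body (which continues past the hunk) fills in fields of memory->regions[] before sending vmsg as a reply, those values would now be lost; please confirm against the rest of the function. The copy also places a whole VhostUserMemory on the stack per call; its size is not visible here, so worth checking it stays modest. A one-line comment at each copy, e.g. `/* copy out of the packed message: may be unaligned; writes here do not reach vmsg */`, would make the intent explicit.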
@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, + NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 572290c3d6..d3bd0943ec 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ +#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c index 4d957fe896..b453552fb4 100644 --- a/target/i386/hvf/x86_cpuid.c +++ b/target/i386/hvf/x86_cpuid.c @@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, } ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; - edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; + edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ + CPUID_7_0_EDX_MD_CLEAR; } else { ebx = 0; ecx = 0; ++++++ 0044-hw-intc-exynos4210_gic-provide-more.patch ++++++ 
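Review bot: The trailing backslash in `edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \` is a preprocessor line continuation in ordinary code; it is unnecessary inside an expression and the surrounding hvf code does not use it, so drop it and simply break after the `|`. The new define follows the naming and comment style of its neighbours in cpu.h, which is good. Note that this patch only makes `md-clear` nameable and exposes it to hvf guests when the host reports it; whether any built-in CPU model enables it is outside these hunks, so the package changelog entry that cites the CVEs should not be read as implying guests get the flag by default.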
From: Bruce Rogers <[email protected]> Date: Wed, 15 May 2019 13:32:01 -0600 Subject: hw/intc/exynos4210_gic: provide more room when formatting alias names sprintf related parameter validation complains about the size of the buffer being written to in exynos4210_gic_realize(). Provide a bit more space to avoid the following warning: /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c: In function 'exynos4210_gic_realize': /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:36: error: '%x' directive writing between 1 and 7 bytes into a region of size between 4 and 28 [-Werror=format-overflow=] 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i); | ^~ /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:33: note: directive argument in the range [0, 29020050] 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i); | ^~~~~~ In file included from /usr/include/stdio.h:867, from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99, from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23: /usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 32 bytes into a destination of size 28 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 37 | __bos (__s), __fmt, __va_arg_pack ()); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:37: error: '%x' directive writing between 1 and 7 bytes into a region of size between 3 and 28 [-Werror=format-overflow=] 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i); | ^~ /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:34: note: directive argument in the range [0, 29020050] 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i); | ^~~~~~ In file included from /usr/include/stdio.h:867, from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99, from 
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23: /usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 33 bytes into a destination of size 28 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 37 | __bos (__s), __fmt, __va_arg_pack ()); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Bruce Rogers <[email protected]> --- hw/intc/exynos4210_gic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/intc/exynos4210_gic.c b/hw/intc/exynos4210_gic.c index 69f9c18d73..4770950c94 100644 --- a/hw/intc/exynos4210_gic.c +++ b/hw/intc/exynos4210_gic.c @@ -288,8 +288,8 @@ static void exynos4210_gic_realize(DeviceState *dev, Error **errp) SysBusDevice *sbd = SYS_BUS_DEVICE(obj); const char cpu_prefix[] = "exynos4210-gic-alias_cpu"; const char dist_prefix[] = "exynos4210-gic-alias_dist"; - char cpu_alias_name[sizeof(cpu_prefix) + 3]; - char dist_alias_name[sizeof(cpu_prefix) + 3]; + char cpu_alias_name[sizeof(cpu_prefix) + 7]; + char dist_alias_name[sizeof(cpu_prefix) + 8]; SysBusDevice *gicbusdev; uint32_t i; ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.Yrb9wo/_old 2019-05-17 23:41:34.561965124 +0200 +++ /var/tmp/diff_new_pack.Yrb9wo/_new 2019-05-17 23:41:34.561965124 +0200 @@ -923,9 +923,9 @@ %patch1200 -p1 %if 0%{?suse_version} <= 1320 %patch1201 -p1 +%endif %patch1202 -p1 %patch1203 -p1 -%endif %ifarch aarch64 %patch1204 -p1 %endif 
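Review bot: `dist_alias_name` is still sized from `cpu_prefix` rather than `dist_prefix`; the +8 only fits because dist_prefix happens to be one byte longer than cpu_prefix, which a later rename of either string would silently break. Since `i` is a uint32_t and `%x` can emit up to 8 hex digits, size each buffer for the worst case from its own prefix: `char cpu_alias_name[sizeof(cpu_prefix) + 8];` and `char dist_alias_name[sizeof(dist_prefix) + 8];`. The two sprintf calls quoted in the warning are outside the hunk; switching them to snprintf with `sizeof` of the destination would make the bound explicit instead of relying on the loop limit gcc happened to infer. exynos4210_gic_realize continues outside the hunk.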
@@ -1318,12 +1318,14 @@ done %endif %find_lang %name +install -d -m 0755 %{buildroot}%_datadir/%name/firmware +install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins +install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py -mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name %if 0%{?is_opensuse} == 0 install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt @@ -1500,9 +1502,11 @@ %_mandir/man7/qemu-qmp-ref.7.gz %_mandir/man7/qemu-ga-ref.7.gz %dir %_datadir/%name +%dir %_datadir/%name/firmware %_datadir/%name/keymaps %_datadir/%name/trace-events-all %dir %_sysconfdir/%name +%dir %_sysconfdir/%name/firmware %_datadir/%name/qemu-ifup %dir %_libexecdir/supportconfig %dir %_libexecdir/supportconfig/plugins
