Hello community, here is the log from the commit of package qemu for openSUSE:Leap:15.2 checked in at 2020-06-04 16:01:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/qemu (Old) and /work/SRC/openSUSE:Leap:15.2/.qemu.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Thu Jun 4 16:01:50 2020 rev:104 rq:810934 version:4.2.0 Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/qemu/qemu.changes 2020-04-21 19:04:04.547565699 +0200
+++ /work/SRC/openSUSE:Leap:15.2/.qemu.new.3606/qemu.changes 2020-06-04 16:03:27.535477181 +0200
@@ -1,0 +2,38 @@
+Tue May 26 15:27:03 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Fix segfault when doing HMP wavcapture (boo#1171712)
+ audio-fix-wavcapture-segfault.patch
+
+-------------------------------------------------------------------
+Fri May 15 16:33:33 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Note: a stable patch we've already included addresses bsc#1167816
+ migration-Rate-limit-inside-host-pages.patch
+
+-------------------------------------------------------------------
+Thu Apr 30 17:18:01 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Fix use after free in slirp networking code (CVE-2020-1983
+ bsc#1170940)
+ Fix-use-afte-free-in-ip_reass-CVE-2020-1.patch
+- Increased disk space in _constraints file from 8GB to 9GB
+
+-------------------------------------------------------------------
+Mon Apr 27 19:35:55 UTC 2020 - Bruce Rogers <[email protected]>
+
+-Fix potential DoS in ATI VGA emulation (CVE-2020-11869
+ bsc#1170537)
+ ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+
+-------------------------------------------------------------------
+Wed Apr 22 15:23:15 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Minor tweaks to patches and support doc
+
+-------------------------------------------------------------------
+Tue Apr 21 13:24:59 UTC 2020 - Martin Liška <[email protected]>
+
+- Add gcc10-maybe-uninitialized.patch in order to fix
+ boo#1169728.
+
+-------------------------------------------------------------------
New:
----
Fix-use-afte-free-in-ip_reass-CVE-2020-1.patch ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch audio-fix-wavcapture-segfault.patch gcc10-maybe-uninitialized.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ qemu.spec ++++++
--- /var/tmp/diff_new_pack.Em9fqK/_old 2020-06-04 16:03:29.571483994 +0200
+++ /var/tmp/diff_new_pack.Em9fqK/_new 2020-06-04 16:03:29.571483994 +0200
@@ -198,104 +198,107 @@
Patch00068: virtio-pmem-do-delete-rq_vq-in-virtio_pm.patch
Patch00069: vhost-user-blk-delete-virtioqueues-in-un.patch
Patch00070: hw-arm-cubieboard-use-ARM-Cortex-A8-as-t.patch
-Patch00071: iotests-Fix-nonportable-use-of-od-endian.patch
-Patch00072: block-qcow2-threads-fix-qcow2_decompress.patch
-Patch00073: job-refactor-progress-to-separate-object.patch
-Patch00074: block-block-copy-fix-progress-calculatio.patch
-Patch00075: block-io-fix-bdrv_co_do_copy_on_readv.patch
-Patch00076: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
-Patch00077: target-ppc-Fix-rlwinm-on-ppc64.patch
-Patch00078: compat-disable-edid-on-correct-virtio-gp.patch
-Patch00079: ppc-ppc405_boards-Remove-unnecessary-NUL.patch
-Patch00080: block-Avoid-memleak-on-qcow2-image-info-.patch
-Patch00081: block-bdrv_set_backing_bs-fix-use-after-.patch
-Patch00082: hmp-vnc-Fix-info-vnc-list-leak.patch
-Patch00083: migration-colo-fix-use-after-free-of-loc.patch
-Patch00084: migration-ram-fix-use-after-free-of-loca.patch
-Patch00085: qcow2-List-autoclear-bit-names-in-header.patch
-Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch
-Patch00087: target-arm-Fix-PAuth-sbox-functions.patch
-Patch00088: tcg-i386-Fix-INDEX_op_dup2_vec.patch
-Patch00089: net-tulip-check-frame-size-and-r-w-data-.patch
-Patch00090: target-i386-do-not-set-unsupported-VMX-s.patch
-Patch00091: spapr-Fix-failure-path-for-attempting-to.patch
-Patch00092: xen-block-Fix-double-qlist-remove-and-re.patch
-Patch00093: vpc-Don-t-round-up-already-aligned-BAT-s.patch
-Patch00094: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
-Patch00095: aio-wait-delegate-polling-of-main-AioCon.patch
-Patch00096: async-use-explicit-memory-barriers.patch
-Patch00097: tcg-mips-mips-sync-encode-error.patch
-Patch00098: vhost-user-gpu-Release-memory-returned-b.patch
-Patch00099: XXX-dont-dump-core-on-sigabort.patch
-Patch00100: qemu-binfmt-conf-Modify-default-path.patch
-Patch00101: qemu-cvs-gettimeofday.patch
-Patch00102: qemu-cvs-ioctl_debug.patch
-Patch00103: qemu-cvs-ioctl_nodirection.patch
-Patch00104: linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00105: PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00106: linux-user-binfmt-support-host-binaries.patch
-Patch00107: linux-user-Fake-proc-cpuinfo.patch
-Patch00108: linux-user-use-target_ulong.patch
-Patch00109: Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00110: linux-user-lseek-explicitly-cast-non-set.patch
-Patch00111: AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00112: xen_disk-Add-suse-specific-flush-disable.patch
-Patch00113: qemu-bridge-helper-reduce-security-profi.patch
-Patch00114: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00115: linux-user-properly-test-for-infinite-ti.patch
-Patch00116: roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00117: Raise-soft-address-space-limit-to-hard-l.patch
-Patch00118: increase-x86_64-physical-bits-to-42.patch
-Patch00119: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00120: i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00121: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00122: Switch-order-of-libraries-for-mpath-supp.patch
-Patch00123: Make-installed-scripts-explicitly-python.patch
-Patch00124: hw-smbios-handle-both-file-formats-regar.patch
-Patch00125: xen-add-block-resize-support-for-xen-dis.patch
-Patch00126: tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00127: tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00128: xen-ignore-live-parameter-from-xen-save-.patch
-Patch00129: Conditionalize-ui-bitmap-installation-be.patch
-Patch00130: tests-change-error-message-in-test-162.patch
-Patch00131: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00132: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00133: hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00134: configure-only-populate-roms-if-softmmu.patch
-Patch00135: pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00136: roms-change-cross-compiler-naming-to-be-.patch
-Patch00137: tests-Disable-some-block-tests-for-now.patch
-Patch00138: test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00139: roms-Makefile-enable-cross-compile-for-b.patch
-Patch00140: hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00141: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00142: s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00143: s390x-Move-initial-reset.patch
-Patch00144: s390x-Move-clear-reset.patch
-Patch00145: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00146: s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00147: s390x-Beautify-diag308-handling.patch
-Patch00148: s390x-Add-missing-vcpu-reset-functions.patch
-Patch00149: pc-bios-s390x-Save-iplb-location-in-lowc.patch
-Patch00150: s390-sclp-improve-special-wait-psw-logic.patch
-Patch00151: s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00152: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00153: Sync-pv.patch
-Patch00154: s390x-protvirt-Support-unpack-facility.patch
-Patch00155: s390x-protvirt-Add-migration-blocker.patch
-Patch00156: s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00157: s390x-protvirt-KVM-intercept-changes.patch
-Patch00158: s390x-Add-SIDA-memory-ops.patch
-Patch00159: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00160: s390x-protvirt-SCLP-interpretation.patch
-Patch00161: s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00162: s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00163: s390x-protvirt-Disable-address-checks-fo.patch
-Patch00164: s390x-protvirt-Move-IO-control-structure.patch
-Patch00165: s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00166: s390x-Add-unpack-facility-feature-to-GA1.patch
-Patch00167: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
-Patch00168: configure-remove-pkgversion-from-CONFIG_.patch
+Patch00071: pc-bios-s390x-Save-iplb-location-in-lowc.patch
+Patch00072: iotests-Fix-nonportable-use-of-od-endian.patch
+Patch00073: block-qcow2-threads-fix-qcow2_decompress.patch
+Patch00074: job-refactor-progress-to-separate-object.patch
+Patch00075: block-block-copy-fix-progress-calculatio.patch
+Patch00076: block-io-fix-bdrv_co_do_copy_on_readv.patch
+Patch00077: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
+Patch00078: target-ppc-Fix-rlwinm-on-ppc64.patch
+Patch00079: compat-disable-edid-on-correct-virtio-gp.patch
+Patch00080: ppc-ppc405_boards-Remove-unnecessary-NUL.patch
+Patch00081: block-Avoid-memleak-on-qcow2-image-info-.patch
+Patch00082: block-bdrv_set_backing_bs-fix-use-after-.patch
+Patch00083: hmp-vnc-Fix-info-vnc-list-leak.patch
+Patch00084: migration-colo-fix-use-after-free-of-loc.patch
+Patch00085: migration-ram-fix-use-after-free-of-loca.patch
+Patch00086: qcow2-List-autoclear-bit-names-in-header.patch
+Patch00087: sheepdog-Consistently-set-bdrv_has_zero_.patch
+Patch00088: target-arm-Fix-PAuth-sbox-functions.patch
+Patch00089: tcg-i386-Fix-INDEX_op_dup2_vec.patch
+Patch00090: net-tulip-check-frame-size-and-r-w-data-.patch
+Patch00091: target-i386-do-not-set-unsupported-VMX-s.patch
+Patch00092: spapr-Fix-failure-path-for-attempting-to.patch
+Patch00093: ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch
+Patch00094: xen-block-Fix-double-qlist-remove-and-re.patch
+Patch00095: vpc-Don-t-round-up-already-aligned-BAT-s.patch
+Patch00096: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+Patch00097: aio-wait-delegate-polling-of-main-AioCon.patch
+Patch00098: async-use-explicit-memory-barriers.patch
+Patch00099: tcg-mips-mips-sync-encode-error.patch
+Patch00100: vhost-user-gpu-Release-memory-returned-b.patch
+Patch00101: audio-fix-wavcapture-segfault.patch
+Patch00102: XXX-dont-dump-core-on-sigabort.patch
+Patch00103: qemu-binfmt-conf-Modify-default-path.patch
+Patch00104: qemu-cvs-gettimeofday.patch
+Patch00105: qemu-cvs-ioctl_debug.patch
+Patch00106: qemu-cvs-ioctl_nodirection.patch
+Patch00107: linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00108: PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00109: linux-user-binfmt-support-host-binaries.patch
+Patch00110: linux-user-Fake-proc-cpuinfo.patch
+Patch00111: linux-user-use-target_ulong.patch
+Patch00112: Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00113: linux-user-lseek-explicitly-cast-non-set.patch
+Patch00114: AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00115: xen_disk-Add-suse-specific-flush-disable.patch
+Patch00116: qemu-bridge-helper-reduce-security-profi.patch
+Patch00117: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00118: linux-user-properly-test-for-infinite-ti.patch
+Patch00119: roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00120: Raise-soft-address-space-limit-to-hard-l.patch
+Patch00121: increase-x86_64-physical-bits-to-42.patch
+Patch00122: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00123: i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00124: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00125: Switch-order-of-libraries-for-mpath-supp.patch
+Patch00126: Make-installed-scripts-explicitly-python.patch
+Patch00127: hw-smbios-handle-both-file-formats-regar.patch
+Patch00128: xen-add-block-resize-support-for-xen-dis.patch
+Patch00129: tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00130: tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00131: xen-ignore-live-parameter-from-xen-save-.patch
+Patch00132: Conditionalize-ui-bitmap-installation-be.patch
+Patch00133: tests-change-error-message-in-test-162.patch
+Patch00134: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00135: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00136: hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00137: configure-only-populate-roms-if-softmmu.patch
+Patch00138: pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00139: roms-change-cross-compiler-naming-to-be-.patch
+Patch00140: tests-Disable-some-block-tests-for-now.patch
+Patch00141: test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00142: roms-Makefile-enable-cross-compile-for-b.patch
+Patch00143: hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00144: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00145: s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00146: s390x-Move-initial-reset.patch
+Patch00147: s390x-Move-clear-reset.patch
+Patch00148: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00149: s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00150: s390x-Beautify-diag308-handling.patch
+Patch00151: s390x-Add-missing-vcpu-reset-functions.patch
+Patch00152: s390-sclp-improve-special-wait-psw-logic.patch
+Patch00153: s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00154: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00155: Sync-pv.patch
+Patch00156: s390x-protvirt-Support-unpack-facility.patch
+Patch00157: s390x-protvirt-Add-migration-blocker.patch
+Patch00158: s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00159: s390x-protvirt-KVM-intercept-changes.patch
+Patch00160: s390x-Add-SIDA-memory-ops.patch
+Patch00161: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00162: s390x-protvirt-SCLP-interpretation.patch
+Patch00163: s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00164: s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00165: s390x-protvirt-Disable-address-checks-fo.patch
+Patch00166: s390x-protvirt-Move-IO-control-structure.patch
+Patch00167: s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00168: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00169: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+Patch00170: configure-remove-pkgversion-from-CONFIG_.patch
+Patch00171: gcc10-maybe-uninitialized.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
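Review bot: The renumbering moves pc-bios-s390x-Save-iplb-location-in-lowc.patch from Patch00149 to Patch00071, so it is now applied before the iotests/block backports and the s390x reset series (now Patch00144–00153) instead of after them; because the `%patch` lines apply in numeric order this is an apply-order change, not just a renumber, and neither the changelog entries nor the spec say why. It presumably goes with the `Git-commit:` line added to that patch file further down (it is now treated as an upstream commit), and a one-line changelog entry such as `- Reorder pc-bios-s390x-Save-iplb-location-in-lowc.patch now that it is an upstream commit` would make that visible to the next reviewer. The shift also renumbers every later patch, which makes the genuinely new entries in this block (Patch00093 ati-vga, Patch00101 audio-fix-wavcapture, Patch00171 gcc10) hard to pick out of the diff.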
@@ -317,6 +320,7 @@
Patch09002: tcp_emu-Fix-oob-access.patch
Patch09003: slirp-use-correct-size-while-emulating-c.patch
Patch09004: tcp_emu-fix-unsafe-snprintf-usages.patch
+Patch09005: Fix-use-afte-free-in-ip_reass-CVE-2020-1.patch
# Patches applied in roms/qboot/:
Patch12000: ensure-headers-included-are-compatible-w.patch
Patch12001: Enable-cross-compile-prefix-for-C-compil.patch
@@ -1180,6 +1184,9 @@
%patch00166 -p1
%patch00167 -p1
%patch00168 -p1
+%patch00169 -p1
+%patch00170 -p1
+%patch00171 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
@@ -1200,6 +1207,7 @@
%patch09002 -p1
%patch09003 -p1
%patch09004 -p1
+%patch09005 -p1
%patch12000 -p1
%patch12001 -p1
++++++ Fix-use-afte-free-in-ip_reass-CVE-2020-1.patch ++++++
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <[email protected]>
Date: Sat, 4 Apr 2020 22:42:13 +0200
Subject: Fix use-afte-free in ip_reass() (CVE-2020-1983)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 2faae0f778f818fadc873308f983289df697eb93
References: bsc#1170940, CVE-2020-1983
The q pointer is updated when the mbuf data is moved from m_dat to m_ext. m_ext buffer may also be realloc()'ed and moved during m_cat(): q should also be updated in this case.
Reported-by: Aviv Sasson <[email protected]>
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Samuel Thibault <[email protected]>
(cherry picked from commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
Signed-off-by: Bruce Rogers <[email protected]>
---
src/ip_input.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 8c75d91495dfdb32f00aea66acd3..bdf1f72fce73dc9ad2c2a257618a 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -325,8 +325,7 @@ insert:
*/
q = fp->frag_link.next;
m = dtom(slirp, q);
-
- int was_ext = m->m_flags & M_EXT;
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
@@ -350,8 +349,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (!was_ext && m->m_flags & M_EXT) {
- int delta = (char *)q - m->m_dat;
+ if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}
++++++ _constraints ++++++
--- /var/tmp/diff_new_pack.Em9fqK/_old 2020-06-04 16:03:29.763484636 +0200
+++ /var/tmp/diff_new_pack.Em9fqK/_new 2020-06-04 16:03:29.763484636 +0200
@@ -1,5 +1,5 @@
<constraints>
- <!-- All builds are fine with 8GB disk -->
+ <!-- All builds are fine with 9GB disk -->
<overwrite>
<conditions>
<package>qemu</package>
@@ -8,7 +8,7 @@
</conditions>
<hardware>
<disk>
- <size unit="G">8</size>
+ <size unit="G">9</size>
</disk>
</hardware>
</overwrite>
++++++ ati-vga-Fix-checks-in-ati_2d_blt-to-avoi.patch ++++++
From: BALATON Zoltan <[email protected]>
Date: Mon, 6 Apr 2020 22:34:26 +0200
Subject: ati-vga: Fix checks in ati_2d_blt() to avoid crash
Git-commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7:
References: bsc#117037, CVE-2020-11869
In some corner cases (that never happen during normal operation but a malicious guest could program wrong values) pixman functions were called with parameters that result in a crash. Fix this and add more checks to disallow such cases.
Reported-by: Ziming Zhang <[email protected]>
Signed-off-by: BALATON Zoltan <[email protected]>
Message-id: [email protected]
Signed-off-by: Gerd Hoffmann <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 42e82311eb4433a6ee2671e9855a..23a8ae0cd8ceb7b59408c0709e2f 100644
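Review bot: The comment above the new `if (m->m_flags & M_EXT)` (its tail is visible as context: "the old buffer (in the mbuf), so we must point ip into the new buffer") still describes only the m_dat-to-m_ext move that the removed `was_ext` test guarded, while the new `delta` is also meant to cover `m_ext` being realloc()ed by m_cat(), which is the case the commit message names. Suggest extending that comment with a line such as `* m_cat() may also realloc() m_ext, so q is recomputed from delta whenever M_EXT is set.` so the reason the test is now unconditional sits next to the code. The recomputation is only right if `delta`, taken before the loop from whichever buffer held the first fragment, is still q's offset from the start of `m->m_ext` after every m_cat(); the loop body and the lines between the two hunks are not shown, so that invariant should be confirmed when applying. The `use-afte-free` typo in the Subject is carried into the patch file name and the changelog entry.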
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), surface_bits_per_pixel(ds), (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
int bpp = ati_bpp_from_datatype(s);
+ if (!bpp) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
+ return;
+ }
int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
+ if (!dst_stride) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
+ return;
+ }
uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? s->regs.dst_offset : s->regs.default_offset);
@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
switch (s->regs.dp_mix & GMC_ROP3_MASK) {
case ROP3_SRCCOPY: {
- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
int src_stride = DEFAULT_CNTL ? s->regs.src_pitch : s->regs.default_pitch;
+ if (!src_stride) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
+ return;
+ }
uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? s->regs.src_offset : s->regs.default_offset);
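Review bot: Changing `dst_x`/`dst_y` (and `src_x`/`src_y` in the ROP3_SRCCOPY hunk) from `int` to `unsigned` means the `+ 1 - dst_width` forms no longer go negative but wrap to a very large value when the guest programs a width larger than the coordinate, so these declarations only avoid the crash if a later range check against the surface or VRAM size rejects such values before `dst_bits`/`src_bits` are used; that check is outside these hunks (ati_2d_blt continues past both) and should be confirmed, and a comment such as `/* unsigned on purpose: an out-of-range width wraps and is caught by the bounds check below */` on the declarations would record the intent. The register write-back hunks further down store the same unsigned values into `s->regs.dst_x`/`dst_y`, so the same reliance applies there. The added `!bpp` and zero-pitch guards follow the surrounding `qemu_log_mask(LOG_GUEST_ERROR, ...)` and return style, which is fine. Two header problems in this patch file: `References: bsc#117037` is missing a digit compared with the changelog's `bsc#1170537`, and `Git-commit ac2071...:` has the colon after the hash instead of after `Git-commit`.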
@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
dst_y * surface_stride(ds), s->regs.dst_height * surface_stride(ds));
}
- s->regs.dst_x += s->regs.dst_width;
- s->regs.dst_y += s->regs.dst_height;
+ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+ dst_x + s->regs.dst_width : dst_x);
+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+ dst_y + s->regs.dst_height : dst_y);
break;
}
case ROP3_PATCOPY:
@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
dst_y * surface_stride(ds), s->regs.dst_height * surface_stride(ds));
}
- s->regs.dst_y += s->regs.dst_height;
+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+ dst_y + s->regs.dst_height : dst_y);
break;
}
default:
++++++ audio-fix-wavcapture-segfault.patch ++++++
From: Bruce Rogers <[email protected]>
Date: Thu, 21 May 2020 11:29:31 -0600
Subject: audio: fix wavcapture segfault
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: cbaf25d1f59ee13fc7542a06ea70784f2e000c04
References: boo#1171712
Commit 571a8c522e caused the HMP wavcapture command to segfault when processing audio data in audio_pcm_sw_write(), where a NULL sw->hw->pcm_ops is dereferenced. This fix checks that the pointer is valid before dereferincing it. A similar fix is also made in the parallel function audio_pcm_sw_read().
Fixes: 571a8c522e (audio: split ctl_* functions into enable_* and volume_*)
Signed-off-by: Bruce Rogers <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Gerd Hoffmann <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
audio/audio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audio/audio.c b/audio/audio.c
index 56fae55047103af9fb85aa47c905..566febf7d76eba61e4db472d0fd1 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -634,7 +634,7 @@ static size_t audio_pcm_sw_read(SWVoiceIn *sw, void *buf, size_t size)
total += isamp;
}
- if (!hw->pcm_ops->volume_in) {
+ if (hw->pcm_ops && !hw->pcm_ops->volume_in) {
mixeng_volume (sw->buf, ret, &sw->vol);
}
@@ -721,7 +721,7 @@ static size_t audio_pcm_sw_write(SWVoiceOut *sw, void *buf, size_t size)
if (swlim) {
sw->conv (sw->buf, buf, swlim);
- if (!sw->hw->pcm_ops->volume_out) {
+ if (sw->hw->pcm_ops && !sw->hw->pcm_ops->volume_out) {
mixeng_volume (sw->buf, swlim, &sw->vol);
}
}
++++++ bundles.tar.xz ++++++
Binary files old/b0ca999a43a22b38158a222233d3f5881648bb4f.bundle and new/b0ca999a43a22b38158a222233d3f5881648bb4f.bundle differ
Binary files old/slirp/126c04acbabd7ad32c2b018fe10dfac2a3bc1210.bundle and new/slirp/126c04acbabd7ad32c2b018fe10dfac2a3bc1210.bundle differ
++++++ gcc10-maybe-uninitialized.patch ++++++
From: Bruce Rogers <[email protected]>
Date: Wed, 22 Apr 2020 08:50:55 -0600
Subject: gcc10: maybe-uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
References: boo#1169728
gcc 10 needs some help to understand that indeed cpu_irqs[0] does get initialized in all cases. In this case an assert is sufficient.
Reported-by: Martin Liška <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
hw/openrisc/openrisc_sim.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
index 79e70493fc77e50556a4a92a4231..bc4b71059ff6d922e3cdc83bfc79 100644
--- a/hw/openrisc/openrisc_sim.c
+++ b/hw/openrisc/openrisc_sim.c
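Review bot: With `pcm_ops == NULL` the new conditions in audio_pcm_sw_read() and audio_pcm_sw_write() skip `mixeng_volume()` altogether, so `sw->vol` is silently not applied on exactly the voices this patch is about (per the description, the wavcapture path). If software volume is expected to work without a backend, the guards should be `if (!hw->pcm_ops || !hw->pcm_ops->volume_in) {` and `if (!sw->hw->pcm_ops || !sw->hw->pcm_ops->volume_out) {`, which still avoid the NULL dereference; if dropping the volume step is intended, a one-line comment beside each condition saying so would stop the next reader from asking the same question. Both functions continue outside the hunks, so whether `sw->vol` is ever set for such voices cannot be seen here.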
@@ -134,6 +134,7 @@ static void openrisc_sim_init(MachineState *machine)
int n;
unsigned int smp_cpus = machine->smp.cpus;
+ assert(smp_cpus >= 1 && smp_cpus <= 2);
for (n = 0; n < smp_cpus; n++) {
cpu = OPENRISC_CPU(cpu_create(machine->cpu_type));
if (cpu == NULL) {
++++++ pc-bios-s390x-Save-iplb-location-in-lowc.patch ++++++
--- /var/tmp/diff_new_pack.Em9fqK/_old 2020-06-04 16:03:30.075485681 +0200
+++ /var/tmp/diff_new_pack.Em9fqK/_new 2020-06-04 16:03:30.075485681 +0200
@@ -2,6 +2,7 @@
Date: Wed, 4 Mar 2020 06:42:31 -0500
Subject: pc-bios: s390x: Save iplb location in lowcore
+Git-commit: 9bfc04f9ef6802fff0fc77130ff345a541783363
References: bsc#1163140, bsc#1167075
The POP states that for a list directed IPL the IPLB is stored into
@@ -23,7 +24,6 @@
Reviewed-by: Christian Borntraeger <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Signed-off-by: Christian Borntraeger <[email protected]>
-(cherry picked from commit 9bfc04f9ef6802fff0fc77130ff345a541783363)
Signed-off-by: Liang Yan <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
++++++ supported.x86.txt ++++++
--- /var/tmp/diff_new_pack.Em9fqK/_old 2020-06-04 16:03:30.283486376 +0200
+++ /var/tmp/diff_new_pack.Em9fqK/_new 2020-06-04 16:03:30.283486376 +0200
@@ -243,7 +243,7 @@ -bt -no-kvm-pit -- The previously unsupported machine types pc-0.13, pc-0.14, and pc-0.15 are now +- The previously unsupported machine types pc-0.13 and pc-0.14 are now deprecated. - The case of specified sockets, cores, and threads not matching the vcpu count
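Review bot: The new `assert(smp_cpus >= 1 && smp_cpus <= 2)` turns an out-of-range `-smp` value into an abort of the whole process rather than a reported error; that is only acceptable if the machine class already caps max_cpus at 2 so the assert is unreachable, which is outside this hunk (openrisc_sim_init continues past it) and worth confirming before accepting it. Since the description says the assert exists only to satisfy gcc 10's maybe-uninitialized analysis for cpu_irqs[0], it should say so in the code, e.g. `/* Tell gcc 10 the loop below runs at least once and so initializes cpu_irqs[0]. */`, otherwise the bound 2 reads as a functional limit nobody documented. Unlike the other new patches in this request this one carries no `Git-commit:` line, so it is downstream-only; if upstream has a fix for the same warning, carrying that instead would avoid a permanent local diff.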
@@ -799,16 +799,17 @@ -M [isapc|microvm|pc-0.13|pc-1.0|pc-1.1|pc-1.2|pc-1.3|pc-i440fx-1.5| pc-i440fx-1.6|pc-i440fx-2.1|pc-i440fx-2.2|pc-i440fx-2.4|pc-i440fx-2.5| pc-i440fx-2.7|pc-i440fx-2.8|pc-i440fx-2.10|pc-i440fx-2.12|pc-i440fx-3.0| - pc-1440fx-4.0|pc-q35-1.4|pc-q35-1.5|pc-q35-1.6|pc-q35-1.7|pc-q35-2.0| - pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|pc-q35-2.4|pc-q35-2.5|pc-q35-2.7| - pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|pc-q35-3.0|pc-q35-4.0|pc-q35-4.1] + pc-i440fx-4.0|pc-i440fx-4.1|pc-q35-1.4|pc-q35-1.5|pc-q35-1.6|pc-q35-1.7| + pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|pc-q35-2.4|pc-q35-2.5| + pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|pc-q35-3.0|pc-q35-4.0| + pc-q35-4.1] -machine [isapc|microvm|pc-0.13|pc-1.0|pc-1.1|pc-1.2|pc-1.3|pc-i440fx-1.5| pc-i440fx-1.6|pc-i440fx-2.1|pc-i440fx-2.2|pc-i440fx-2.4| pc-i440fx-2.5|pc-i440fx-2.7|pc-i440fx-2.8|pc-i440fx-2.10| - pc-i440fx-2.12|pc-i440fx-3.0|pc-i440fx-4.0|pc-q35-1.4|pc-q35-1.5| - pc-q35-1.6|pc-q35-1.7|pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3| - pc-q35-2.4|pc-q35-2.5|pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12| - pc-q35-3.0|pc-q35-4.0|pc-q35-4.1] + pc-i440fx-2.12|pc-i440fx-3.0|pc-i440fx-4.0|pc-i440fx-4.1|pc-q35-1.4| + pc-q35-1.5|pc-q35-1.6|pc-q35-1.7|pc-q35-2.0|pc-q35-2.1|pc-q35-2.2| + pc-q35-2.3|pc-q35-2.4|pc-q35-2.5|pc-q35-2.7|pc-q35-2.8|pc-q35-2.10| + pc-q35-2.12|pc-q35-3.0|pc-q35-4.0|pc-q35-4.1] -mtdblock file -net [dump|socket|vde] ... -netdev [dump|hubport|l2tpv3|socket|vde] ...
