Re: [Qemu-devel] [PATCH] i2c-ddc: fix oob read

2019-01-08 Thread Michael Hanselmann
On 08.01.19 11:23, Gerd Hoffmann wrote:
> Suggested-by: Michael Hanselmann 
> Signed-off-by: Gerd Hoffmann 

Looks good to me.

Reviewed-by: Michael Hanselmann 





Re: [Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes

2018-12-28 Thread Michael Hanselmann
Hi Paolo

On 28.12.18 14:52, Paolo Bonzini wrote:
> On 27/12/18 12:51, Michael Hanselmann wrote:
>> The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions
>> to limit the length of data written. If a caller were able to manipulate
>> the "len" parameter they could potentially write before or after the
>> target buffer.
>> ---
>>  hw/i2c/smbus_eeprom.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
>> index f18aa3de35..74fa1c328c 100644
>> --- a/hw/i2c/smbus_eeprom.c
>> +++ b/hw/i2c/smbus_eeprom.c
>> @@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t 
>> cmd, uint8_t *buf, int l
>> It is a block write without a length byte.  Fortunately we
>> get the full block anyway.  */
>>  /* TODO: Should this set the current location?  */
>> +len &= 0xff;
>>  if (cmd + len > 256)
>>  n = 256 - cmd;
>>  else
>>
> 
> Note that len is limited to 33 bytes (smbus_do_write and smbus_i2c_send).

In practice it turns out to be the case. I thought I had discovered an
out-of-bounds write because hw/i2c/smbus.c:smbus_i2c_recv increases
dev->data_len unconditionally. The I2C controller implemented in
hw/i2c/aspeed_i2c.c and used by certain ARM board emulations allows
fine-grained control of the communication which allowed me to increase
data_len easily (up to and beyond an overflow if intended). It was only
the state machine in smbus.c which made it impossible to actually get to
a usable point in my experiment (increasing data_len requires
SMBUS_WRITE_DATA->SMBUS_READ_DATA, then the communication must be
stopped via NACK to avoid resetting data_len in I2C_FINISH, but there's
no way from SMBUS_DONE to SMBUS_WRITE_DATA).

Adding bitwise-and for 0xff defuses this particular situation regardless
of what state an attacker can bring the emulated devices into.

Best regards,
Michael





Re: [Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes

2018-12-28 Thread Michael Hanselmann
Hi Philippe

On 27.12.18 20:03, Philippe Mathieu-Daudé wrote:
> On Thu, Dec 27, 2018 at 12:53 PM Michael Hanselmann  wrote:
>  The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions
>  to limit the length of data written. If a caller were able to manipulate
>  the "len" parameter they could potentially write before or after the
>  target buffer.
> 
> You forgot to sign your commit:
> "Signed-off-by: Michael Hanselmann "

Indeed I did and I'm sorry.

Signed-off-by: Michael Hanselmann 

>> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
>> index f18aa3de35..74fa1c328c 100644
>> --- a/hw/i2c/smbus_eeprom.c
>> +++ b/hw/i2c/smbus_eeprom.c
>> @@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t 
>> cmd, uint8_t *buf, int l
>> It is a block write without a length byte.  Fortunately we
>> get the full block anyway.  */
>>  /* TODO: Should this set the current location?  */
>> +len &= 0xff;
>>  if (cmd + len > 256)
> 
> Corey Minyard sent a cleanup series [1] because this device model is
> known to be unsafe and needs a rewrite.
> There is a particular patch [2] which adds the SMBUS_EEPROM_SIZE definition.
> He also provided an attempt at cleaning this problem here [3] where
> Peter suggested to split it in fewer patches.

I agree with the assessment that the code as-is has room for
improvement, especially when it comes to the hardcoded sizes. My patch
is purely on top of the master branch (ca. QEMU 3.1.0).

Best regards,
Michael





[Qemu-devel] [PATCH] smbus_eeprom: Limit data writes to 255 bytes

2018-12-27 Thread Michael Hanselmann
The "eeprom_write_data" function in "smbus_eeprom.c" had no provisions
to limit the length of data written. If a caller were able to manipulate
the "len" parameter they could potentially write before or after the
target buffer.
---
 hw/i2c/smbus_eeprom.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
index f18aa3de35..74fa1c328c 100644
--- a/hw/i2c/smbus_eeprom.c
+++ b/hw/i2c/smbus_eeprom.c
@@ -76,6 +76,7 @@ static void eeprom_write_data(SMBusDevice *dev, uint8_t cmd, 
uint8_t *buf, int l
It is a block write without a length byte.  Fortunately we
get the full block anyway.  */
 /* TODO: Should this set the current location?  */
+len &= 0xff;
 if (cmd + len > 256)
 n = 256 - cmd;
 else
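Review bot: `len &= 0xff;` silently truncates an oversize length instead of rejecting it, so a caller passing len > 255 would have its data written under a wrong length rather than being refused; an explicit bounds check against the EEPROM array, with a comment saying why masking is considered sufficient here, would make the intent clearer. The literal 256 also appears twice in the visible context (`if (cmd + len > 256)` / `n = 256 - cmd;`) and would read better as a named size constant.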
-- 
2.11.0




[Qemu-devel] [PATCH] usb-mtp: Limit filename to object information size

2018-12-13 Thread Michael Hanselmann
The filename length in MTP metadata is specified by the guest. By
trusting it directly it'd theoretically be possible to get the host to
write memory parts outside the filename buffer into a filename. In
practice though there are usually NUL bytes stopping the string
operations.

Also use the opportunity to not assign the filename member twice.

Signed-off-by: Michael Hanselmann 
---
 hw/usb/dev-mtp.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..360ca65ee4 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -1705,7 +1705,7 @@ free:
 s->write_pending = false;
 }
 
-static void usb_mtp_write_metadata(MTPState *s)
+static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen)
 {
 MTPData *d = s->data_out;
 ObjectInfo *dataset = (ObjectInfo *)d->data;
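Review bot: the new `uint64_t dlen` parameter has no comment stating what it measures; say that it is the byte length of the received ObjectInfo dataset, since the bound computed from it in the next hunk depends on exactly that meaning.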
@@ -1717,7 +1717,8 @@ static void usb_mtp_write_metadata(MTPState *s)
 assert(!s->write_pending);
 assert(p != NULL);
 
-filename = utf16_to_str(dataset->length, dataset->filename);
+filename = utf16_to_str(MIN(dataset->length, dlen - offsetof(ObjectInfo, 
filename)),
+dataset->filename);
 
 if (strchr(filename, '/')) {
 usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
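Review bot: `dlen - offsetof(ObjectInfo, filename)` wraps to a huge value when dlen is smaller than the fixed part of ObjectInfo (dlen is unsigned), and MIN() then falls back to the guest-controlled dataset->length, which is the very value this patch means to bound; check that dlen is at least offsetof(ObjectInfo, filename) before the subtraction and return an error result otherwise. Also confirm the units: the difference is a byte count, while dataset->length is handed to utf16_to_str() as the string length; if that length counts 16-bit units, the byte remainder needs dividing by sizeof(uint16_t) or the bound is twice too generous.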
@@ -1733,7 +1734,6 @@ static void usb_mtp_write_metadata(MTPState *s)
 s->dataset.filename = filename;
 s->dataset.format = dataset->format;
 s->dataset.size = dataset->size;
-s->dataset.filename = filename;
 s->write_pending = true;
 
 if (s->dataset.format == FMT_ASSOCIATION) {
@@ -1802,7 +1802,7 @@ static void usb_mtp_get_data(MTPState *s, mtp_container 
*container,
 if (d->offset == d->length) {
 /* The operation might have already failed */
 if (!s->result) {
-usb_mtp_write_metadata(s);
+usb_mtp_write_metadata(s, dlen);
 }
 usb_mtp_data_free(s->data_out);
 s->data_out = NULL;
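Review bot: `dlen` is not defined anywhere in the visible context of this hunk; since the call sits under `if (d->offset == d->length)`, confirm that dlen is the total accumulated length of the dataset (the same quantity as d->length) rather than the size of the current container, otherwise the bound in usb_mtp_write_metadata() is computed against a partial transfer.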
-- 
2.11.0




Re: [Qemu-devel] [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

2018-12-13 Thread Michael Hanselmann
On 13.12.18 13:25, Gerd Hoffmann wrote:
> Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
> While being at it also add O_CLOEXEC.
> 
> usb-mtp only handles regular files and directories and ignores
> everything else, so users should not see a difference.
> 
> Because qemu ignores symlinks carrying out an successfull symlink attack

Minor typo: s/successfull/successful/

> requires swapping an existing file or directory below rootdir for a
> symlink and winning the race against the inotify notification to qemu.
> 
> Note that the impact of this bug is rather low when qemu is managed by
> libvirt due to qemu running sandboxed, so there isn't much you can gain
> access to that way.
> 
> Fixes: CVE-2018-pjp-please-get-one
> Cc: Prasad J Pandit 
> Cc: Bandan Das 
> Reported-by: Michael Hanselmann 
> Signed-off-by: Gerd Hoffmann 

Thanks for the patch!

Reviewed-by: Michael Hanselmann 

Best regards,
Michael



Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread Michael Hanselmann
On 06.12.18 09:48, P J P wrote:
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
> 
> Reported-by: Michael Hanselmann 

Considering that Li Qiang had already published his exploit for a couple
of hours (at the time of writing the URL is returning an HTTP 404, though
I'd seen it earlier) and with the patch being public, I decided to also
publish my report:

https://hansmi.ch/articles/2018-12-qemu-pm-smbus-oob

I'd like to thank Prasad and his colleagues at Red Hat for the quick
response to my report (patch committed within less than 18 hours).

Best regards,
Michael

-- 
https://hansmi.ch/





Re: [Qemu-devel] [PATCH] i2c: pm_smbus: check smb_index before block transfer write

2018-12-06 Thread Michael Hanselmann
On 06.12.18 09:48, P J P wrote:
> Reported-by: Michael Hanselmann 
> Signed-off-by: Prasad J Pandit 

Reviewed-by: Michael Hanselmann 

Best regards,
Michael



Re: [Qemu-devel] [PATCH for-3.1 2/2] usb-mtp: outlaw slashes in filenames

2018-12-01 Thread Michael Hanselmann
On 01.12.18 12:55, Philippe Mathieu-Daudé wrote:
> On 30/11/18 20:58, Eric Blake wrote:
>> On 11/30/18 1:08 PM, Philippe Mathieu-Daudé wrote:
>>> On 30/11/18 12:12, Gerd Hoffmann wrote:
>>>> Slash is unix directory separator, so they are not allowed in filenames.
>>>> Note this also stops the classic escape via "../".
>>>>
>>>> Fixes: CVE-2018-16867
>>>> Reported-by: Michael Hanselmann (hansmi.ch)
>>>
>>> It's common for scripts to match '', can you write this one as
>>> Michael Hanselmann ?
>>
>> That's not an email address, though. Do we have an email for Michael, or
>> just a username?
>>
> 
> I did not notice hehe :)
> 
> Per the gpg key: Michael Hanselmann 
> Per git commits: Michael Hanselmann 

It'd be  for this one. Thanks for asking!

Best regards,
Michael

-- 
https://hansmi.ch/





Re: [Qemu-devel] [PATCH] Update i440FX/PIIX3 emulation

2007-10-31 Thread Michael Hanselmann
Hi Avi

On Wed, Oct 31, 2007 at 03:17:04PM +0200, Avi Kivity wrote:
 --- bios/acpi-dsdt.dsl   28 Sep 2006 18:56:20 -  1.1
 +++ bios/acpi-dsdt.dsl   30 Oct 2007 23:52:22 -
 @@ -369,7 +369,7 @@ DefinitionBlock (
  Method (_STA, 0, NotSerialized)
  {
  Store (0x0B, Local0)
 -If (And (0x80, PRQ0, Local1))
 +If (And (0x80, PRQ0, Local0))
  {
   Store (0x09, Local0)
  }

 Can you explain this?

 The original code seems to return either 0xb (present, enabled, functional) 
 or 0x9 (present, functional).  The new code seems to return either 0x9 
 (present, functional) or 0 (if PRQ0 had its seventh bit clear).

 Am I reading the code incorrectly?

It looks like you're correct. Here's the same function from an HP
Pavilion laptop:

Method (_STA, 0, NotSerialized)
{
    If (And (PIRH, 0x80))
    {
        Return (0x09)
    }
    Return (0x0B)
}

Basically this means I have to go back to debug this stuff.

Sorry for the false alarm,
Michael

-- 
http://hansmi.ch/




Re: [Qemu-devel] [PATCH] Update i440FX/PIIX3 emulation

2007-10-30 Thread Michael Hanselmann
On Thu, Oct 25, 2007 at 12:42:22AM +0200, Michael Hanselmann wrote:
 The patch below updates the i440FX/PIIX3 emulation. It does:

I never got any reaction to that patch. Is it still awaiting review?

 This does not yet remove the workaround introduced by Igor Lvovsky's
 patch. However, I'm working on that since it, despite my earlier mail,
 seems to help with my ACPI shutdown problem.

So, I found the bug causing this behaviour. It turned out to be a
wrongly named variable in the ACPI DSDT from Bochs. See the patch for
Bochs below. I already sent it to the bochs-developers list[1].
qemu/pc-bios/bios.bin needs to be rebuilt from Bochs' code,
qemu/pc-bios/bios.diff and my patch.

The second patch below reverts the changes made by Igor Lvovsky. After
applying the patch to the BIOS, ACPI IRQs finally reach the system.

Finding this bug took me about four weeks of free time. However, I
learned a lot about the internals of a PC. :-)

Thanks,
Michael

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=20071031000835.GA20915%40hansmi.ch&forum_name=bochs-developers

---
Index: bios/acpi-dsdt.dsl
===
RCS file: /cvsroot/bochs/bochs/bios/acpi-dsdt.dsl,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 acpi-dsdt.dsl
--- bios/acpi-dsdt.dsl  28 Sep 2006 18:56:20 -  1.1
+++ bios/acpi-dsdt.dsl  30 Oct 2007 23:52:22 -
@@ -369,7 +369,7 @@ DefinitionBlock (
 Method (_STA, 0, NotSerialized)
 {
 Store (0x0B, Local0)
-If (And (0x80, PRQ0, Local1))
+If (And (0x80, PRQ0, Local0))
 {
  Store (0x09, Local0)
 }
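Review bot: this hunk (and the three identical ones for PRQ1, PRQ2 and PRQ3 below) changes the And() target to Local0, the same register that was loaded with 0x0B on the line before; the And result overwrites it, so with bit 7 of PRQ0 clear the method returns 0 (not present) instead of 0x0B, and with it set it returns 0x09 from the Store. The original target Local1 left the status value intact, so this change should be dropped rather than applied.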
@@ -416,7 +416,7 @@ DefinitionBlock (
 Method (_STA, 0, NotSerialized)
 {
 Store (0x0B, Local0)
-If (And (0x80, PRQ1, Local1))
+If (And (0x80, PRQ1, Local0))
 {
  Store (0x09, Local0)
 }
@@ -463,7 +463,7 @@ DefinitionBlock (
 Method (_STA, 0, NotSerialized)
 {
 Store (0x0B, Local0)
-If (And (0x80, PRQ2, Local1))
+If (And (0x80, PRQ2, Local0))
 {
  Store (0x09, Local0)
 }
@@ -510,7 +510,7 @@ DefinitionBlock (
 Method (_STA, 0, NotSerialized)
 {
 Store (0x0B, Local0)
-If (And (0x80, PRQ3, Local1))
+If (And (0x80, PRQ3, Local0))
 {
  Store (0x09, Local0)
 }

---
diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index 7c7d0f3..eabff8e 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -269,7 +269,6 @@ static void piix3_set_irq(qemu_irq *pic, int irq_num, int 
level)
 {
 int i, pic_irq, pic_level;
 
-piix3_dev-config[0x60 + irq_num] = ~0x80;
 pci_irq_levels[irq_num] = level;
 
 /* now we change the pic irq level according to the piix irq mappings */
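Review bot: removing the `config[0x60 + irq_num] ... ~0x80` line (bit 7 of the PIRQ route register, which the earlier posting of this line commented as the enable bit) means the register is no longer cleared on every interrupt, so this change only works together with a BIOS that carries the DSDT fix above; the commit message should record that ordering dependency (bios.bin rebuilt first), otherwise a bisect landing between the two changes leaves ACPI interrupts dead.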




[Qemu-devel] [PATCH] Update i440FX/PIIX3 emulation

2007-10-24 Thread Michael Hanselmann
The patch below updates the i440FX/PIIX3 emulation. It does:
- Add links to all datasheets containing the specifications
- Combine initialization functions for the PIIX, PIIX3 and PIIX4 chips
- Break apart long lists of magic values and name them
- Set more registers to their default values from the specs

Signed-off-by: Michael Hanselmann [EMAIL PROTECTED]

---
This does not yet remove the workaround introduced by Igor Lvovsky's
patch. However, I'm working on that since it, despite my earlier mail,
seems to help with my ACPI shutdown problem.

Greets,
Michael

Index: hw/piix_pci.c
===
RCS file: /sources/qemu/qemu/hw/piix_pci.c,v
retrieving revision 1.12
diff -u -p -r1.12 piix_pci.c
--- hw/piix_pci.c   20 Oct 2007 20:36:52 -  1.12
+++ hw/piix_pci.c   24 Oct 2007 22:39:41 -
@@ -22,12 +22,37 @@
  * THE SOFTWARE.
  */
 
+/*
+ * Datasheets:
+ * - 82371FB (PIIX) and 82371SB (PIIX3) PCI ISA IDE Xcelerator
+ *   http://www.intel.com/design/intarch/datashts/290550.htm
+ * - 82371AB PCI-TO-ISA/IDE Xcelerator (PIIX4)
+ *   http://www.intel.com/design/intarch/datashts/290562.htm
+ * - 82371SB (PIIX3) PCIset Specification Update
+ *   http://www.intel.com/design/chipsets/specupdt/297658.htm
+ * - 82371EB (PIIX4E) Specification Update
+ *   http://developer.intel.com/design/chipsets/specupdt/290635.htm
+ * - 82371AB PIIX4, 82371EB PIIX4E and 82371MB PIIX4M Specification Update
+ *   http://www.intel.com/design/chipsets/specupdt/297738.htm
+ * - 440FX PCIset - 82441FX PCI and Memory Controller (PMC) and 82442FX Data
+ *   Bus Accelerator (DBX) Datasheet
+ *   http://developer.intel.com/design/chipsets/datashts/290549.htm
+ * - 440FX PCIset 82441FX (PMC) and 82442FX (DBX) Specification Update
+ *   http://developer.intel.com/design/chipsets/specupdt/297654.htm
+ */
+
 #include vl.h
 typedef uint32_t pci_addr_t;
 #include pci_host.h
 
 typedef PCIHostState I440FXState;
 
+enum PCIChip {
+PIIX,
+PIIX3,
+PIIX4
+};
+
 static void i440fx_addr_writel(void* opaque, uint32_t addr, uint32_t val)
 {
 I440FXState *s = opaque;
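Review bot: the new `enum PCIChip` values PIIX, PIIX3 and PIIX4 are bare global identifiers with no prefix and are not used anywhere in this hunk; a `PIIX_TYPE_`-style prefix, plus a one-line comment pointing at where the enum is consumed, would avoid clashes with existing names and let this hunk be read on its own.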
@@ -178,16 +203,52 @@ PCIBus *i440fx_init(PCIDevice **pi440fx_
 d = pci_register_device(b, i440FX, sizeof(PCIDevice), 0,
 NULL, i440fx_write_config);
 
-d-config[0x00] = 0x86; // vendor_id
+/* Vendor Identification */
+d-config[0x00] = 0x86; /* Intel */
 d-config[0x01] = 0x80;
-d-config[0x02] = 0x37; // device_id
+
+/* Device Identification */
+d-config[0x02] = 0x37;
 d-config[0x03] = 0x12;
-d-config[0x08] = 0x02; // revision
+
+/* PCI Command Register */
+d-config[0x04] = 0x06;
+d-config[0x05] = 0x00;
+
+/* PCI Status Register */
+d-config[0x06] = 0x00; /* Default would be 0x80, but we don't support
+   fast back-to-back transactions as described
+   in the 440FX datasheet. */
+d-config[0x07] = 0x02;
+
+/* Revision Identification */
+d-config[0x08] = 0x02;
+
+/* Class Code */
 d-config[0x0a] = 0x00; // class_sub = host2pci
 d-config[0x0b] = 0x06; // class_base = PCI_bridge
-d-config[0x0e] = 0x00; // header_type
 
-d-config[0x72] = 0x02; /* SMRAM */
+/* Header Type */
+d-config[0x0e] = 0x00;
+
+/* PMC Configuration */
+d-config[0x50] = 0x02;
+d-config[0x51] = 0x00;
+
+/* DBX Buffer Control */
+d-config[0x53] = 0x80;
+
+/* DRAM Control */
+d-config[0x57] = 0x01;
+
+/* DRAM Timing */
+d-config[0x58] = 0x10;
+
+/* CPU Latency Timer */
+d-config[0x71] = 0x10;
+
+/* System Management RAM Control */
+d-config[0x72] = 0x02;
 
 register_savevm(I440FX, 0, 1, i440fx_save, i440fx_load, d);
 *pi440fx_state = d;
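Review bot: the hunk mixes comment styles, adding `/* ... */` register headings while leaving the `// class_sub = host2pci` and `// class_base = PCI_bridge` lines untouched; convert those two while the block is being rewritten. Several new writes store the value a freshly allocated config space already holds (0x05, 0x0e and 0x51 set to 0x00); that is fine as documentation of the datasheet defaults, but a one-line comment saying so saves the next reader from hunting for a reason.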
@@ -208,7 +269,7 @@ static void piix3_set_irq(qemu_irq *pic,
 {
 int i, pic_irq, pic_level;
 
-piix3_dev-config[0x60 + irq_num] = ~0x80;   // enable bit
+piix3_dev-config[0x60 + irq_num] = ~0x80;
 pci_irq_levels[irq_num] = level;
 
 /* now we change the pic irq level according to the piix irq mappings */
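Review bot: the only change in this hunk is the removal of the `// enable bit` comment from the `~0x80` line, which was the sole explanation of why bit 7 of config[0x60 + irq_num] is touched on every IRQ change; if the comment was inaccurate, replace it with the register's datasheet name (PIRQx Route Control) instead of deleting it.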
@@ -226,160 +287,195 @@ static void piix3_set_irq(qemu_irq *pic,
 }
 }
 
-static void piix3_reset(PCIDevice *d)
+static void piix_save(QEMUFile* f, void *opaque)
 {
-uint8_t *pci_conf = d-config;
+PCIDevice *d = opaque;
+pci_device_save(d, f);
+}
 
-pci_conf[0x04] = 0x07; // master, memory and I/O
-pci_conf[0x05] = 0x00;
-pci_conf[0x06] = 0x00;
-pci_conf[0x07] = 0x02; // PCI_status_devsel_medium
-pci_conf[0x4c] = 0x4d;
-pci_conf[0x4e] = 0x03;
-pci_conf[0x4f] = 0x00;
-pci_conf[0x60] = 0x80;
-pci_conf[0x69] = 0x02;
-pci_conf[0x70] = 0x80;
-pci_conf[0x76] = 0x0c;
-pci_conf[0x77] = 0x0c;
-pci_conf[0x78] = 0x02;
-pci_conf[0x79] = 0x00;
-pci_conf[0x80] = 0x00;
-pci_conf[0x82] = 0x00;
-pci_conf[0xa0] = 0x08;
-pci_conf[0xa2] = 0x00;
-pci_conf[0xa3] = 0x00;
-pci_conf[0xa4
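Review bot: this hunk is cut off in the archive at `-pci_conf[0xa4`, so the replacement for the removed piix3_reset() cannot be reviewed here; the visible part replaces a reset handler with piix_save(), so please confirm that the register defaults piix3_reset() used to apply (0x04 through 0xa4) are still restored on a guest reset and not only at initialization, otherwise a reboot keeps whatever the guest last wrote.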

Re: [Qemu-devel] qemu/hw piix_pci.c

2007-10-22 Thread Michael Hanselmann
On Mon, Oct 22, 2007 at 12:52:30AM -0700, Igor Lvovsky wrote:
 My last patch can be a temporary workaround and now we can get the ACPI
 interrupts without disrupting anything else, but I'll try to find a full
 solution for this issue.

Interestingly, Linux doesn't receive any interrupts from ACPI either.
There must be something wrong with the hardware emulation.

At [1] you can find a question I sent to this list, but didn't get a
response. Just yesterday I started working on it again and it still
doesn't work, even with your patch. Before I start going through all the
ACPI specs and the Linux driver's code, do you have an idea what might
be the problem?

Thanks,
Michael

[1] http://lists.gnu.org/archive/html/qemu-devel/2007-06/msg00450.html

-- 
http://hansmi.ch/




Re: [Qemu-devel] What is the best way to control qemu on a remote box?

2007-07-27 Thread Michael Hanselmann
On Fri, Jul 27, 2007 at 09:22:08AM -0700, n schembr wrote:
 Is system_powerdown a better way to stop the host?  Is
 system_powerdown a soft operation like the ATX power supply?  It did
 not work with a smoothwall guest.

It would be, but it is not implemented for x86. I've been working on it
using ACPI, but gave up after an enquiry about IRQ handling on this list
went unanswered and a related patch was ignored.

Greets,
Michael

-- 
http://hansmi.ch/




Re: [Qemu-devel] [PATCH] Implement ACPI specs 3.0, 4.7.2.5

2007-07-18 Thread Michael Hanselmann
On Tue, Jun 26, 2007 at 10:32:23PM +0200, Michael Hanselmann wrote:
 The patch below implements ACPI_ENABLE and ACPI_DISABLE as described in
 section 4.7.2.5 of the ACPI 3.0 specs.

Has this patch been ignored by accident or is there something wrong with
it?

Thanks,
Michael

-- 
http://hansmi.ch/




[Qemu-devel] Problem with triggering interrupts

2007-06-28 Thread Michael Hanselmann
Hello

I'm trying to implement the “system_powerdown” command for i386/x86_64.
After way too much time, I now have to hope that someone else can
help me; I just don't get it anymore. Due to the available
infrastructure, I decided to use an ACPI power button event. You can
find my current patches for qemu and the bochs BIOS below.

The code itself sets the interrupt, but unfortunately, it never reaches
the system inside qemu. For tests, I tried setting sci_level = 1, and
suddenly, it gets received and shuts down the system. Does anyone know
what I'm doing wrong here?

Thanks a lot,
Michael

---
diff -u -b -B -r1.254 vl.h
--- vl.h25 Jun 2007 10:57:10 -  1.254
+++ vl.h28 Jun 2007 19:56:45 -
@@ -136,11 +136,12 @@
 void qemu_system_reset_request(void);
 void qemu_system_shutdown_request(void);
 void qemu_system_powerdown_request(void);
-#if !defined(TARGET_SPARC)
+#if defined(TARGET_I386) || defined(TARGET_X86_64) || \
+defined(TARGET_SPARC)
+void qemu_system_powerdown(void);
+#else
 // Please implement a power failure function to signal the OS
 #define qemu_system_powerdown() do{}while(0)
-#else
-void qemu_system_powerdown(void);
 #endif
 
 void main_loop_wait(int timeout);
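Review bot: the target list `TARGET_I386 || TARGET_X86_64` guarding the qemu_system_powerdown() prototype here is repeated verbatim in hw/acpi.c (twice in the patch below); a single feature macro defined in one place would keep the three sites from drifting when another target gains an implementation.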
Index: hw/acpi.c
===
RCS file: /sources/qemu/qemu/hw/acpi.c,v
retrieving revision 1.12
diff -u -b -B -r1.12 acpi.c
--- hw/acpi.c   28 May 2007 21:01:02 -  1.12
+++ hw/acpi.c   28 Jun 2007 19:56:45 -
@@ -98,6 +98,26 @@
 }
 }
 
+#if defined(TARGET_I386) || defined(TARGET_X86_64)
+static PIIX4PMState *powerdown_piix4 = NULL;
+
+void qemu_system_powerdown(void)
+{
+PIIX4PMState *s;
+
+if (powerdown_piix4 == NULL) {
+return;
+}
+
+s = powerdown_piix4;
+
+if (s-pmen  PWRBTN_EN) {
+s-pmsts |= PWRBTN_EN;
+pm_update_sci(s);
+}
+}
+#endif
+
 static void pm_tmr_timer(void *opaque)
 {
 PIIX4PMState *s = opaque;
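Review bot: `s->pmsts |= PWRBTN_EN` sets a bit in the status register using the enable-register macro; even if the PIIX4 places PWRBTN_STS and PWRBTN_EN at the same bit position, define and use a PWRBTN_STS constant so the intent (latch the power-button status, then let pm_update_sci() raise the SCI if enabled) is readable. The silent return when powerdown_piix4 is NULL drops the request without a trace; a log line there would help when diagnosing a powerdown that never reaches the guest, as described in this mail.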
@@ -495,5 +515,12 @@
 register_savevm(piix4_pm, 0, 1, pm_save, pm_load, s);
 
 s-smbus = i2c_init_bus();
+
+#if defined(TARGET_I386) || defined(TARGET_X86_64)
+if (powerdown_piix4 == NULL) {
+powerdown_piix4 = s;
+}
+#endif
+
 return s-smbus;
 }



diff -rpu bochs-20070617.orig/bios/rombios32.c bochs-20070617/bios/rombios32.c
--- bochs-20070617.orig/bios/rombios32.c2007-06-17 09:37:11.0 
+0200
+++ bochs-20070617/bios/rombios32.c 2007-06-28 21:59:18.0 +0200
@@ -861,6 +861,11 @@ static void mptable_init(void)
 int ioapic_id, i, len;
 int mp_config_table_size;
 
+#ifdef BX_QEMU
+if (smp_cpus = 1)
+return;
+#endif
+
 #ifdef BX_USE_EBDA_TABLES
 mp_config_table = (uint8_t *)(ram_size - ACPI_DATA_SIZE - 
MPTABLE_MAX_SIZE);
 #else
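Review bot: the `#ifdef BX_QEMU` early return from mptable_init() is unrelated to the power-button change this mail is about and carries no comment explaining why the MP table should be skipped for a single CPU; split it into its own patch with a rationale. Note that as printed in the archive the condition reads `smp_cpus = 1`, i.e. the relational operator has been lost, so the line should not be read as an assignment.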
@@ -1285,6 +1290,7 @@ void acpi_bios_init(void)
 rsdp-checksum = acpi_checksum((void *)rsdp, 20);
 
 /* RSDT */
+memset(rsdt, 0, sizeof(*rsdt));
 rsdt-table_offset_entry[0] = cpu_to_le32(fadt_addr);
 rsdt-table_offset_entry[1] = cpu_to_le32(madt_addr);
 acpi_build_table_header((struct acpi_table_header *)rsdt, 
@@ -1310,7 +1316,7 @@ void acpi_bios_init(void)
 fadt-plvl3_lat = cpu_to_le16(50);
 fadt-plvl3_lat = cpu_to_le16(50);
 /* WBINVD + PROC_C1 + PWR_BUTTON + SLP_BUTTON + FIX_RTC */
-fadt-flags = cpu_to_le32((1  0) | (1  2) | (1  4) | (1  5) | (1 
 6));
+fadt-flags = cpu_to_le32((1  0) | (1  2) | (0  4) | (1  5) | (1 
 6));
 acpi_build_table_header((struct acpi_table_header *)fadt, FACP, 
 sizeof(*fadt));
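Review bot: the comment above the flags still lists PWR_BUTTON, but the change turns the fourth term into a zero shift, clearing that flag; update the comment to say the fixed-feature power button (PM1 status bit) is now used instead, and drop the zero term rather than leaving a no-op in the expression. As printed in the archive the shift operators in these two lines are missing.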
 
diff -rpu bochs-20070617.orig/bios/rombios.h bochs-20070617/bios/rombios.h
--- bochs-20070617.orig/bios/rombios.h  2007-02-20 10:36:55.0 +0100
+++ bochs-20070617/bios/rombios.h   2007-06-17 21:59:46.0 +0200
@@ -19,7 +19,7 @@
 //  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 
USA
 
 /* define it to include QEMU specific code */
-//#define BX_QEMU
+#define BX_QEMU
 
 #ifndef LEGACY
 #  define BX_ROMBIOS32 1
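Review bot: changing `//#define BX_QEMU` to `#define BX_QEMU` flips the default for every Bochs build, not just the BIOS built for QEMU; this looks like a local build setting that belongs on the compiler command line or in the build, not in the committed patch.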




[Qemu-devel] [PATCH] Implement ACPI specs 3.0, 4.7.2.5

2007-06-26 Thread Michael Hanselmann
The patch below implements ACPI_ENABLE and ACPI_DISABLE as described in
section 4.7.2.5 of the ACPI 3.0 specs.

Signed-off-by: Michael Hanselmann [EMAIL PROTECTED]

Greets,
Michael

---
Index: hw/acpi.c
===
RCS file: /sources/qemu/qemu/hw/acpi.c,v
retrieving revision 1.12
diff -u -b -B -r1.12 acpi.c
--- hw/acpi.c   28 May 2007 21:01:02 -  1.12
+++ hw/acpi.c   26 Jun 2007 20:29:19 -
@@ -54,6 +54,9 @@
 
 #define SUS_EN (1  13)
 
+#define ACPI_ENABLE 0xf1
+#define ACPI_DISABLE 0xf0
+
 #define SMBHSTSTS 0x00
 #define SMBHSTCNT 0x02
 #define SMBHSTCMD 0x03
@@ -216,6 +219,14 @@
 #endif
 if (addr == 0) {
 s-apmc = val;
+
+/* ACPI specs 3.0, 4.7.2.5 */
+if (val == ACPI_ENABLE) {
+s-pmcntrl |= SCI_EN;
+} else if (val == ACPI_DISABLE) {
+s-pmcntrl = ~SCI_EN;
+}
+
 if (s-dev.config[0x5b]  (1  1)) {
 cpu_interrupt(first_cpu, CPU_INTERRUPT_SMI);
 }
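Review bot: the ACPI_ENABLE/ACPI_DISABLE values 0xf1/0xf0 are only meaningful if they match the ACPI_ENABLE and ACPI_DISABLE fields the BIOS advertises in its FADT; add a comment next to the defines recording that dependency. The new handling also runs before the existing config[0x5b] SMI check, so a write of either value both toggles SCI_EN and, when that bit is set, raises an SMI; say in a comment that this is intended, since on real hardware the SCI_EN toggle is done by the SMI handler rather than by the chipset itself.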




[Qemu-devel] [PATCH] Implement ^W in readline.c

2007-06-22 Thread Michael Hanselmann
Hello

The patch below implements ^W (Ctrl+W) in readline.c, allowing it to be
used in the monitor.

Signed-off-by: Michael Hanselmann [EMAIL PROTECTED]

Greets,
Michael

---
Index: readline.c
===
RCS file: /sources/qemu/qemu/readline.c,v
retrieving revision 1.1
diff -u -b -B -r1.1 readline.c
--- readline.c  1 Aug 2004 21:52:19 -   1.1
+++ readline.c  22 Jun 2007 22:17:47 -
@@ -156,6 +156,45 @@
 }
 }
 
+static void term_backword(void)
+{
+int start;
+
+if (term_cmd_buf_index == 0 || term_cmd_buf_index  term_cmd_buf_size) {
+return;
+}
+
+start = term_cmd_buf_index - 1;
+
+/* find first word (backwards) */
+while (start  0) {
+if (!isspace(term_cmd_buf[start])) {
+break;
+}
+
+--start;
+}
+
+/* find first space (backwards) */
+while (start  0) {
+if (isspace(term_cmd_buf[start])) {
+++start;
+break;
+}
+
+--start;
+}
+
+/* remove word */
+if (start  term_cmd_buf_index) {
+memmove(term_cmd_buf + start,
+term_cmd_buf + term_cmd_buf_index,
+term_cmd_buf_size - term_cmd_buf_index);
+term_cmd_buf_size -= term_cmd_buf_index - start;
+term_cmd_buf_index = start;
+}
+}
+
 static void term_bol(void)
 {
 term_cmd_buf_index = 0;
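Review bot: `isspace()` is called on a plain `char` taken from term_cmd_buf; cast to `unsigned char` to avoid undefined behaviour for bytes above 0x7f, and confirm `<ctype.h>` is included (not visible in the hunk). The early return when the index lies past the buffer size hides an inconsistent state that would be better asserted. Note that in the archive the relational operators in the guard and in both `while (start ... 0)` loops are missing.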
@@ -338,6 +377,10 @@
 /* NOTE: readline_start can be called here */
 term_readline_func(term_readline_opaque, term_cmd_buf);
 break;
+case 23:
+/* ^W */
+term_backword();
+break;
 case 27:
 term_esc_state = IS_ESC;
 break;