+if (!(s-handler-mask (INPUT_EVENT_MASK_REL |
+ INPUT_EVENT_MASK_ABS))) {
+monitor_printf(mon, Input device '%s' is not a mouse,
+ s-handler-name);
That should be error_report (I think, Markus?).
Otherwise the
ivshmem can talk to a server over a UNIX domain socket on the host. We should
validate inputs from the server to prevent crashes or memory corruption.
Stefan Hajnoczi (2):
ivshmem: check ivshmem_read() size argument
ivshmem: validate incoming_posn value from server
hw/misc/ivshmem.c | 16
The third argument to the fd_read() callback implemented by
ivshmem_read() is the number of bytes, not a flags field. Fix this and
check we received enough bytes before accessing the buffer pointer.
Cc: Cam Macdonell c...@cs.ualberta.ca
Reported-by: Sebastian Krahmer krah...@suse.de
Check incoming_posn to avoid out-of-bounds array accesses if the ivshmem
server on the host sends invalid values.
Cc: Cam Macdonell c...@cs.ualberta.ca
Reported-by: Sebastian Krahmer krah...@suse.de
Signed-off-by: Stefan Hajnoczi stefa...@redhat.com
---
hw/misc/ivshmem.c | 9 +
1 file
On Fri, Mar 28, 2014 at 08:26:26PM -0400, Jeff Cody wrote:
On Sat, Mar 29, 2014 at 12:22:58AM +0100, Max Reitz wrote:
On 26.03.2014 13:06, Stefan Hajnoczi wrote:
+echo Test 7: Block Size != 1MB; too large test (1MB + 1)
+poke_file $TEST_IMG $bs_offset \x00\x00\x11\x00 # invalid (too
On Fri, Mar 28, 2014 at 10:55:51AM +0100, Stefan Hajnoczi wrote:
v3:
* Add Stefan Weil's test-aio fix patch [Stefan Weil]
* Patch 3 commit description s/The causes targets/This causes make targets/
[Stefan Weil]
v2:
* Use ifeq instead of using *-n [Andreas]
make check is broken on
Hi Alex,
Yes, that's exactly what I was looking for. Thanks.
Qasim
On Fri, Mar 28, 2014 at 4:22 PM, Alex Bennée alex.ben...@linaro.org wrote:
Qasim Maqbool qasim.maqb...@gmail.com writes:
Hi,
I need to add a few command line options to QEMU. However, I am yet to
determine how QEMU
Public bug reported:
hi,
when I load a snapshot from a month ago using the loadvm <name> command, the VM system
time is the past time, not recovered to the current time.
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml,
Hi,
My patch
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e3c1adf16e38714ebd761dd02517dd07760ba6d2
has fixed this issue.
Best regards,
-Gonglei
From: qemu-devel-bounces+arei.gonglei=huawei@nongnu.org
[mailto:qemu-devel-bounces+arei.gonglei=huawei@nongnu.org] On Behalf Of
Hi Mark,
I have done some more testing on this and am giving up. It is very fuzzy. It seems to
work on MacOSX and Linux hosts with Qemu 1.7 and
Qemu 2.0rc0 when the load of the system is under 2-3. If it is higher, sometimes
the deadlock occurs.
So I think we can close the bug and hope nobody is
On Sat, Aug 3, 2013 at 2:30 AM, Vincenzo Maffione v.maffi...@gmail.comwrote:
This patch partially implements the e1000 interrupt mitigation mechanisms.
Using a single QEMUTimer, it emulates the ITR register (which is the newer
mitigation register, recommended by Intel) and approximately
Am 31.03.2014 09:26, schrieb Stefan Hajnoczi:
On Fri, Mar 28, 2014 at 10:55:51AM +0100, Stefan Hajnoczi wrote:
v3:
* Add Stefan Weil's test-aio fix patch [Stefan Weil]
* Patch 3 commit description s/The causes targets/This causes make targets/
[Stefan Weil]
v2:
* Use ifeq instead of
Peter,
Am 23.01.2014 17:22, schrieb Peter Maydell:
Rather than requiring every new architecture to remember to add a line
to the Makefile to say that qom-test will work on it, autogenerate
the list of supported architectures by looking at the files in
default-configs (as configure does), and
Am 31.03.2014 03:25, schrieb Alexey Kardashevskiy:
On 03/24/2014 05:24 PM, Alexey Kardashevskiy wrote:
btw while grepping through the code, I found dump_ppc_sprs() which prints
this (first chunk is what my patch adds and the second chunk is from
dump_ppc_sprs()):
No one has an opinion?
Is there a better name than 'tcg_itype' ? Putting 'type' in the
name of a type is a bit redundant, and suggests it contains
a type rather than an insn.
I'm open to suggestions there as well. On x86 and ia64, it won't hold an
entire insn, so tcg_insn seemed inappropriate.
On 31 March 2014 09:10, Andreas Färber afaer...@suse.de wrote:
Am 23.01.2014 17:22, schrieb Peter Maydell:
+# Get the list of all supported sysemu targets
+SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
+ $(wildcard $(SRC_PATH)/default-configs/*-softmmu.mak)))
+
check-unit-y =
Am 31.03.2014 10:28, schrieb Peter Maydell:
On 31 March 2014 09:10, Andreas Färber afaer...@suse.de wrote:
Am 23.01.2014 17:22, schrieb Peter Maydell:
+# Get the list of all supported sysemu targets
+SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
+ $(wildcard
I've seen a very similar problem on our installation. Have you tried to
run with kvm-clock explicitly disabled (either via no-kvmclock in
guest kernel or with -kvm-clock in qemu) ?
No, I haven't tried it yet (I've confirmed kvm-clock is currently
being used). I'll have a look at it.
Did it help
On 31 March 2014 09:33, Andreas Färber afaer...@suse.de wrote:
What does that prove? I said qom-test, not check-qtest-x86_64. :)
You need to run `make check-qtest-x86_64 V=1` to see it.
Ah, gotcha. I guess we do need to stick some kind of uniqueness
filter in somewhere.
thanks
-- PMM
On 03/31/2014 07:24 PM, Andreas Färber wrote:
Am 31.03.2014 03:25, schrieb Alexey Kardashevskiy:
On 03/24/2014 05:24 PM, Alexey Kardashevskiy wrote:
btw while grepping through the code, I found dump_ppc_sprs() which prints
this (first chunk is what my patch adds and the second chunk is from
On Fri, Mar 28, 2014 at 11:08:58PM +0530, Prasad Joshi wrote:
Signed-off-by: Prasad Joshi prasadjoshi.li...@gmail.com
---
block/qcow2.c | 4
1 file changed, 4 insertions(+)
Thanks, applied to my block tree:
https://github.com/stefanha/qemu/commits/block
Stefan
This minimizes QEMUMachine usage, as part of machine QOM-ification.
Signed-off-by: Marcel Apfelbaum marce...@redhat.com
---
include/hw/xen/xen.h| 2 +-
include/qemu/typedefs.h | 1 +
include/sysemu/kvm.h| 2 +-
include/sysemu/qtest.h | 2 +-
kvm-all.c | 6 +++---
In order to eliminate the QEMUMachine indirection,
add its fields directly to MachineClass.
Do not remove the qemu_machine field yet because it is
already in use by spapr.
Signed-off-by: Marcel Apfelbaum marce...@redhat.com
---
include/hw/boards.h | 23 +++
1 file changed, 23
No need to go through qemu_machine field. Use
MachineClass fields directly.
Signed-off-by: Marcel Apfelbaum marce...@redhat.com
---
device-hotplug.c | 2 +-
qmp.c| 4 +--
vl.c | 103 ---
3 files changed, 63
All the references of QEMUMachine are already
replaced by MachineClass.
Signed-off-by: Marcel Apfelbaum marce...@redhat.com
---
include/hw/boards.h | 7 +++
vl.c| 3 +--
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/include/hw/boards.h b/include/hw/boards.h
No need for QEMUMachine anymore because
its fields are passed to MachineClass.
Signed-off-by: Marcel Apfelbaum marce...@redhat.com
---
hw/ppc/spapr.c | 26 +++---
1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index
V1 - V2:
- Addressed Paolo's comments:
- replaced commas by semicolons on patch 4/5.
- Rebased to master.
This is a continuation of 'QEMU Machine as QOM object' effort.
The scope of this series is to allow machine QOM-ification
of all machines gradually, by removing the need for
* (chenliang0...@icloud.com) wrote:
It is OK; we just need to guarantee that the pages in the cache are the same as the
pages on the dest side.
Don't care about whether they are the same as the src side, because the modified
pages during this
time will be sent next time.
It's an interesting, if
On 31 March 2014 09:50, Alexey Kardashevskiy a...@ozlabs.ru wrote:
On 03/31/2014 07:24 PM, Andreas Färber wrote:
Am 31.03.2014 03:25, schrieb Alexey Kardashevskiy:
No one has an opinion? Come on! :)
We're in Hard Freeze!!! :-| There's more important works than post-2.0
debug infos ATM.
Hi
Please, send any topic that you are interested in covering.
Thanks, Juan.
Call details:
10:00 AM to 11:00 AM EDT
Every two weeks
If you need phone number details, contact me privately.
Commit 3687d5325 accidentally resulted in our running qom-test twice
for x86_64, once directly via the wildcard, and once because x86_64
includes all the i386 qtests (which includes qom-test). Run the list
of qtests through $(sort) to remove duplicates so we only ever run
a qtest once.
On 03/31/2014 09:07 PM, Peter Maydell wrote:
On 31 March 2014 09:50, Alexey Kardashevskiy a...@ozlabs.ru wrote:
On 03/31/2014 07:24 PM, Andreas Färber wrote:
Am 31.03.2014 03:25, schrieb Alexey Kardashevskiy:
No one has an opinion? Come on! :)
We're in Hard Freeze!!! :-| There's more
Hi,
Am 31.03.2014 12:40, schrieb Juan Quintela:
Please, send any topic that you are interested in covering.
I would like to discuss the state of the QEMU release process, please:
* -rc1 has not been tagged.
* Who besides Anthony could upload a tarball if we tag and create it?
* make-release
On Fr, 2014-03-28 at 15:37 +0100, Frederic Konrad wrote:
Hi everybody,
I didn't see anything on the list about that.
I get this bug in the current git.
I configured qemu with the following command line:
./configure --target-list=ppc-softmmu
I ran QEMU with the following command line:
On 31/03/2014 13:30, Gerd Hoffmann wrote:
On Fr, 2014-03-28 at 15:37 +0100, Frederic Konrad wrote:
Hi everybody,
I didn't see anything on the list about that.
I get this bug in the current git.
I configured qemu with the following command line:
./configure --target-list=ppc-softmmu
I ran
From: ChenLiang chenlian...@huawei.com
The logic of the old code is correct. But checking byte by byte will
consume time after a concurrency scene.
Reported-by: Dr. David Alan Gilbert dgilb...@redhat.com
Signed-off-by: ChenLiang chenlian...@huawei.com
Signed-off-by: Gonglei arei.gong...@huawei.com
From: ChenLiang chenlian...@huawei.com
It is risky to run xbzrle_encode_buffer on changing data.
Changes since v1:
* avoid getting stuck in a loop
* check 8 bytes at a time after a concurrency scene
ChenLiang (2):
xbzrle: don't check the value in the vm ram repeatedly
xbzrle: check 8 bytes at a
From: ChenLiang chenlian...@huawei.com
xbzrle_encode_buffer checks the value in the vm ram repeatedly.
It is risky to run xbzrle_encode_buffer on changing data.
And it is not necessary.
Reported-by: Dr. David Alan Gilbert dgilb...@redhat.com
Signed-off-by: ChenLiang chenlian...@huawei.com
On Mon, Mar 31, 2014 at 12:51:31PM +0200, Andreas Färber wrote:
Am 31.03.2014 12:40, schrieb Juan Quintela:
Please, send any topic that you are interested in covering.
I would like to discuss the state of the QEMU release process, please:
* -rc1 has not been tagged.
* Who besides
On Thu, Mar 27, 2014 at 02:58:32PM -, Mark Wood-Patrick wrote:
Public bug reported:
With qemu-2.0.0-rc0 on CentOS release 5.7 (Final) I get
make: *** No rule to make target `trace/generated-events.h', needed by
`Makefile'. Stop.
Please try make distclean and then ./configure and make
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
This introduces an NMI (non maskable interrupt) callback per CPU class
which QMP's nmi command may use to issue NMI on a CPU.
Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru
---
hmp-commands.hx | 4 +---
include/qom/cpu.h | 1 +
2
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru
---
target-i386/cpu.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 8fd1497..35f20e0 100644
--- a/target-i386/cpu.c
+++
Chen Gang gang.chen.5...@gmail.com writes:
Hello Maintainers:
If it is necessary to send patch v2 by me, please let me know, I
will/should send.
Not a maintainer, but if you send a v2 with an improved commit message,
I'll R-by it, which can only help getting it merged.
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru
---
target-ppc/cpu-qom.h| 1 +
target-ppc/excp_helper.c| 2 +-
target-ppc/translate_init.c | 18 ++
3 files changed, 20 insertions(+), 1 deletion(-)
diff
Gerd Hoffmann kra...@redhat.com writes:
+if (!(s-handler-mask (INPUT_EVENT_MASK_REL |
+ INPUT_EVENT_MASK_ABS))) {
+monitor_printf(mon, Input device '%s' is not a mouse,
+ s-handler-name);
That should be
On 03/28/2014 01:51 PM, Alexey Kardashevskiy wrote:
Signed-off-by: Alexey Kardashevskiy a...@ozlabs.ru
Missing patch description.
Also, this patch should be among the first in your patch set. It makes
review a lot easier on code movements like this when you always remove
and add back the
On 03/31/2014 08:38 PM, Markus Armbruster wrote:
Chen Gang gang.chen.5...@gmail.com writes:
Hello Maintainers:
If it is necessary to send patch v2 by me, please let me know, I
will/should send.
Not a maintainer, but if you send a v2 with an improved commit message,
I'll R-by it, which
On 31 March 2014 13:53, Chen Gang gang.chen.5...@gmail.com wrote:
On 03/31/2014 08:38 PM, Markus Armbruster wrote:
Chen Gang gang.chen.5...@gmail.com writes:
Hello Maintainers:
If it is necessary to send patch v2 by me, please let me know, I
will/should send.
Not a maintainer, but if you
On 03/31/2014 09:01 PM, Peter Maydell wrote:
On 31 March 2014 13:53, Chen Gang gang.chen.5...@gmail.com wrote:
On 03/31/2014 08:38 PM, Markus Armbruster wrote:
Chen Gang gang.chen.5...@gmail.com writes:
Hello Maintainers:
If it is necessary to send patch v2 by me, please let me know, I
On 31 March 2014 14:12, Chen Gang gang.chen.5...@gmail.com wrote:
Next, when I send trivial patches, I will/should cc to qemu-trivial. I
guess, most of my future patches will be trivial patches (and for me,
trivial != minor).
We describe on the wiki what we mean by 'trivial':
On 31/03/14 12:51, Andreas Färber wrote:
Hi,
Am 31.03.2014 12:40, schrieb Juan Quintela:
Please, send any topic that you are interested in covering.
I would like to discuss the state of the QEMU release process, please:
* -rc1 has not been tagged.
* Who besides Anthony could upload a
On 31 March 2014 14:21, Christian Borntraeger borntrae...@de.ibm.com wrote:
Another thing might be the release process in general. Currently it seems
that everybody tries to push everything just before the hard freeze. I had
to debug some problems introduced _after_ soft freeze. Is there some
On 03/31/2014 09:16 PM, Peter Maydell wrote:
On 31 March 2014 14:12, Chen Gang gang.chen.5...@gmail.com wrote:
Next, when I send trivial patches, I will/should cc to qemu-trivial. I
guess, most of my future patches will be trivial patches (and for me,
trivial != minor).
We describe on the
On 03/24/2014 07:24 AM, Alexey Kardashevskiy wrote:
On 03/23/2014 01:43 AM, Stuart Brady wrote:
On Sat, Mar 22, 2014 at 11:25:49PM +1100, Alexey Kardashevskiy wrote:
This adds printing of all SPR registers registered for a CPU.
This removes SPR_ prefix from SPR name to reduce the output.
Cc:
On 31 March 2014 14:26, Chen Gang gang.chen.5...@gmail.com wrote:
Next, when I send trivial patches, I will only send to qemu-trivial (not
send/cc to qemu-devel again), that will be more efficient. :-)
No, please always send to qemu-devel; just also cc qemu-trivial
(or the relevant subsystem
On Mon, Mar 31, 2014 at 6:25 AM, Peter Maydell peter.mayd...@linaro.org wrote:
On 31 March 2014 14:21, Christian Borntraeger borntrae...@de.ibm.com wrote:
Another thing might be the release process in general. Currently it seems
that everybody tries to push everything just before the hard
Changes from previous version:
Rewritten input validation in multiple patches using the new
VMSTATE_VALIDATE macro.
Addressed review comments from Peter Maydell,
Andreas Färber, Don Koch and Dr. David Alan Gilbert.
The following is the list of patches unmodified from v1:
move size offset and number of elements math out
to functions, to reduce code duplication.
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
vmstate.c | 97 ++-
1 file changed, 52 insertions(+), 45 deletions(-)
diff --git
Can be used to verify a required field exists or validate
state in some other way.
Signed-off-by: Michael S. Tsirkin m...@redhat.com
Reviewed-by: Dr. David Alan Gilbert dgilb...@redhat.com
---
include/migration/vmstate.h | 1 +
vmstate.c | 10 ++
2 files changed, 11
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c
Deals with loading a corrupted savevm image.
n->mac_table.in_use = qemu_get_be32(f);
in_use is int so it can get negative when assigned 32bit unsigned value.
/* MAC_TABLE_ENTRIES may be
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
} else if (n->mac_table.in_use) {
uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
qemu_get_buffer(f, buf,
CVE-2013-4532
s->tx_fifo_len is read from the wire and later used as an index into
s->tx_fifo[] when a DATA command is issued by the guest. If
s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
than 0, the buffer can be overrun/underrun by arbitrary data written out
by the guest upon
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
include/migration/vmstate.h | 8
1 file changed, 8 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index de970ab..5b71370 100644
---
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
if (n->max_queues > 1) {
if (n->max_queues != qemu_get_be16(f)) {
error_report(virtio-net: different max_queues );
return -1;
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori anth...@codemonkey.ws
Signed-off-by: Michael S. Tsirkin m...@redhat.com
Reviewed-by: Dr. David Alan
From: Michael Roth mdr...@linux.vnet.ibm.com
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to validate the value
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin m...@redhat.com
Reported-by: Anthony Liguori anth...@codemonkey.ws
Signed-off-by: Michael S. Tsirkin
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger than we
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possibly this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indices into
framebuffer array.
To fix validate after load.
Signed-off-by: Michael S.
CVE-2013-4532
s->tx_frame_len is read from the wire and can later be used as an index
into s->tx_fifo[] for memset() when a DATA command is issued by the guest.
In this case s->tx_frame_len is checked to avoid an overrun, but if the
value is negative a subsequently executed guest can underrun the
From: Michael Roth mdr...@linux.vnet.ibm.com
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent
CVE-2013-4532
s->next_packet is read from wire as an index into s->rx[]. If
s->next_packet exceeds the length of s->rx[], the buffer can be
subsequently overrun with arbitrary data from the wire.
Fix this by failing migration if s->next_packet we read from
the wire exceeds this.
Similarly, validate
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber afaer...@suse.de
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
From: Dmitry Fleytman dmi...@daynix.com
CVE-2013-4544
Signed-off-by: Dmitry Fleytman dmi...@daynix.com
Reported-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/net/vmxnet3.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/net/vmxnet3.c
From: Gerd Hoffmann kra...@redhat.com
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked against data_buf size.
Il 31/03/2014 16:01, Anthony Liguori ha scritto:
merge window has been suggested before. I think it would be
a terrible idea for QEMU, personally. We're not the kernel in
many ways, notably dev community size and a greater tendency
to changes that have effects across the whole tree.
Soft +
From: Dmitry Fleytman dmi...@daynix.com
CVE-2013-4544
Signed-off-by: Dmitry Fleytman dmi...@daynix.com
Reported-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/net/vmxnet3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
savevm will segfault if version_id < vmsd->minimum_version_id and
version_id >= vmsd->minimum_version_id_old.
This calls through a NULL pointer. This is a bug (should
exit not crash).
Reviewed-by: Andreas Färber afaer...@suse.de
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
vmstate.c | 3 +++
From: Dmitry Fleytman dmi...@daynix.com
CVE-2013-4544
Signed-off-by: Dmitry Fleytman dmi...@daynix.com
Reported-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/net/vmxnet3.c | 36 ++--
1 file changed, 34
From: Dmitry Fleytman dmi...@daynix.com
CVE-2013-4544
Signed-off-by: Dmitry Fleytman dmi...@daynix.com
Reported-by: Michael S. Tsirkin m...@redhat.com
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/net/vmxnet3.c | 13 -
1 file changed, 12 insertions(+), 1 deletion(-)
diff
On 31 March 2014 15:28, Paolo Bonzini pbonz...@redhat.com wrote:
I think it would be a good idea to separate the committer and release
manager roles. Peter is providing the community with a wonderful service,
just like you were; putting too much work on his shoulders risks getting us
in the
hi, all
From the aspect of QEMU, there are file and block disk types;
what is the final difference between the two types?
If its type is block and the source is a volume or physical disk, who finally
reads/writes the disk?
I thought block is raw format, so the raw driver will do the actual r/w; am I right?
CVE-2013-4537
s->arglen is taken from wire and used as idx
in ssi_sd_transfer().
Validate it before access.
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
hw/sd/ssi-sd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index 3273c8a..d9c4aee 100644
From: Anton Ivanov antiv...@cisco.com
This transport allows connecting a QEMU NIC to a static Ethernet
over L2TPv3 tunnel. The transport supports all options present
in the Linux kernel implementation. It allows QEMU to connect
to any Linux host running kernel 3.3+, most routers and network
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indices beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth
Am 31.03.2014 16:32, schrieb Peter Maydell:
On 31 March 2014 15:28, Paolo Bonzini pbonz...@redhat.com wrote:
I think it would be a good idea to separate the committer and release
manager roles. Peter is providing the community with a wonderful service,
just like you were; putting too much
On 03/28/2014 11:57 AM, Greg Kurz wrote:
From: Rusty Russell ru...@rustcorp.com.au
virtio data structures are defined as target endian, which assumes
that's a fixed value. In fact, that actually means it's platform-specific.
The OASIS virtio 1.0 spec will fix this, by making all little endian.
* Michael S. Tsirkin (m...@redhat.com) wrote:
move size offset and number of elements math out
to functions, to reduce code duplication.
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
vmstate.c | 97
++-
1 file changed,
On 31 March 2014 15:16, Michael S. Tsirkin m...@redhat.com wrote:
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin m...@redhat.com
Reported-by: Anthony
From: Petar Jovanovic petar.jovano...@imgtec.com
Flags NONBLOCK and CLOEXEC can have different values on the host and the
guest, so set correct host values before calling accept4().
This fixes several issues with accept4 system call and user-mode of QEMU.
Signed-off-by: Petar Jovanovic
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
On 31 March 2014 16:09, Petar Jovanovic petar.jovano...@rt-rk.com wrote:
From: Petar Jovanovic petar.jovano...@imgtec.com
Flags NONBLOCK and CLOEXEC can have different values on the host and the
guest, so set correct host values before calling accept4().
This fixes several issues with
On Mon, Mar 31, 2014 at 04:01:34PM +0100, Dr. David Alan Gilbert wrote:
* Michael S. Tsirkin (m...@redhat.com) wrote:
move size offset and number of elements math out
to functions, to reduce code duplication.
Signed-off-by: Michael S. Tsirkin m...@redhat.com
---
vmstate.c | 97
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
On 31 March 2014 15:17, Michael S. Tsirkin m...@redhat.com wrote:
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the
On 31 March 2014 15:16, Michael S. Tsirkin m...@redhat.com wrote:
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no