* [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

Hi everyone,

The following new patches are queued for QEMU stable v1.7.2:

  https://github.com/mdroth/qemu/commits/stable-1.7-staging

The release is planned for 2014-07-21:

  http://wiki.qemu.org/Planning/1.7

Please respond here or CC qemu-stable@nongnu.org on any patches
you think should be included in the release.

Testing/feedback is greatly appreciated.


As you may have noticed, the 1.7.2 stable release is late by
almost an entire release cycle. There were some important fixes
planned for 1.7.2 however, so hopefully better late than never.
Due to the delay the patch queue for this release is quite a bit
longer than usual, so anyone interested in this release is highly
encouraged to review/test.

2.0.1 has similarly slipped by half a release cycle, so 2.0.1 will
be going out on the originally planned release date for
2.0.2, and is the only planned stable release for the 2.0 series:

  http://wiki.qemu.org/Planning/2.0

My apologies for the delays. For 2.1.x, we should be back on track
for the normal stable release schedule (2.1.1 midway through 2.2
development, and 2.1.2 roughly coinciding with 2.2 release).

Thanks! 

----------------------------------------------------------------
Alexander Graf (3):
      kvmclock: Ensure time in migration never goes backward
      KVM: Fix GSI number space limit
      virtio-serial: don't migrate the config space

Alexey Kardashevskiy (1):
      spapr_pci: Fix number of returned vectors in ibm, change-msi

Andreas Färber (2):
      sdhci: Fix misuse of qemu_free_irqs()
      hw: Fix qemu_allocate_irqs() leaks

Benoît Canet (2):
      ide: Correct improper smart self test counter reset in ide core.
      block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.

ChenLiang (1):
      migration: remove duplicate code

Cornelia Huck (1):
      s390x/css: handle emw correctly for tsch

Cédric Le Goater (1):
      virtio-net: byteswap virtio-net header

David Hildenbrand (1):
      s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG

Dmitry Fleytman (4):
      vmxnet3: validate interrupt indices coming from guest
      vmxnet3: validate queues configuration coming from guest
      vmxnet3: validate interrupt indices read on migration
      vmxnet3: validate queues configuration read on migration

Dr. David Alan Gilbert (1):
      Fix vmstate_info_int32_le comparison/assign

Edgar E. Iglesias (1):
      target-arm: Make vbar_write 64bit friendly on 32bit hosts

Eduardo Habkost (1):
      target-i386: Filter FEAT_7_0_EBX TCG features too

Fam Zheng (2):
      scsi: Change scsi sense buf size to 252
      curl: check data size before memcpy to local buffer. (CVE-2014-0144)

Gal Hammer (1):
      char: restore read callback on a reattached (hotplug) chardev

Gonglei (1):
      qga: Fix handle fd leak in acquire_privilege()

Hani Benhabiles (5):
      usb: Fix usb-bt-dongle initialization.
      nbd: Don't export a block device with no medium.
      nbd: Don't validate from and len in NBD_CMD_DISC.
      nbd: Close socket on negotiation failure.
      nbd: Shutdown socket before closing.

Hannes Reinecke (1):
      megasas: Implement LD_LIST_QUERY

Hu Tao (1):
      qcow2: fix offset overflow in qcow2_alloc_clusters_at()

Jeff Cody (3):
      vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
      vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
      vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)

Kevin Wolf (35):
      qcow2: Flush metadata during read-only reopen
      block: Use BDRV_O_NO_BACKING where appropriate
      qemu-iotests: Support for bochs format
      bochs: Unify header structs and make them QEMU_PACKED
      bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
      bochs: Check catalog_size header field (CVE-2014-0143)
      bochs: Check extent_size header field (CVE-2014-0142)
      bochs: Fix bitmap offset calculation
      vpc: Validate block size (CVE-2014-0142)
      qcow2: Check header_length (CVE-2014-0144)
      qcow2: Check backing_file_offset (CVE-2014-0144)
      qcow2: Check refcount table size (CVE-2014-0144)
      qcow2: Validate refcount table offset
      qcow2: Validate snapshot table offset/size (CVE-2014-0144)
      qcow2: Validate active L1 table offset and size (CVE-2014-0144)
      qcow2: Fix backing file name length check
      qcow2: Zero-initialise first cluster for new images
      qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
      qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
      qcow2: Check new refcount table size on growth
      qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
      qcow2: Protect against some integer overflows in bdrv_check
      qcow2: Fix new L1 table size check (CVE-2014-0143)
      block: Limit request size (CVE-2014-0143)
      qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
      qcow2: Fix copy_sectors() with VM state
      qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
      qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
      parallels: Fix catalog size integer overflow (CVE-2014-0143)
      parallels: Sanity check for s->tracks (CVE-2014-0142)
      qcow1: Make padding in the header explicit
      qcow1: Check maximum cluster size
      qcow1: Validate L2 table size (CVE-2014-0222)
      qcow1: Validate image size (CVE-2014-0223)
      qcow1: Stricter backing file length check

Le Tan (1):
      pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()

Marcelo Tosatti (1):
      kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation

Markus Armbruster (10):
      scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b
      virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path
      blockdev: Plug memory leak in blockdev_init()
      blockdev: Plug memory leak in drive_init()
      block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR
      block/vvfat: Plug memory leak in check_directory_consistency()
      block/vvfat: Plug memory leak in read_directory()
      block/sheepdog: Plug memory leak in sd_snapshot_create()
      qemu-img: Plug memory leak in convert command
      vnc: Fix tight_detect_smooth_image() for lossless case

Max Filippov (1):
      target-xtensa: fix cross-page jumps/calls at the end of TB

Max Reitz (1):
      block-commit: speed is an optional parameter

Michael R. Hines (1):
      rdma: bug fixes

Michael Roth (3):
      virtio: avoid buffer overrun on incoming migration
      openpic: avoid buffer overrun on incoming migration
      qapi: zero-initialize all QMP command parameters

Michael S. Tsirkin (27):
      acpi: fix tables for no-hpet configuration
      vmstate: reduce code duplication
      vmstate: add VMS_MUST_EXIST
      vmstate: add VMSTATE_VALIDATE
      virtio-net: fix buffer overflow on invalid state load
      virtio-net: out-of-bounds buffer write on invalid state load
      virtio-net: out-of-bounds buffer write on load
      virtio: out-of-bounds buffer write on invalid state load
      ahci: fix buffer overrun on invalid state load
      hpet: fix buffer overrun on invalid state load
      hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
      pl022: fix buffer overun on invalid state load
      vmstate: fix buffer overflow in target-arm/machine.c
      virtio: validate num_sg when mapping
      pxa2xx: avoid buffer overrun on incoming migration
      ssi-sd: fix buffer overrun on invalid state load
      ssd0323: fix buffer overun on invalid state load
      tsc210x: fix buffer overrun on invalid state load
      zaurus: fix buffer overrun on invalid state load
      virtio-scsi: fix buffer overrun on invalid state load
      vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
      usb: sanity check setup_index+setup_len in post_load
      virtio: validate config_len on load
      stellaris_enet: block migration
      pci-assign: limit # of msix vectors
      virtio: allow mapping up to max queue size
      vhost: fix resource leak in error handling

Michael Tokarev (1):
      po/Makefile: fix $SRC_PATH reference

Paolo Bonzini (2):
      mirror: fix throttling delay calculation
      target-i386: fix set of registers zeroed on reset

Peter Crosthwaite (1):
      arm: translate.c: Fix smlald Instruction

Peter Lieven (2):
      block/iscsi: fix deadlock on scsi check condition
      migration: catch unknown flags in ram_load

Peter Maydell (9):
      hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
      hw/net/stellaris_enet: Correct handling of packet padding
      savevm: Ignore minimum_version_id_old if there is no load_state_old
      linux-user/elfload.c: Fix incorrect ARM HWCAP bits
      linux-user/elfload.c: Update ARM HWCAP bits
      linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32
      linux-user: Don't overrun guest buffer in sched_getaffinity
      target-arm: Fix errors in writes to generic timer control registers
      coroutine-win32.c: Add noinline attribute to work around gcc bug

Richard Henderson (3):
      target-i386: Fix CC_OP_CLR vs PF
      target-i386: Fix ucomis and comis memory access
      tcg-i386: Fix win64 qemu store

Stefan Fritsch (1):
      virtio-net: Do not filter VLANs without F_CTRL_VLAN

Stefan Hajnoczi (18):
      qom: Avoid leaking str and bool properties on failure
      tap: avoid deadlocking rx
      mirror: fix early wake from sleep due to aio
      qemu-iotests: add ./check -cloop support
      qemu-iotests: add cloop input validation tests
      block/cloop: validate block_size header field (CVE-2014-0144)
      block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
      block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
      block/cloop: refuse images with bogus offsets (CVE-2014-0144)
      block/cloop: fix offsets[] size off-by-one
      dmg: coding style and indentation cleanup
      dmg: prevent out-of-bounds array access on terminator
      dmg: drop broken bdrv_pread() loop
      dmg: use appropriate types when reading chunks
      dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
      dmg: use uint64_t consistently for sectors and lengths
      dmg: prevent chunk buffer overflow (CVE-2014-0145)
      aio: fix qemu_bh_schedule() bh->ctx race condition

Stefan Weil (3):
      tests: Fix 'make test' for i686 hosts (build regression)
      configure: Don't use __int128_t for clang versions before 3.2
      cputlb: Fix regression with TCG interpreter (bug 1310324)

Thomas Huth (2):
      s390x/virtio-hcall: Add range check for hypervisor call
      s390x/helper: Added format control bit to MMU translation

Ulrich Obergfell (1):
      scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c

 arch_init.c                                            |  96 ++++----
 async.c                                                |  14 +-
 block.c                                                |  40 ++--
 block/bochs.c                                          | 109 +++++----
 block/cloop.c                                          |  81 ++++++-
 block/curl.c                                           |   5 +
 block/dmg.c                                            | 275 +++++++++++++---------
 block/iscsi.c                                          |   5 +-
 block/mirror.c                                         |  37 +--
 block/parallels.c                                      |  14 +-
 block/qapi.c                                           |   1 +
 block/qcow.c                                           |  43 +++-
 block/qcow2-cluster.c                                  |  11 +-
 block/qcow2-refcount.c                                 | 119 ++++++----
 block/qcow2-snapshot.c                                 |  35 +--
 block/qcow2.c                                          | 198 ++++++++++++----
 block/qcow2.h                                          |  48 +++-
 block/sheepdog.c                                       |   4 +-
 block/vdi.c                                            |  31 ++-
 block/vhdx.c                                           |  12 +-
 block/vmdk.c                                           |   2 +-
 block/vpc.c                                            |  32 ++-
 block/vvfat.c                                          |   6 +-
 blockdev-nbd.c                                         |   9 +-
 blockdev.c                                             |  11 +-
 configure                                              |   5 +
 coroutine-win32.c                                      |  13 +-
 cputlb.c                                               |   6 +-
 docs/migration.txt                                     |  12 +-
 hw/arm/omap1.c                                         |  14 +-
 hw/arm/omap2.c                                         |   2 +-
 hw/arm/pxa2xx.c                                        |  12 +-
 hw/arm/spitz.c                                         |   4 +-
 hw/arm/z2.c                                            |   2 +-
 hw/char/virtio-serial-bus.c                            |  16 +-
 hw/core/irq.c                                          |   4 +-
 hw/display/ssd0323.c                                   |  24 ++
 hw/dma/omap_dma.c                                      |   4 +-
 hw/gpio/zaurus.c                                       |  10 +
 hw/i386/acpi-build.c                                   |   7 +-
 hw/i386/kvm/clock.c                                    |  52 ++++
 hw/i386/kvm/pci-assign.c                               |  12 +-
 hw/ide/ahci.c                                          |   2 +-
 hw/ide/core.c                                          |   2 +-
 hw/ide/microdrive.c                                    |   2 +-
 hw/input/tsc210x.c                                     |  12 +
 hw/intc/openpic.c                                      |  16 +-
 hw/misc/cbus.c                                         |   6 +-
 hw/net/stellaris_enet.c                                |  23 +-
 hw/net/virtio-net.c                                    |  43 +++-
 hw/net/vmxnet3.c                                       |  58 ++++-
 hw/pci/pci.c                                           |   6 +-
 hw/pci/pcie_aer.c                                      |  10 +-
 hw/pcmcia/pxa2xx.c                                     |   2 +-
 hw/ppc/spapr_pci.c                                     |  16 ++
 hw/s390x/css.c                                         |  24 +-
 hw/s390x/s390-virtio-hcall.c                           |  11 +-
 hw/scsi/megasas.c                                      |  17 ++
 hw/scsi/mfi.h                                          |   9 +
 hw/scsi/scsi-bus.c                                     |   2 +-
 hw/scsi/scsi-disk.c                                    |   2 +-
 hw/scsi/scsi-generic.c                                 |   2 -
 hw/scsi/spapr_vscsi.c                                  |   1 -
 hw/scsi/virtio-scsi.c                                  |  12 +-
 hw/sd/omap_mmc.c                                       |   2 +-
 hw/sd/sdhci.c                                          |   8 +-
 hw/sd/ssi-sd.c                                         |   9 +
 hw/sh4/sh7750.c                                        |   3 +-
 hw/ssi/pl022.c                                         |  14 ++
 hw/timer/hpet.c                                        |  13 +
 hw/timer/omap_gptimer.c                                |   4 +-
 hw/usb/bus.c                                           |   4 +-
 hw/usb/dev-bluetooth.c                                 |  24 +-
 hw/virtio/vhost.c                                      |  10 +-
 hw/virtio/virtio.c                                     |  25 +-
 include/hw/scsi/scsi.h                                 |   2 +-
 include/hw/virtio/virtio-net.h                         |   4 +-
 include/migration/vmstate.h                            |  11 +-
 kvm-all.c                                              |   2 +-
 linux-user/elfload.c                                   | 115 +++++++--
 linux-user/syscall.c                                   |  16 ++
 migration-rdma.c                                       |  20 +-
 migration.c                                            |   2 +-
 nbd.c                                                  |   7 +-
 net/tap.c                                              |   7 +-
 po/Makefile                                            |   4 +-
 qemu-char.c                                            |  17 +-
 qemu-img.c                                             |   2 +-
 qemu-nbd.c                                             |   5 +-
 qga/commands-win32.c                                   |   6 +-
 qom/object.c                                           |  14 +-
 savevm.c                                               | 136 ++++++-----
 scripts/qapi-commands.py                               |   2 +-
 target-arm/helper.c                                    |   8 +-
 target-arm/machine.c                                   |   2 +-
 target-arm/translate.c                                 |  34 ++-
 target-i386/cc_helper.c                                |   2 +-
 target-i386/cpu.c                                      |   5 +-
 target-i386/cpu.h                                      |   4 +-
 target-i386/translate.c                                |  46 +++-
 target-s390x/cpu.h                                     |   4 +
 target-s390x/helper.c                                  |  70 ++++--
 target-s390x/kvm.c                                     |  28 +++
 target-xtensa/translate.c                              |   4 +-
 tcg/i386/tcg-target.c                                  |   3 +-
 tests/qemu-iotests/026.out                             |   6 +-
 tests/qemu-iotests/029                                 |  40 +++-
 tests/qemu-iotests/029.out                             |  17 ++
 tests/qemu-iotests/039                                 |  20 ++
 tests/qemu-iotests/039.out                             |  11 +
 tests/qemu-iotests/044.out                             |   2 +-
 tests/qemu-iotests/075                                 | 106 +++++++++
 tests/qemu-iotests/075.out                             |  38 +++
 tests/qemu-iotests/076                                 |  76 ++++++
 tests/qemu-iotests/076.out                             |  18 ++
 tests/qemu-iotests/078                                 |  87 +++++++
 tests/qemu-iotests/078.out                             |  26 ++
 tests/qemu-iotests/080                                 | 180 ++++++++++++++
 tests/qemu-iotests/080.out                             |  83 +++++++
 tests/qemu-iotests/088                                 |  64 +++++
 tests/qemu-iotests/088.out                             |  17 ++
 tests/qemu-iotests/092                                 |  98 ++++++++
 tests/qemu-iotests/092.out                             |  38 +++
 tests/qemu-iotests/common                              |  21 ++
 tests/qemu-iotests/common.rc                           |   3 +
 tests/qemu-iotests/group                               |   6 +
 tests/qemu-iotests/sample_images/empty.bochs.bz2       | Bin 0 -> 118 bytes
 tests/qemu-iotests/sample_images/fake.parallels.bz2    | Bin 0 -> 141 bytes
 .../sample_images/simple-pattern.cloop.bz2             | Bin 0 -> 488 bytes
 tests/tcg/test_path.c                                  |  13 +-
 trace-events                                           |   3 +-
 ui/vnc-enc-tight.c                                     |   2 +-
 132 files changed, 2692 insertions(+), 696 deletions(-)
 create mode 100755 tests/qemu-iotests/075
 create mode 100644 tests/qemu-iotests/075.out
 create mode 100755 tests/qemu-iotests/076
 create mode 100644 tests/qemu-iotests/076.out
 create mode 100755 tests/qemu-iotests/078
 create mode 100644 tests/qemu-iotests/078.out
 create mode 100755 tests/qemu-iotests/080
 create mode 100644 tests/qemu-iotests/080.out
 create mode 100755 tests/qemu-iotests/088
 create mode 100644 tests/qemu-iotests/088.out
 create mode 100755 tests/qemu-iotests/092
 create mode 100644 tests/qemu-iotests/092.out
 create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
 create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
 create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2


* [Qemu-devel] [PATCH 001/156] char: restore read callback on a reattached (hotplug) chardev
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gal Hammer <ghammer@redhat.com>

Fix a bug that was introduced in commit 386a5a1e. A removal of a device
set the chr handlers to NULL. However when the device is plugged back,
its read callback is not restored so data can't be transferred from the
host to the guest (e.g. via the virtio-serial port).

https://bugzilla.redhat.com/show_bug.cgi?id=1027181

Signed-off-by: Gal Hammer <ghammer@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit ac1b84dd1e020648db82a99260891aa982d1142c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-char.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index e00f84c..1c0d648 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -213,7 +213,7 @@ void qemu_chr_add_handlers(CharDriverState *s,
     s->chr_read = fd_read;
     s->chr_event = fd_event;
     s->handler_opaque = opaque;
-    if (s->chr_update_read_handler)
+    if (fe_open && s->chr_update_read_handler)
         s->chr_update_read_handler(s);
 
     if (!s->explicit_fe_open) {
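Review bot: the touched line `if (fe_open && s->chr_update_read_handler)` still has no braces around its single-statement body; QEMU's checkpatch flags that, and since the line is being rewritten anyway this is the moment to add them. A one-line comment stating why the update is now gated on fe_open would also help: when the frontend is not open the read watch is deliberately left unarmed and has to be installed later through chr_update_read_handler on reattach, which is the point of the fix and is not obvious from the condition alone.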
@@ -1136,13 +1136,14 @@ static void pty_chr_state(CharDriverState *chr, int connected)
         if (!s->connected) {
             s->connected = 1;
             qemu_chr_be_generic_open(chr);
+        }
+        if (!chr->fd_in_tag) {
             chr->fd_in_tag = io_add_watch_poll(s->fd, pty_chr_read_poll,
                                                pty_chr_read, chr);
         }
     }
 }
 
-
 static void pty_chr_close(struct CharDriverState *chr)
 {
     PtyCharDriver *s = chr->opaque;
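Review bot: splitting the watch installation out of the `if (!s->connected)` block makes pty_chr_state re-arm the read poll whenever `chr->fd_in_tag` is NULL, so correctness now depends on every path that drops the handlers also clearing fd_in_tag (remove_fd_in_watch or equivalent); if some path leaves a stale tag behind, the device stays without a read watch after reattach, which is exactly the symptom being fixed. A short comment above `if (!chr->fd_in_tag)` documenting that invariant would help the next reader. The deleted blank line before pty_chr_close is an unrelated whitespace change and belongs in a separate cleanup.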
@@ -2510,6 +2511,17 @@ static void tcp_chr_connect(void *opaque)
     qemu_chr_be_generic_open(chr);
 }
 
+static void tcp_chr_update_read_handler(CharDriverState *chr)
+{
+    TCPCharDriver *s = chr->opaque;
+
+    remove_fd_in_watch(chr);
+    if (s->chan) {
+        chr->fd_in_tag = io_add_watch_poll(s->chan, tcp_chr_read_poll,
+                                           tcp_chr_read, chr);
+    }
+}
+
 #define IACSET(x,a,b,c) x[0] = a; x[1] = b; x[2] = c;
 static void tcp_chr_telnet_init(int fd)
 {
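Review bot: tcp_chr_update_read_handler calls remove_fd_in_watch(chr) unconditionally and only re-adds the watch when `s->chan` is set, which makes it safe to call before a connection exists but also means it silently drops the watch in that case; a comment stating where the watch is installed when the socket first connects (presumably tcp_chr_connect, whose tail is visible above) would document that. The function also mirrors the pty logic rather than sharing it; if a third driver needs the same hotplug re-arm, a common helper keyed on fd_in_tag would avoid another copy.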
@@ -2665,6 +2677,7 @@ static CharDriverState *qemu_chr_open_socket_fd(int fd, bool do_nodelay,
     chr->get_msgfd = tcp_get_msgfd;
     chr->chr_add_client = tcp_chr_add_client;
     chr->chr_add_watch = tcp_chr_add_watch;
+    chr->chr_update_read_handler = tcp_chr_update_read_handler;
     /* be isn't opened until we get a connection */
     chr->explicit_be_open = true;
 
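Review bot: the callback is registered in qemu_chr_open_socket_fd only; if TCPCharDriver instances are created through any other constructor they will not get the hotplug re-arm, so verify this is the single entry point. The pre-existing comment `/* be isn't opened until we get a connection */` directly below the new line is a natural place to add that chr_update_read_handler is likewise a no-op until `s->chan` exists.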
-- 
1.9.1


* [Qemu-devel] [PATCH 002/156] scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

The transfer length depends on field BYTCHK, which is encoded in byte
1, bits 1..2.  However, the guard for case BYTCHK=11b doesn't
work, and we get case 01b instead.  Fix it.

Note that since emulated scsi-hd fails the command outright, it takes
SCSI passthrough of a device that actually implements VERIFY with
BYTCHK=11b to make the bug bite.

Screwed up in commit d12ad44.  Spotted by Coverity.

Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7ef8cf9a0861b6f67f5e57428478c31bfd811651)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index b04438b..48286ef 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -909,7 +909,7 @@ static int scsi_req_length(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf)
     case VERIFY_16:
         if ((buf[1] & 2) == 0) {
             cmd->xfer = 0;
-        } else if ((buf[1] & 4) == 1) {
+        } else if ((buf[1] & 4) != 0) {
             cmd->xfer = 1;
         }
         cmd->xfer *= dev->blocksize;
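Review bot: the fix is right: `buf[1] & 4` evaluates to 0 or 4, never 1, so the old `== 1` branch was dead and BYTCHK=11b fell through to the BYTCHK=01b transfer length. Because the chain has no final else, the 01b case keeps the length computed earlier in scsi_req_length, which is the intent but is easy to misread; a short comment spelling out the three cases (bit 1 clear: no data; bit 2 set: one block; otherwise: the CDB length) would make it less likely that a future cleanup reintroduces the same bug. A qtest issuing VERIFY with BYTCHK=11b would have caught this before Coverity did.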
-- 
1.9.1


* [Qemu-devel] [PATCH 003/156] block/iscsi: fix deadlock on scsi check condition
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Lieven <pl@kamp.de>

The retry logic was broken because the complete status
of the task structure was not reset. This resulted in
an infinite loop retrying the command over and over.

CC: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 837c390137193e715fee20b35c0ddb164b1c4fa4)

Conflicts:
	block/iscsi.c

*only modified retry clauses present before 063c3378

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/iscsi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index a410a28..75a4001 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -143,12 +143,13 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
 
     if (iTask->retries-- > 0 && status == SCSI_STATUS_CHECK_CONDITION
         && task->sense.key == SCSI_SENSE_UNIT_ATTENTION) {
+        error_report("iSCSI CheckCondition: %s", iscsi_get_error(iscsi));
         iTask->do_retry = 1;
         goto out;
     }
 
     if (status != SCSI_STATUS_GOOD) {
-        error_report("iSCSI: Failure. %s", iscsi_get_error(iscsi));
+        error_report("iSCSI Failure: %s", iscsi_get_error(iscsi));
     }
 
 out:
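Review bot: `error_report()` on every unit-attention retry prints once per attempt while `iTask->retries` counts down, which can be noisy on targets that return UNIT ATTENTION routinely after a reconnect; a trace point, or a single message on the final failed attempt, would be quieter. The text change from `iSCSI: Failure. %s` to `iSCSI Failure: %s` also alters a log line that monitoring may match on; if that is intentional it deserves a mention in the commit message.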
@@ -868,6 +869,7 @@ retry:
             scsi_free_scsi_task(iTask.task);
             iTask.task = NULL;
         }
+        iTask.complete = 0;
         goto retry;
     }
 
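Review bot: resetting `iTask.complete = 0` before `goto retry` is the actual fix for the spin described in the commit message, but it is done by hand at each retry site; a small helper that reinitialises every per-attempt field of the task (complete, do_retry, task) would stop a future retry clause from missing one, and the conflict note about clauses added after 063c3378 shows that risk is real. Only `complete` is cleared here; if `do_retry` is not cleared elsewhere before the command is reissued, confirm that the callback always rewrites it.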
@@ -964,6 +966,7 @@ retry:
         }
 
         if (iTask.do_retry) {
+            iTask.complete = 0;
             goto retry;
         }
 
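Review bot: same reset as in the previous retry clause; `iTask.do_retry` is left set when jumping back to retry, so the loop relies on iscsi_co_generic_cb overwriting it on the next completion. Clearing both `complete` and `do_retry` here (or in a shared reset helper) would make the retry condition self-evidently correct rather than dependent on callback behaviour that is not visible at this site.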
-- 
1.9.1


* [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Thomas Huth <thuth@linux.vnet.ibm.com>

The handler for diag 500 did not check whether the requested function
was in the supported range, so illegal values could crash QEMU in the
worst case.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
CC: qemu-stable@nongnu.org
(cherry picked from commit f2c55d1735175ab37ab9f69854460087112d2756)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/s390-virtio-hcall.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/s390x/s390-virtio-hcall.c b/hw/s390x/s390-virtio-hcall.c
index ee62649..0e328d8 100644
--- a/hw/s390x/s390-virtio-hcall.c
+++ b/hw/s390x/s390-virtio-hcall.c
@@ -26,11 +26,14 @@ void s390_register_virtio_hypercall(uint64_t code, s390_virtio_fn fn)
 
 int s390_virtio_hypercall(CPUS390XState *env)
 {
-    s390_virtio_fn fn = s390_diag500_table[env->regs[1]];
+    s390_virtio_fn fn;
 
-    if (!fn) {
-        return -EINVAL;
+    if (env->regs[1] < MAX_DIAG_SUBCODES) {
+        fn = s390_diag500_table[env->regs[1]];
+        if (fn) {
+            return fn(&env->regs[2]);
+        }
     }
 
-    return fn(&env->regs[2]);
+    return -EINVAL;
 }
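Review bot: the bound check `env->regs[1] < MAX_DIAG_SUBCODES` is correct against a guest-controlled 64-bit index only if MAX_DIAG_SUBCODES equals the real length of s390_diag500_table; using ARRAY_SIZE(s390_diag500_table), or a static assertion tying the two together, would keep them from drifting. The same range check belongs in s390_register_virtio_hypercall, whose signature is visible in the hunk header and which presumably stores `fn` at index `code` on the registration side. Returning -EINVAL for an out-of-range subcode is the right choice, since the guest already has to handle that value for an unregistered function.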
-- 
1.9.1


* [Qemu-devel] [PATCH 005/156] target-i386: Fix CC_OP_CLR vs PF
@ 2014-07-08 17:16 Michael Roth
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Richard Henderson <rth@twiddle.net>

Parity should be set for a zero result.

Cc: qemu-stable@nongnu.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit d2fe51bda8adf33d07c21e034fdc13a1e1fa4e19)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/cc_helper.c | 2 +-
 target-i386/translate.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-i386/cc_helper.c b/target-i386/cc_helper.c
index ee04092..05dd12b 100644
--- a/target-i386/cc_helper.c
+++ b/target-i386/cc_helper.c
@@ -103,7 +103,7 @@ target_ulong helper_cc_compute_all(target_ulong dst, target_ulong src1,
     case CC_OP_EFLAGS:
         return src1;
     case CC_OP_CLR:
-        return CC_Z;
+        return CC_Z | CC_P;
 
     case CC_OP_MULB:
         return compute_all_mulb(dst, src1);
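Review bot: `CC_Z | CC_P` now has to stay in sync between helper_cc_compute_all here and gen_compute_eflags in translate.c; a shared macro for the CC_OP_CLR flag set (hypothetical name `CC_OP_CLR_FLAGS`) would keep a future flag fix from needing two edits. A short comment that a zero result has even parity, hence PF set, would also explain the constant to the next reader.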
diff --git a/target-i386/translate.c b/target-i386/translate.c
index 7916e5b..b19ea14 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -915,7 +915,7 @@ static void gen_compute_eflags(DisasContext *s)
         return;
     }
     if (s->cc_op == CC_OP_CLR) {
-        tcg_gen_movi_tl(cpu_cc_src, CC_Z);
+        tcg_gen_movi_tl(cpu_cc_src, CC_Z | CC_P);
         set_cc_op(s, CC_OP_EFLAGS);
         return;
     }
-- 
1.9.1


* [Qemu-devel] [PATCH 006/156] target-i386: Fix ucomis and comis memory access
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (4 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 005/156] target-i386: Fix CC_OP_CLR vs PF Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 007/156] scsi: Change scsi sense buf size to 252 Michael Roth
                   ` (150 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Richard Henderson <rth@twiddle.net>

We were loading 16 bytes for both single and double-precision
scalar comparisons.

Reported-by: Alexander Bluhm <bluhm@openbsd.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit cb48da7f8140b5cbb648d990876720da9cd04d8f)

Conflicts:
	target-i386/translate.c

*removed dependency on 323d1876

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/translate.c | 44 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index b19ea14..4a25486 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -4565,21 +4565,47 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
         if (is_xmm) {
             op1_offset = offsetof(CPUX86State,xmm_regs[reg]);
             if (mod != 3) {
+                int sz = 4;
+
                 gen_lea_modrm(env, s, modrm, &reg_addr, &offset_addr);
                 op2_offset = offsetof(CPUX86State,xmm_t0);
-                if (b1 >= 2 && ((b >= 0x50 && b <= 0x5f && b != 0x5b) ||
-                                b == 0xc2)) {
-                    /* specific case for SSE single instructions */
+
+                switch (b) {
+                case 0x50 ... 0x5a:
+                case 0x5c ... 0x5f:
+                case 0xc2:
+                    /* Most sse scalar operations.  */
                     if (b1 == 2) {
-                        /* 32 bit access */
-                        gen_op_ld_T0_A0(OT_LONG + s->mem_index);
-                        tcg_gen_st32_tl(cpu_T[0], cpu_env, offsetof(CPUX86State,xmm_t0.XMM_L(0)));
+                        sz = 2;
+                    } else if (b1 == 3) {
+                        sz = 3;
+                    }
+                    break;
+
+                case 0x2e:  /* ucomis[sd] */
+                case 0x2f:  /* comis[sd] */
+                    if (b1 == 0) {
+                        sz = 2;
                     } else {
-                        /* 64 bit access */
-                        gen_ldq_env_A0(s->mem_index, offsetof(CPUX86State,xmm_t0.XMM_D(0)));
+                        sz = 3;
                     }
-                } else {
+                    break;
+                }
+
+                switch (sz) {
+                case 2:
+                    /* 32 bit access */
+                    gen_op_ld_T0_A0(OT_LONG + s->mem_index);
+                    tcg_gen_st32_tl(cpu_T[0], cpu_env, offsetof(CPUX86State,xmm_t0.XMM_L(0)));
+                    break;
+                case 3:
+                    /* 64 bit access */
+                    gen_ldq_env_A0(s->mem_index, offsetof(CPUX86State,xmm_t0.XMM_D(0)));
+                    break;
+                default:
+                    /* 128 bit access */
                     gen_ldo_env_A0(s->mem_index, op2_offset);
+                    break;
                 }
             } else {
                 rm = (modrm & 7) | REX_B(s);
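Review bot: sz mixes two encodings: 2 and 3 follow the OT_LONG/OT_QUAD numbering the load helpers use, while the initial 4 stands for a 128-bit access that only the `default:` label handles. Either comment the convention at `int sz = 4;` or use named values so the second switch reads without consulting the helpers. The first case list deliberately skips 0x5b, matching the removed `b != 0x5b` test; that is worth stating in the `/* Most sse scalar operations.  */` comment.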
-- 
1.9.1


* [Qemu-devel] [PATCH 007/156] scsi: Change scsi sense buf size to 252
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (5 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 006/156] target-i386: Fix ucomis and comis memory access Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure Michael Roth
                   ` (149 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Fam Zheng <famz@redhat.com>

Current buffer size fails the assertion check like

    hw/scsi/scsi-bus.c:1655:    assert(req->sense_len <= sizeof(req->sense));

when backend (block/iscsi.c) returns more data than 96.

Exercise the core dump path by booting a Gentoo ISO with scsi-generic
device backed with iscsi (built with libiscsi 1.7.0):

    x86_64-softmmu/qemu-system-x86_64 \
    -drive file=iscsi://localhost:3260/iqn.foobar/0,if=none,id=drive-disk \
    -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 \
    -device scsi-generic,drive=drive-disk,bus=scsi1.0,id=iscsi-disk \
    -boot d \
    -cdrom gentoo.iso

    qemu-system-x86_64: hw/scsi/scsi-bus.c:1655: scsi_req_complete:
    Assertion `req->sense_len <= sizeof(req->sense)' failed.

According to SPC-4, section 4.5.2.1, 252 is the limit of sense data. So
increase the value to fix it.

Also remove duplicated define for the macro.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c5f52875b980e54e6bebad6121c76863356e1d7f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-generic.c | 2 --
 hw/scsi/spapr_vscsi.c  | 1 -
 include/hw/scsi/scsi.h | 2 +-
 3 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 8f195be..4967e47 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -37,8 +37,6 @@ do { fprintf(stderr, "scsi-generic: " fmt , ## __VA_ARGS__); } while (0)
 #include <scsi/sg.h>
 #include "block/scsi.h"
 
-#define SCSI_SENSE_BUF_SIZE 96
-
 #define SG_ERR_DRIVER_TIMEOUT  0x06
 #define SG_ERR_DRIVER_SENSE    0x08
 
diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index c0c46d7..e8bca39 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -60,7 +60,6 @@
 #define VSCSI_MAX_SECTORS       4096
 #define VSCSI_REQ_LIMIT         24
 
-#define SCSI_SENSE_BUF_SIZE     96
 #define SRP_RSP_SENSE_DATA_LEN  18
 
 typedef union vscsi_crq {
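Review bot: with the local definition gone, spapr_vscsi.c depends on picking up SCSI_SENSE_BUF_SIZE from include/hw/scsi/scsi.h; the hunk does not show that include, so confirm it precedes the first use. The neighbouring `SRP_RSP_SENSE_DATA_LEN  18` suggests this file copies at most 18 bytes of sense into the SRP response, so the larger buffer is harmless here, but a comment noting that truncation would help.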
diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
index 76f6ac2..2e0554c 100644
--- a/include/hw/scsi/scsi.h
+++ b/include/hw/scsi/scsi.h
@@ -31,7 +31,7 @@ typedef struct SCSISense {
     uint8_t ascq;
 } SCSISense;
 
-#define SCSI_SENSE_BUF_SIZE 96
+#define SCSI_SENSE_BUF_SIZE 252
 
 struct SCSICommand {
     uint8_t buf[SCSI_CMD_BUF_SIZE];
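Review bot: raising the limit to 252 fixes the observed abort for sense data up to the SPC-4 maximum, but the `assert(req->sense_len <= sizeof(req->sense))` quoted in the commit message is still an abort path driven by backend-supplied length; the code that copies sense into req->sense should clamp to SCSI_SENSE_BUF_SIZE rather than rely on the assert. Since the macro sizes an array inside every SCSIRequest, also check any other code that hard-coded the old 96-byte size.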
-- 
1.9.1


* [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (6 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 007/156] scsi: Change scsi sense buf size to 252 Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx Michael Roth
                   ` (148 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

When object_property_add_str() and object_property_add_bool() fail, they
leak their internal StringProperty and BoolProperty structs.  Remember
to free the structs on error.

Luckily this is a low-impact memory leak since most QOM properties are
static qdev properties that will never take the error case.
object_property_add() only fails if the property name is already in use.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit a01aedc8d32e6f5b08a4041b62be3c5fab7a3382)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qom/object.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/qom/object.c b/qom/object.c
index 21b5a0b..9156f91 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -1273,6 +1273,7 @@ void object_property_add_str(Object *obj, const char *name,
                            void (*set)(Object *, const char *, Error **),
                            Error **errp)
 {
+    Error *local_err = NULL;
     StringProperty *prop = g_malloc0(sizeof(*prop));
 
     prop->get = get;
@@ -1282,7 +1283,11 @@ void object_property_add_str(Object *obj, const char *name,
                         get ? property_get_str : NULL,
                         set ? property_set_str : NULL,
                         property_release_str,
-                        prop, errp);
+                        prop, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        g_free(prop);
+    }
 }
 
 typedef struct BoolProperty
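Review bot: the cleanup is correct because property_release_str is only installed when object_property_add succeeds, so g_free(prop) on the error path cannot double-free; a one-line comment saying so would protect it from a future "fix". The same four-line error block is repeated for the bool variant below; a small static helper taking the prop pointer would avoid the copy and paste.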
@@ -1329,6 +1334,7 @@ void object_property_add_bool(Object *obj, const char *name,
                               void (*set)(Object *, bool, Error **),
                               Error **errp)
 {
+    Error *local_err = NULL;
     BoolProperty *prop = g_malloc0(sizeof(*prop));
 
     prop->get = get;
@@ -1338,7 +1344,11 @@ void object_property_add_bool(Object *obj, const char *name,
                         get ? property_get_bool : NULL,
                         set ? property_set_bool : NULL,
                         property_release_bool,
-                        prop, errp);
+                        prop, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        g_free(prop);
+    }
 }
 
 static char *qdev_get_type(Object *obj, Error **errp)
-- 
1.9.1


* [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (7 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression) Michael Roth
                   ` (147 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

The net subsystem has a control flow mechanism so peer NetClientStates
can tell each other to stop sending packets.  This is used to stop
monitoring the tap file descriptor for incoming packets if the guest rx
ring has no spare buffers.

There is a corner case when tap_can_send() is true at the beginning of
an event loop iteration but becomes false before the tap_send() fd
handler is invoked.

tap_send() will read the packet from the tap file descriptor and attempt
to send it.  The net queue will hold on to the packet and return 0,
indicating that further I/O is not possible.  tap then stops monitoring
the file descriptor for reads.

This is unlike the normal case where tap_can_send() is the same before
and during the event loop iteration.  The event loop would simply not
monitor the file descriptor if tap_can_send() returns true.  Upon next
iteration it would check tap_can_send() again and begin monitoring if we
can send.

The deadlock happens because tap_send() explicitly disabled read_poll.
This is done with the expectation that the peer will call
qemu_net_queue_flush().  But hw/net/virtio-net.c does not monitor
vm_running transitions and issue the flush.  Hence we're left with a
broken tap device.

Cc: qemu-stable@nongnu.org
Reported-by: Neil Skrypuch <neil@tembosocial.com>
Tested-by: Neil Skrypuch <neil@tembosocial.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 68e5ec64009812dbaa03ed9cfded9344986f5304)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 net/tap.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/tap.c b/net/tap.c
index 39c1cda..6b87a73 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -190,7 +190,7 @@ static void tap_send(void *opaque)
     TAPState *s = opaque;
     int size;
 
-    do {
+    while (qemu_can_send_packet(&s->nc)) {
         uint8_t *buf = s->buf;
 
         size = tap_read_packet(s->fd, s->buf, sizeof(s->buf));
@@ -206,8 +206,11 @@ static void tap_send(void *opaque)
         size = qemu_send_packet_async(&s->nc, buf, size, tap_send_completed);
         if (size == 0) {
             tap_read_poll(s, false);
+            break;
+        } else if (size < 0) {
+            break;
         }
-    } while (size > 0 && qemu_can_send_packet(&s->nc));
+    }
 }
 
 bool tap_has_ufo(NetClientState *nc)
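Review bot: moving the qemu_can_send_packet() test to the loop head means an invocation that finds the peer already blocked returns without reading and without touching read_poll; the commit message relies on tap_can_send() keeping the fd out of the poll set in that case, so a comment on the `while` line would stop someone from turning it back into a do/while. The new `else if (size < 0) break;` discards the error code; a trace point there would make send failures visible.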
-- 
1.9.1


* [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (8 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2 Michael Roth
                   ` (146 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

'make test' is broken at least since commit
baacf04799ace72a9c735dd9306a1ceaf305e7cf. Several source files were moved
to util/, and some of them were split there, so add the missing prefix and new
files to fix the compiler and linker errors.

There remain more issues, but these changes allow running the test on a
Linux i686 host.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 6d4adef48dd6bb738474ab857f4fcb240ff9d2d6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/tcg/test_path.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tests/tcg/test_path.c b/tests/tcg/test_path.c
index a064eea..f8dd36a 100644
--- a/tests/tcg/test_path.c
+++ b/tests/tcg/test_path.c
@@ -1,12 +1,15 @@
 /* Test path override code */
 #define _GNU_SOURCE
 #include "config-host.h"
-#include "iov.c"
-#include "cutils.c"
-#include "path.c"
-#include "trace.c"
+#include "util/cutils.c"
+#include "util/hexdump.c"
+#include "util/iov.c"
+#include "util/path.c"
+#include "util/qemu-timer-common.c"
+#include "trace/control.c"
+#include "../trace/generated-events.c"
 #ifdef CONFIG_TRACE_SIMPLE
-#include "../trace/simple.c"
+#include "trace/simple.c"
 #endif
 
 #include <stdarg.h>
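Review bot: the include paths now mix two roots: util/*.c, trace/control.c and trace/simple.c are found through the source-tree include path, while generated-events.c still needs `../trace/` because it is produced in the build tree. A comment on that line explaining the difference would keep the next person from "normalising" it to trace/generated-events.c (note the old `../trace/simple.c` is changed the other way in the same hunk). Including .c files directly also means every new dependency of util/path.c breaks this test again, which is exactly what the commit message reports.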
-- 
1.9.1


* [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (9 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression) Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation Michael Roth
                   ` (145 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Those versions don't fully support __int128_t.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit a00f66ab9b3021e781695a73c579b6292501ab37)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 configure | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configure b/configure
index 3cbcea1..c0882dc 100755
--- a/configure
+++ b/configure
@@ -3520,6 +3520,11 @@ fi
 
 int128=no
 cat > $TMPC << EOF
+#if defined(__clang_major__) && defined(__clang_minor__)
+# if ((__clang_major__ < 3) || (__clang_major__ == 3) && (__clang_minor__ < 2))
+#  error __int128_t does not work in CLANG before 3.2
+# endif
+#endif
 __int128_t a;
 __uint128_t b;
 int main (void) {
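Review bot: the `#if` relies on && binding tighter than ||; `(__clang_major__ < 3) || ((__clang_major__ == 3) && (__clang_minor__ < 2))` says the same thing without the reader having to recall precedence. Because the guard is wrapped in `defined(__clang_major__) && defined(__clang_minor__)`, a clang build that does not expose the version macros is treated as new enough; if that is acceptable, say so in a comment.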
-- 
1.9.1


* [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (10 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2 Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 013/156] mirror: fix early wake from sleep due to aio Michael Roth
                   ` (144 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

The throttling delay calculation was using an inaccurate sector count to
calculate the time to sleep.  This broke rate-limiting for the block
mirror job.

Move the delay calculation into mirror_iteration() where we know how
many sectors were transferred.  This lets us calculate an accurate delay
time.

Reported-by: Joaquim Barrera <jbarrera@ac.upc.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit cc8c9d6c6f28e4e376a6561a2a31524fd069bc2d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/mirror.c | 28 +++++++++++++++-------------
 trace-events   |  2 +-
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/block/mirror.c b/block/mirror.c
index 7b95acf..9bfc22f 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -136,11 +136,12 @@ static void mirror_read_complete(void *opaque, int ret)
                     mirror_write_complete, op);
 }
 
-static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
+static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
 {
     BlockDriverState *source = s->common.bs;
     int nb_sectors, sectors_per_chunk, nb_chunks;
     int64_t end, sector_num, next_chunk, next_sector, hbitmap_next_sector;
+    uint64_t delay_ns;
     MirrorOp *op;
 
     s->sector_num = hbitmap_iter_next(&s->hbi);
@@ -227,7 +228,12 @@ static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
         nb_chunks += added_chunks;
         next_sector += added_sectors;
         next_chunk += added_chunks;
-    } while (next_sector < end);
+        if (!s->synced && s->common.speed) {
+            delay_ns = ratelimit_calculate_delay(&s->limit, added_sectors);
+        } else {
+            delay_ns = 0;
+        }
+    } while (delay_ns == 0 && next_sector < end);
 
     /* Allocate a MirrorOp that is used as an AIO callback.  */
     op = g_slice_new(MirrorOp);
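Review bot: the loop now stops growing the op as soon as ratelimit_calculate_delay() returns a non-zero delay, so under throttling an iteration can submit fewer chunks than the dirty range would allow; that is the intended accounting (the delay is charged for the `added_sectors` actually added), but a comment on the `while (delay_ns == 0 && ...)` line would make it explicit. delay_ns is assigned on every pass of the do/while body, so the uninitialised declaration in the previous hunk is safe, though a `= 0` there is cheaper than having to reason about it.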
@@ -263,6 +269,7 @@ static void coroutine_fn mirror_iteration(MirrorBlockJob *s)
     trace_mirror_one_iteration(s, sector_num, nb_sectors);
     bdrv_aio_readv(source, sector_num, &op->qiov, nb_sectors,
                    mirror_read_complete, op);
+    return delay_ns;
 }
 
 static void mirror_free_init(MirrorBlockJob *s)
@@ -358,7 +365,7 @@ static void coroutine_fn mirror_run(void *opaque)
     bdrv_dirty_iter_init(bs, &s->hbi);
     last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
     for (;;) {
-        uint64_t delay_ns;
+        uint64_t delay_ns = 0;
         int64_t cnt;
         bool should_complete;
 
@@ -382,8 +389,10 @@ static void coroutine_fn mirror_run(void *opaque)
                 qemu_coroutine_yield();
                 continue;
             } else if (cnt != 0) {
-                mirror_iteration(s);
-                continue;
+                delay_ns = mirror_iteration(s);
+                if (delay_ns == 0) {
+                    continue;
+                }
             }
         }
 
@@ -428,17 +437,10 @@ static void coroutine_fn mirror_run(void *opaque)
         }
 
         ret = 0;
-        trace_mirror_before_sleep(s, cnt, s->synced);
+        trace_mirror_before_sleep(s, cnt, s->synced, delay_ns);
         if (!s->synced) {
             /* Publish progress */
             s->common.offset = (end - cnt) * BDRV_SECTOR_SIZE;
-
-            if (s->common.speed) {
-                delay_ns = ratelimit_calculate_delay(&s->limit, sectors_per_chunk);
-            } else {
-                delay_ns = 0;
-            }
-
             block_job_sleep_ns(&s->common, QEMU_CLOCK_REALTIME, delay_ns);
             if (block_job_is_cancelled(&s->common)) {
                 break;
diff --git a/trace-events b/trace-events
index 8695e9e..b8887c1 100644
--- a/trace-events
+++ b/trace-events
@@ -81,7 +81,7 @@ mirror_start(void *bs, void *s, void *co, void *opaque) "bs %p s %p co %p opaque
 mirror_restart_iter(void *s, int64_t cnt) "s %p dirty count %"PRId64
 mirror_before_flush(void *s) "s %p"
 mirror_before_drain(void *s, int64_t cnt) "s %p dirty count %"PRId64
-mirror_before_sleep(void *s, int64_t cnt, int synced) "s %p dirty count %"PRId64" synced %d"
+mirror_before_sleep(void *s, int64_t cnt, int synced, uint64_t delay_ns) "s %p dirty count %"PRId64" synced %d delay %"PRIu64"ns"
 mirror_one_iteration(void *s, int64_t sector_num, int nb_sectors) "s %p sector_num %"PRId64" nb_sectors %d"
 mirror_iteration_done(void *s, int64_t sector_num, int nb_sectors, int ret) "s %p sector_num %"PRId64" nb_sectors %d ret %d"
 mirror_yield(void *s, int64_t cnt, int buf_free_count, int in_flight) "s %p dirty count %"PRId64" free buffers %d in_flight %d"
-- 
1.9.1


* [Qemu-devel] [PATCH 013/156] mirror: fix early wake from sleep due to aio
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (11 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN Michael Roth
                   ` (143 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

The mirror blockjob coroutine rate-limits itself by sleeping.  The
coroutine also performs I/O asynchronously so it's important that the
aio callback doesn't wake the coroutine early as that breaks
rate-limiting.

Reported-by: Joaquim Barrera <jbarrera@ac.upc.edu>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 7b770c720b28b8ac5b82ae431f2f354b7f8add91)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/mirror.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/block/mirror.c b/block/mirror.c
index 9bfc22f..2d9104e 100644
--- a/block/mirror.c
+++ b/block/mirror.c
@@ -95,7 +95,14 @@ static void mirror_iteration_done(MirrorOp *op, int ret)
     }
 
     g_slice_free(MirrorOp, op);
-    qemu_coroutine_enter(s->common.co, NULL);
+
+    /* Enter coroutine when it is not sleeping.  The coroutine sleeps to
+     * rate-limit itself.  The coroutine will eventually resume since there is
+     * a sleep timeout so don't wake it early.
+     */
+    if (s->common.busy) {
+        qemu_coroutine_enter(s->common.co, NULL);
+    }
 }
 
 static void mirror_write_complete(void *opaque, int ret)
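Review bot: `s->common.busy` is being used as "the coroutine is not inside block_job_sleep_ns()". That holds only as long as sleep is the sole place that clears busy; if the job ever yields for another reason with busy cleared, an AIO completion arriving then is dropped and the coroutine never resumes. Stating that invariant in the new comment, or adding an explicit sleeping flag, would make the contract visible where it is relied upon.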
-- 
1.9.1


* [Qemu-devel] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (12 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 013/156] mirror: fix early wake from sleep due to aio Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun Michael Roth
                   ` (142 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Fritsch <sf@sfritsch.de>

If VIRTIO_NET_F_CTRL_VLAN is not negotiated, do not filter out all
VLAN-tagged packets but send them to the guest.

This fixes VLANs with OpenBSD guests (and probably NetBSD, too, because
the OpenBSD driver started as a port from NetBSD).

Signed-off-by: Stefan Fritsch <sf@sfritsch.de>
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 0b1eaa8803e680de9a05727355dfe3d306b81e17)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 93a81eb..ec96862 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -515,6 +515,12 @@ static void virtio_net_set_features(VirtIODevice *vdev, uint32_t features)
         }
         vhost_net_ack_features(tap_get_vhost_net(nc->peer), features);
     }
+
+    if ((1 << VIRTIO_NET_F_CTRL_VLAN) & features) {
+        memset(n->vlans, 0, MAX_VLAN >> 3);
+    } else {
+        memset(n->vlans, 0xff, MAX_VLAN >> 3);
+    }
 }
 
 static int virtio_net_handle_rx_mode(VirtIONet *n, uint8_t cmd,
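Review bot: the VLAN table is initialised here on feature negotiation only; if the reset path sets n->vlans to the filtering (all-zero) state, a guest that resets and does not renegotiate features gets the old behaviour back. A helper that derives the default from the negotiated features, called from both places, would avoid the divergence. Also `MAX_VLAN >> 3` as the byte count presumes MAX_VLAN is a multiple of 8; `sizeof(n->vlans)` would express the length without that assumption.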
-- 
1.9.1


* [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (13 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding Michael Roth
                   ` (141 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.

Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/stellaris_enet.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 9dd77f7..8a1d0d1 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -252,10 +252,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset,
                 s->tx_fifo[s->tx_fifo_len++] = value >> 24;
             }
         } else {
-            s->tx_fifo[s->tx_fifo_len++] = value;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 8;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 16;
-            s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+            if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
+                s->tx_fifo[s->tx_fifo_len++] = value;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 8;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 16;
+                s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+            }
             if (s->tx_fifo_len >= s->tx_frame_len) {
                 /* We don't implement explicit CRC, so just chop it off.  */
                 if ((s->tctl & SE_TCTL_CRC) == 0)
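Review bot: the guard drops a word when fewer than four bytes of FIFO remain, which matches the commit message's "CRC word is lost" reading, but the following `if (s->tx_fifo_len >= s->tx_frame_len)` still runs, so a tx_frame_len greater than ARRAY_SIZE(s->tx_fifo) can never be satisfied and such a frame is never sent. Clamping tx_frame_len to the FIFO size where it is set would close that case, and the first-word branch in the context above (`s->tx_fifo[s->tx_fifo_len++] = value >> 24;`) should be checked for the same bound.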
-- 
1.9.1


* [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (14 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 017/156] qcow2: Flush metadata during read-only reopen Michael Roth
                   ` (140 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The PADEN bit in the transmit control register enables padding of short
data packets out to the required minimum length. However a typo here
meant we were adjusting tx_fifo_len rather than tx_frame_len, so the
padding didn't actually happen. Fix this bug.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 7fd5f064d1c1a827a95ffe678418b3d5b8d2f108)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/stellaris_enet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 8a1d0d1..376c7b0 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -264,7 +264,7 @@ static void stellaris_enet_write(void *opaque, hwaddr offset,
                     s->tx_frame_len -= 4;
                 if ((s->tctl & SE_TCTL_PADEN) && s->tx_frame_len < 60) {
                     memset(&s->tx_fifo[s->tx_frame_len], 0, 60 - s->tx_frame_len);
-                    s->tx_fifo_len = 60;
+                    s->tx_frame_len = 60;
                 }
                 qemu_send_packet(qemu_get_queue(s->nic), s->tx_fifo,
                                  s->tx_frame_len);
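Review bot: the fix itself is right, but the hunk does not show what guards the `s->tx_frame_len -= 4;` on the line above, nor whether tx_frame_len is signed; if a frame shorter than 4 bytes can reach that subtraction, `60 - s->tx_frame_len` would exceed 60 and the memset would run past the padding region of s->tx_fifo. A one-line length check before this padding block, or a comment stating that the tx_fifo restructuring in PATCH 015 already rejects such frames, would make the bound explicit.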
-- 
1.9.1


* [Qemu-devel] [PATCH 017/156] qcow2: Flush metadata during read-only reopen
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (15 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 018/156] block-commit: speed is an optional parameter Michael Roth
                   ` (139 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

If lazy refcounts are enabled for a backing file, committing to this
backing file may leave it in a dirty state even if the commit succeeds.
The reason is that the bdrv_flush() call in bdrv_commit() doesn't flush
refcount updates with lazy refcounts enabled, and qcow2_reopen_prepare()
doesn't take care to flush metadata.

In order to fix this, this patch also fixes qcow2_mark_clean(), which
contains another ineffective bdrv_flush() call because lazy refcounts are
disabled only afterwards. All existing callers of qcow2_mark_clean()
either don't modify refcounts or already flush manually, so that this
fixes only a latent, but not yet actually triggerable bug.

Another instance of the same problem is live snapshots. Again, a real
corruption is prevented by an explicit flush for non-read-only images in
external_snapshot_prepare(), but images using lazy refcounts stay dirty.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 4c2e5f8f46a17966dc45b5a3e07b97434c0eabdf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 25 +++++++++++++++++++++----
 tests/qemu-iotests/039     | 20 ++++++++++++++++++++
 tests/qemu-iotests/039.out | 11 +++++++++++
 3 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 6e5d98d..b43c7d0 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -269,12 +269,15 @@ static int qcow2_mark_clean(BlockDriverState *bs)
     BDRVQcowState *s = bs->opaque;
 
     if (s->incompatible_features & QCOW2_INCOMPAT_DIRTY) {
-        int ret = bdrv_flush(bs);
+        int ret;
+
+        s->incompatible_features &= ~QCOW2_INCOMPAT_DIRTY;
+
+        ret = bdrv_flush(bs);
         if (ret < 0) {
             return ret;
         }
 
-        s->incompatible_features &= ~QCOW2_INCOMPAT_DIRTY;
         return qcow2_update_header(bs);
     }
     return 0;
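Review bot: clearing QCOW2_INCOMPAT_DIRTY in memory before the bdrv_flush() call is what makes the flush actually write the lazy refcounts, but if bdrv_flush() fails the in-memory flag is already clear while the on-disk header still carries the dirty bit; a later qcow2_mark_clean() will then skip the `if (s->incompatible_features & QCOW2_INCOMPAT_DIRTY)` block and never retry the flush or the header update. Consider restoring the bit on the `ret < 0` path so the next caller can retry.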
@@ -792,11 +795,25 @@ static int qcow2_set_key(BlockDriverState *bs, const char *key)
     return 0;
 }
 
-/* We have nothing to do for QCOW2 reopen, stubs just return
- * success */
+/* We have no actual commit/abort logic for qcow2, but we need to write out any
+ * unwritten data if we reopen read-only. */
 static int qcow2_reopen_prepare(BDRVReopenState *state,
                                 BlockReopenQueue *queue, Error **errp)
 {
+    int ret;
+
+    if ((state->flags & BDRV_O_RDWR) == 0) {
+        ret = bdrv_flush(state->bs);
+        if (ret < 0) {
+            return ret;
+        }
+
+        ret = qcow2_mark_clean(state->bs);
+        if (ret < 0) {
+            return ret;
+        }
+    }
+
     return 0;
 }
 
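Review bot: the new comment says qcow2 has no commit/abort logic, yet qcow2_reopen_prepare() now performs a side effect (flush plus qcow2_mark_clean()) before the reopen transaction is committed; if a later prepare step fails and the reopen is aborted, the image has already been flushed and marked clean. That is safe because the data really was written, but the comment should say so. Also, qcow2_mark_clean() calls bdrv_flush() itself when the dirty bit is set, so a dirty image is flushed twice on this path; harmless, but a short note that the explicit bdrv_flush() covers unwritten data on images that are not marked dirty would explain why both calls stay.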
diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
index 8bade92..cc4fad8 100755
--- a/tests/qemu-iotests/039
+++ b/tests/qemu-iotests/039
@@ -130,6 +130,26 @@ ulimit -c "$old_ulimit"
 ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
 _check_test_img
 
+echo
+echo "== Committing to a backing file with lazy_refcounts=on =="
+
+IMGOPTS="compat=1.1,lazy_refcounts=on"
+TEST_IMG="$TEST_IMG".base _make_test_img $size
+
+IMGOPTS="compat=1.1,lazy_refcounts=on,backing_file=$TEST_IMG.base"
+_make_test_img $size
+
+$QEMU_IO -c "write 0 512" "$TEST_IMG" | _filter_qemu_io
+$QEMU_IMG commit "$TEST_IMG"
+
+# The dirty bit must not be set
+./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+./qcow2.py "$TEST_IMG".base dump-header | grep incompatible_features
+
+_check_test_img
+TEST_IMG="$TEST_IMG".base _check_test_img
+
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
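Review bot: the commit message names live snapshots as a second instance of the same problem, but the new test only exercises `$QEMU_IMG commit`; a case that takes an external snapshot of a lazy_refcounts=on image and then greps incompatible_features would cover the external_snapshot_prepare() path as well. Minor: IMGOPTS is overwritten twice and not restored for anything that follows, and there is a stray extra blank line before `# success, all done`.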
diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
index 077fa64..fb31ae0 100644
--- a/tests/qemu-iotests/039.out
+++ b/tests/qemu-iotests/039.out
@@ -54,4 +54,15 @@ wrote 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 incompatible_features     0x0
 No errors were found on the image.
+
+== Committing to a backing file with lazy_refcounts=on ==
+Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=134217728 
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 backing_file='TEST_DIR/t.IMGFMT.base' 
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+Image committed.
+incompatible_features     0x0
+incompatible_features     0x0
+No errors were found on the image.
+No errors were found on the image.
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 018/156] block-commit: speed is an optional parameter
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (16 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 017/156] qcow2: Flush metadata during read-only reopen Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core Michael Roth
                   ` (138 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Max Reitz <mreitz@redhat.com>

As speed is an optional parameter for the QMP block-commit command, it
should be set to 0 if not given (as it is undefined if has_speed is
false), that is, the speed should not be limited.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 5450466394c95cea8b661fb197ed215a4ab5d700)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/blockdev.c b/blockdev.c
index 44755e1..29b44a5 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -1786,6 +1786,10 @@ void qmp_block_commit(const char *device,
      */
     BlockdevOnError on_error = BLOCKDEV_ON_ERROR_REPORT;
 
+    if (!has_speed) {
+        speed = 0;
+    }
+
     /* drain all i/o before commits */
     bdrv_drain_all();
 
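Review bot: a bare `speed = 0;` leaves the reader to infer that zero means unlimited; a short comment next to the assignment (for example `speed = 0; /* unlimited */`), matching what the commit message says, would make the default self-explanatory.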
-- 
1.9.1


* [Qemu-devel] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core.
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (17 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 018/156] block-commit: speed is an optional parameter Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 020/156] megasas: Implement LD_LIST_QUERY Michael Roth
                   ` (137 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Benoît Canet <benoit.canet@irqsave.net>

The SMART self test counter was incorrectly being reset to zero,
not 1. This had the effect that on every 21st SMART EXECUTE OFFLINE:
 * We would write off the beginning of a dynamically allocated buffer
 * We forgot the SMART history
Fix this.

Signed-off-by: Benoit Canet <benoit@irqsave.net>
Message-id: 1397336390-24664-1-git-send-email-benoit.canet@irqsave.net
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Kevin Wolf <kwolf@redhat.com>
[PMM: tweaked commit message as per suggestions from Markus]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

(cherry picked from commit 940973ae0b45c9b6817bab8e4cf4df99a9ef83d7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ide/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ide/core.c b/hw/ide/core.c
index e1f4c33..6007f6f 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1601,7 +1601,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd)
         case 2: /* extended self test */
             s->smart_selftest_count++;
             if (s->smart_selftest_count > 21) {
-                s->smart_selftest_count = 0;
+                s->smart_selftest_count = 1;
             }
             n = 2 + (s->smart_selftest_count - 1) * 24;
             s->smart_selftest_data[n] = s->sector;
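Review bot: with the counter reset to 0, the line `n = 2 + (s->smart_selftest_count - 1) * 24;` evaluates to -22, so `s->smart_selftest_data[n] = s->sector;` wrote 22 bytes before the start of the buffer, which is the out-of-bounds write the commit message describes; resetting to 1 keeps n within 2..482 for counts 1..21. Since n is derived from a guest-advanced counter, an assertion or comment giving the size of smart_selftest_data next to this computation would make the bound visible to the next reader.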
-- 
1.9.1


* [Qemu-devel] [PATCH 020/156] megasas: Implement LD_LIST_QUERY
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (18 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 021/156] arm: translate.c: Fix smlald Instruction Michael Roth
                   ` (136 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hannes Reinecke <hare@suse.de>

Newer firmware implements an LD_LIST_QUERY command, and due to a driver
issue no drives might be detected if this command isn't supported.
So add emulation for this command, too.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 34bb4d02e00e508fa9d111a6a31b45bbfecbdba5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/megasas.c | 17 +++++++++++++++++
 hw/scsi/mfi.h     |  9 +++++++++
 trace-events      |  1 +
 3 files changed, 27 insertions(+)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 7c5a1a2..dc09de3 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1101,6 +1101,21 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
     return MFI_STAT_OK;
 }
 
+static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
+{
+    uint16_t flags;
+
+    /* mbox0 contains flags */
+    flags = le16_to_cpu(cmd->frame->dcmd.mbox[0]);
+    trace_megasas_dcmd_ld_list_query(cmd->index, flags);
+    if (flags == MR_LD_QUERY_TYPE_ALL ||
+        flags == MR_LD_QUERY_TYPE_EXPOSED_TO_HOST) {
+        return megasas_dcmd_ld_get_list(s, cmd);
+    }
+
+    return MFI_STAT_OK;
+}
+
 static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
                                       MegasasCmd *cmd)
 {
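Review bot: for query types other than MR_LD_QUERY_TYPE_ALL and MR_LD_QUERY_TYPE_EXPOSED_TO_HOST (that is, USED_TGT_IDS, CLUSTER_ACCESS and CLUSTER_LOCALE from the new enum), megasas_dcmd_ld_list_query() returns MFI_STAT_OK without writing any reply, so the guest driver sees a success status with an unfilled LD list. Either return a failure status for the unsupported query types or at least emit the existing megasas_dcmd_unsupported trace there so the gap is visible when debugging.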
@@ -1404,6 +1419,8 @@ static const struct dcmd_cmd_tbl_t {
       megasas_dcmd_dummy },
     { MFI_DCMD_LD_GET_LIST, "LD_GET_LIST",
       megasas_dcmd_ld_get_list},
+    { MFI_DCMD_LD_LIST_QUERY, "LD_LIST_QUERY",
+      megasas_dcmd_ld_list_query },
     { MFI_DCMD_LD_GET_INFO, "LD_GET_INFO",
       megasas_dcmd_ld_get_info },
     { MFI_DCMD_LD_GET_PROP, "LD_GET_PROP",
diff --git a/hw/scsi/mfi.h b/hw/scsi/mfi.h
index cd8355b..a3034f6 100644
--- a/hw/scsi/mfi.h
+++ b/hw/scsi/mfi.h
@@ -164,6 +164,7 @@ typedef enum {
     MFI_DCMD_PD_BLINK =                 0x02070100,
     MFI_DCMD_PD_UNBLINK =               0x02070200,
     MFI_DCMD_LD_GET_LIST =              0x03010000,
+    MFI_DCMD_LD_LIST_QUERY =            0x03010100,
     MFI_DCMD_LD_GET_INFO =              0x03020000,
     MFI_DCMD_LD_GET_PROP =              0x03030000,
     MFI_DCMD_LD_SET_PROP =              0x03040000,
@@ -411,6 +412,14 @@ typedef enum {
     MR_PD_QUERY_TYPE_EXPOSED_TO_HOST =  5, /*query for system drives */
 } mfi_pd_query_type;
 
+typedef enum {
+    MR_LD_QUERY_TYPE_ALL =              0,
+    MR_LD_QUERY_TYPE_EXPOSED_TO_HOST =  1,
+    MR_LD_QUERY_TYPE_USED_TGT_IDS =     2,
+    MR_LD_QUERY_TYPE_CLUSTER_ACCESS =   3,
+    MR_LD_QUERY_TYPE_CLUSTER_LOCALE =   4,
+} mfi_ld_query_type;
+
 /*
  * Other propertities and definitions
  */
diff --git a/trace-events b/trace-events
index b8887c1..87fe42e 100644
--- a/trace-events
+++ b/trace-events
@@ -670,6 +670,7 @@ megasas_dcmd_ld_get_list(int cmd, int num, int max) "scmd %d: DCMD LD get list:
 megasas_dcmd_ld_get_info(int cmd, int ld_id) "scmd %d: DCMD LD get info for dev %d"
 megasas_dcmd_pd_get_info(int cmd, int pd_id) "scmd %d: DCMD PD get info for dev %d"
 megasas_dcmd_pd_list_query(int cmd, int flags) "scmd %d: DCMD PD list query flags %x"
+megasas_dcmd_ld_list_query(int cmd, int flags) "scmd %d: DCMD LD list query flags %x"
 megasas_dcmd_unsupported(int cmd, unsigned long size) "scmd %d: set properties len %ld"
 megasas_abort_frame(int cmd, int abort_cmd) "scmd %d: aborting frame %x"
 megasas_abort_no_cmd(int cmd, uint64_t context) "scmd %d: no active command for frame context %" PRIx64 ""
-- 
1.9.1


* [Qemu-devel] [PATCH 021/156] arm: translate.c: Fix smlald Instruction
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (19 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 020/156] megasas: Implement LD_LIST_QUERY Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 022/156] block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file Michael Roth
                   ` (135 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>

The smlald (and probably smlsld) instruction was doing incorrect sign
extensions of the operands amongst 64bit result calculation. The
instruction pseudo-code is:

 operand2 = if m_swap then ROR(R[m],16) else R[m];
 product1 = SInt(R[n]<15:0>) * SInt(operand2<15:0>);
 product2 = SInt(R[n]<31:16>) * SInt(operand2<31:16>);
 result = product1 + product2 + SInt(R[dHi]:R[dLo]);
 R[dHi] = result<63:32>;
 R[dLo] = result<31:0>;

The result calculation should be done in 64 bit arithmetic, and hence
product1 and product2 should be sign extended to 64b before calculation.

The current implementation was adding product1 and product2 together
then sign-extending the intermediate result leading to false negatives.

E.G. if product1 = product2 = 0x4000000, their sum = 0x80000000, which
will be incorrectly interpreted as -ve on sign extension.

We fix by doing the 64b extensions on both product1 and product2 before
any addition/subtraction happens.

We also fix where we were possibly incorrectly setting the Q saturation
flag for SMLSLD, which the ARM ARM specifically says is not set.

Reported-by: Christina Smith <christina.smith@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 2cddb6f5a15be4ab8d2160f3499d128ae93d304d.1397704570.git.peter.crosthwaite@xilinx.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 33bbd75a7c3321432fe40a8cbacd64619c56138c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/translate.c | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 5f003e7..e0c3eaa 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -7732,27 +7732,39 @@ static void disas_arm_insn(CPUARMState * env, DisasContext *s)
                         if (insn & (1 << 5))
                             gen_swap_half(tmp2);
                         gen_smul_dual(tmp, tmp2);
-                        if (insn & (1 << 6)) {
-                            /* This subtraction cannot overflow. */
-                            tcg_gen_sub_i32(tmp, tmp, tmp2);
-                        } else {
-                            /* This addition cannot overflow 32 bits;
-                             * however it may overflow considered as a signed
-                             * operation, in which case we must set the Q flag.
-                             */
-                            gen_helper_add_setq(tmp, cpu_env, tmp, tmp2);
-                        }
-                        tcg_temp_free_i32(tmp2);
                         if (insn & (1 << 22)) {
                             /* smlald, smlsld */
+                            TCGv_i64 tmp64_2;
+
                             tmp64 = tcg_temp_new_i64();
+                            tmp64_2 = tcg_temp_new_i64();
                             tcg_gen_ext_i32_i64(tmp64, tmp);
+                            tcg_gen_ext_i32_i64(tmp64_2, tmp2);
                             tcg_temp_free_i32(tmp);
+                            tcg_temp_free_i32(tmp2);
+                            if (insn & (1 << 6)) {
+                                tcg_gen_sub_i64(tmp64, tmp64, tmp64_2);
+                            } else {
+                                tcg_gen_add_i64(tmp64, tmp64, tmp64_2);
+                            }
+                            tcg_temp_free_i64(tmp64_2);
                             gen_addq(s, tmp64, rd, rn);
                             gen_storeq_reg(s, rd, rn, tmp64);
                             tcg_temp_free_i64(tmp64);
                         } else {
                             /* smuad, smusd, smlad, smlsd */
+                            if (insn & (1 << 6)) {
+                                /* This subtraction cannot overflow. */
+                                tcg_gen_sub_i32(tmp, tmp, tmp2);
+                            } else {
+                                /* This addition cannot overflow 32 bits;
+                                 * however it may overflow considered as a
+                                 * signed operation, in which case we must set
+                                 * the Q flag.
+                                 */
+                                gen_helper_add_setq(tmp, cpu_env, tmp, tmp2);
+                            }
+                            tcg_temp_free_i32(tmp2);
                             if (rd != 15)
                               {
                                 tmp2 = load_reg(s, rd);
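Review bot: the smlald/smlsld path no longer calls gen_helper_add_setq(), so Q is not set for SMLALD either, not only for SMLSLD as the commit message states; if that is intended (the 64-bit accumulate has no 32-bit overflow to report), say so in the message or in the `/* smlald, smlsld */` comment. Also, tmp2 is now freed separately in each branch (`tcg_temp_free_i32(tmp2);` appears twice); that is correct, but a comment at the branch point noting that each branch owns tmp2 would keep a later refactor from leaking or double-freeing it.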
-- 
1.9.1
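As an added illustration of the sign-extension bug described in the commit message above, the following C models SMLALD/SMLSLD in both the pre-fix and the fixed order of operations. This is example code written for this page, not QEMU's or the author's code; the function names and the sample register values are constructed. The sample uses Rn = Rm = 0x80008000, whose four halfwords are all -32768, so product1 = product2 = 0x40000000 and their sum is exactly 2^31, the case the 32-bit intermediate cannot hold.

```c
#include <stdint.h>
#include <stdio.h>

/* SInt(x<15:0>): sign-extend the low 16 bits of v to 32 bits. */
static int32_t sint16(uint32_t v)
{
    v &= 0xffffu;
    return (v & 0x8000u) ? (int32_t)v - 0x10000 : (int32_t)v;
}

/* ROR(x, 16): swap the halfwords, used when M-swap is requested. */
static uint32_t ror16(uint32_t x)
{
    return (x >> 16) | (x << 16);
}

/* Sign-extend a 32-bit pattern to 64 bits without relying on
 * implementation-defined narrowing conversions. */
static int64_t sext32(uint32_t v)
{
    return (v & 0x80000000u) ? (int64_t)v - 0x100000000LL : (int64_t)v;
}

/* Pre-fix order: combine the two products in 32-bit arithmetic, then
 * sign-extend the 32-bit intermediate before adding the accumulator.
 * Each product fits in int32 (|p| <= 2^30), and the subtraction cannot
 * overflow, but p1 + p2 can reach exactly 2^31. */
static int64_t smlxld_old(uint32_t rn, uint32_t rm, int m_swap, int subtract,
                          int64_t acc)
{
    uint32_t op2 = m_swap ? ror16(rm) : rm;
    int32_t p1 = sint16(rn) * sint16(op2);
    int32_t p2 = sint16(rn >> 16) * sint16(op2 >> 16);
    uint32_t inter = subtract ? (uint32_t)p1 - (uint32_t)p2
                              : (uint32_t)p1 + (uint32_t)p2;
    return acc + sext32(inter);   /* wrong when p1 + p2 == 2^31 */
}

/* Fixed order (what the patch does with tcg_gen_ext_i32_i64 on each
 * product): extend both products to 64 bits first, then add/subtract. */
static int64_t smlxld_new(uint32_t rn, uint32_t rm, int m_swap, int subtract,
                          int64_t acc)
{
    uint32_t op2 = m_swap ? ror16(rm) : rm;
    int64_t p1 = sint16(rn) * sint16(op2);
    int64_t p2 = sint16(rn >> 16) * sint16(op2 >> 16);
    return subtract ? acc + p1 - p2 : acc + p1 + p2;
}

/* R[dHi] = result<63:32> and R[dLo] = result<31:0>. */
static uint32_t result_hi(int64_t result)
{
    return (uint32_t)((uint64_t)result >> 32);
}

static uint32_t result_lo(int64_t result)
{
    return (uint32_t)((uint64_t)result & 0xffffffffu);
}

int main(void)
{
    /* Constructed sample: every halfword is -32768. */
    uint32_t rn = 0x80008000u, rm = 0x80008000u;
    int64_t old = smlxld_old(rn, rm, 0, 0, 0);
    int64_t fixed = smlxld_new(rn, rm, 0, 0, 0);

    printf("old:   RdHi=0x%08x RdLo=0x%08x (%lld)\n",
           result_hi(old), result_lo(old), (long long)old);
    printf("fixed: RdHi=0x%08x RdLo=0x%08x (%lld)\n",
           result_hi(fixed), result_lo(fixed), (long long)fixed);
    return 0;
}
```

The old path yields RdHi = 0xffffffff for a sum that is positive; the fixed path yields RdHi = 0. For SMLSLD the difference of the two products always fits in 32 bits, so both orders agree there, which is why the patch only needed to move the addition into 64-bit arithmetic.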


* [Qemu-devel] [PATCH 022/156] block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (20 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 021/156] arm: translate.c: Fix smlald Instruction Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate Michael Roth
                   ` (134 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Benoît Canet <benoit.canet@irqsave.net>

In 1.7.1 qcow2_create2 reopens the file for flushing without the BDRV_O_NO_BACKING
flags.

As a consequence the code would recursively open the whole backing chain.

These three stack arrays would pile up through the recursion and lead to a coroutine
stack overflow.

Convert these arrays to malloced buffers in order to streamline the coroutine
footprint.

Symptoms were freezes or segfaults on production machines while taking QMP external
snapshots. The overflow disturbed coroutine switching.

Signed-off-by: Benoit Canet <benoit.canet@gmail.com>

*note: backport of upstream's 1ba4b6a

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/block.c b/block.c
index 382ea71..8f84dbc 100644
--- a/block.c
+++ b/block.c
@@ -966,14 +966,14 @@ fail:
  */
 int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
 {
-    char backing_filename[PATH_MAX];
-    int back_flags, ret;
+    char *backing_filename = g_malloc0(PATH_MAX);
+    int back_flags, ret = 0;
     BlockDriver *back_drv = NULL;
     Error *local_err = NULL;
 
     if (bs->backing_hd != NULL) {
         QDECREF(options);
-        return 0;
+        goto free_exit;
     }
 
     /* NULL means an empty set of options */
@@ -986,10 +986,9 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
         backing_filename[0] = '\0';
     } else if (bs->backing_file[0] == '\0' && qdict_size(options) == 0) {
         QDECREF(options);
-        return 0;
+        goto free_exit;
     } else {
-        bdrv_get_full_backing_filename(bs, backing_filename,
-                                       sizeof(backing_filename));
+        bdrv_get_full_backing_filename(bs, backing_filename, PATH_MAX);
     }
 
     bs->backing_hd = bdrv_new("");
@@ -1012,11 +1011,14 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *options, Error **errp)
         error_setg(errp, "Could not open backing file: %s",
                    error_get_pretty(local_err));
         error_free(local_err);
-        return ret;
+        goto free_exit;
     }
     pstrcpy(bs->backing_file, sizeof(bs->backing_file),
             bs->backing_hd->file->filename);
-    return 0;
+    ret = 0;
+free_exit:
+    g_free(backing_filename);
+    return ret;
 }
 
 /*
@@ -1032,7 +1034,8 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
 {
     int ret;
     /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
-    char tmp_filename[PATH_MAX + 1];
+    char *backing_filename = NULL;
+    char *tmp_filename = g_malloc0(PATH_MAX + 1);
     BlockDriverState *file = NULL;
     QDict *file_options = NULL;
     const char *drvname;
@@ -1052,7 +1055,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
         int64_t total_size;
         BlockDriver *bdrv_qcow2;
         QEMUOptionParameter *create_options;
-        char backing_filename[PATH_MAX];
+        backing_filename = g_malloc0(PATH_MAX);
 
         if (qdict_size(options) != 0) {
             error_setg(errp, "Can't use snapshot=on with driver-specific options");
@@ -1075,7 +1078,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
 
         bdrv_unref(bs1);
 
-        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+        ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
         if (ret < 0) {
             error_setg_errno(errp, -ret, "Could not get temporary filename");
             goto fail;
@@ -1083,8 +1086,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
 
         /* Real path is meaningless for protocols */
         if (path_has_protocol(filename)) {
-            snprintf(backing_filename, sizeof(backing_filename),
-                     "%s", filename);
+            snprintf(backing_filename, PATH_MAX, "%s", filename);
         } else if (!realpath(filename, backing_filename)) {
             ret = -errno;
             error_setg_errno(errp, errno, "Could not resolve path '%s'", filename);
@@ -1206,6 +1208,8 @@ fail:
     if (error_is_set(&local_err)) {
         error_propagate(errp, local_err);
     }
+    g_free(tmp_filename);
+    g_free(backing_filename);
     return ret;
 
 close_and_fail:
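Review bot: tmp_filename and backing_filename are freed at the fail: label here and at close_and_fail: in the next hunk, but bdrv_open()'s successful return is not part of this diff; since tmp_filename is now allocated unconditionally (`char *tmp_filename = g_malloc0(PATH_MAX + 1);`), every successful open leaks PATH_MAX + 1 bytes, plus PATH_MAX more on the snapshot=on path, unless the success return also frees both buffers. Please either add the g_free() calls there or route success through a common exit label, as bdrv_open_backing_file() now does with free_exit.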
@@ -1214,6 +1218,8 @@ close_and_fail:
     if (error_is_set(&local_err)) {
         error_propagate(errp, local_err);
     }
+    g_free(tmp_filename);
+    g_free(backing_filename);
     return ret;
 }
 
-- 
1.9.1


* [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (21 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 022/156] block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 024/156] s390x/helper: Added format control bit to MMU translation Michael Roth
                   ` (133 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

If you open an image temporarily just because you want to check its size
or get it flushed, there's no real reason to open the whole backing file
chain.

This is a backport of c9fbb99d41b05acf0d7b93deb2fcdbf9047c238e to
qemu 1.7.1.

The backport was done to fix a bug where QEMU 1.7.1 would crash or freeze
when the user takes around 80 consecutive snapshots in a row.

git bisect would lead to commit: ba2ab2f2ca4150a7e314fbb19fa158bd8ddc36eb
and it was clear that BDRV_NO_BACKING was missing.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c       | 4 ++--
 block/qcow2.c | 3 ++-
 block/vmdk.c  | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/block.c b/block.c
index 8f84dbc..68651a9 100644
--- a/block.c
+++ b/block.c
@@ -1067,9 +1067,9 @@ int bdrv_open(BlockDriverState *bs, const char *filename, QDict *options,
         /* if snapshot, we create a temporary backing file and open it
            instead of opening 'filename' directly */
 
-        /* if there is a backing file, use it */
         bs1 = bdrv_new("");
-        ret = bdrv_open(bs1, filename, NULL, 0, drv, &local_err);
+        ret = bdrv_open(bs1, filename, NULL, BDRV_O_NO_BACKING, drv,
+                        &local_err);
         if (ret < 0) {
             bdrv_unref(bs1);
             goto fail;
diff --git a/block/qcow2.c b/block/qcow2.c
index b43c7d0..f2897b6 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1605,7 +1605,8 @@ static int qcow2_create2(const char *filename, int64_t total_size,
 
     /* Reopen the image without BDRV_O_NO_FLUSH to flush it before returning */
     ret = bdrv_open(bs, filename, NULL,
-                    BDRV_O_RDWR | BDRV_O_CACHE_WB, drv, &local_err);
+                    BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING,
+                    drv, &local_err);
     if (error_is_set(&local_err)) {
         error_propagate(errp, local_err);
         goto out;
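Review bot: the comment above this bdrv_open() call still explains only the BDRV_O_NO_FLUSH aspect; extend it to say that the backing chain is deliberately not opened (BDRV_O_NO_BACKING) because this reopen exists only to flush the new image, which is the recursion the commit message describes and which PATCH 022 in this series worked around.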
diff --git a/block/vmdk.c b/block/vmdk.c
index a7ebd0f..d35a9d7 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1689,7 +1689,7 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options,
     }
     if (backing_file) {
         BlockDriverState *bs = bdrv_new("");
-        ret = bdrv_open(bs, backing_file, NULL, 0, NULL, errp);
+        ret = bdrv_open(bs, backing_file, NULL, BDRV_O_NO_BACKING, NULL, errp);
         if (ret != 0) {
             bdrv_unref(bs);
             return ret;
-- 
1.9.1


* [Qemu-devel] [PATCH 024/156] s390x/helper: Added format control bit to MMU translation
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (22 preceding siblings ...)
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate Michael Roth
@ 2014-07-08 17:16 ` Michael Roth
  2014-07-08 17:16 ` [Qemu-devel] [PATCH 025/156] s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG Michael Roth
                   ` (132 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Thomas Huth <thuth@linux.vnet.ibm.com>

With the EDAT-1 facility, the MMU translation can stop at the
segment table already, pointing to a 1 MB block. And while we're
at it, move the page table entry handling to a separate function,
too, as suggested by Alexander Graf.

Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit c4400206d43b6a235299c7047cca0af93269fc03)

Conflicts:
	target-s390x/helper.c

*removed unnecessary context

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-s390x/cpu.h    |  4 +++
 target-s390x/helper.c | 70 ++++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 56 insertions(+), 18 deletions(-)

diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 68b5ab7..8c0d00a 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -274,6 +274,9 @@ typedef struct CPUS390XState {
 #define FLAG_MASK_64            (PSW_MASK_64     >> 32)
 #define FLAG_MASK_32            0x00001000
 
+/* Control register 0 bits */
+#define CR0_EDAT                0x0000000000800000ULL
+
 static inline int cpu_mmu_index (CPUS390XState *env)
 {
     if (env->psw.mask & PSW_MASK_PSTATE) {
@@ -932,6 +935,7 @@ struct sysib_322 {
 #define _REGION_ENTRY_LENGTH    0x03      /* region third length              */
 
 #define _SEGMENT_ENTRY_ORIGIN   ~0x7ffULL /* segment table origin             */
+#define _SEGMENT_ENTRY_FC       0x400     /* format control                   */
 #define _SEGMENT_ENTRY_RO       0x200     /* page protection bit              */
 #define _SEGMENT_ENTRY_INV      0x20      /* invalid segment table entry      */
 
diff --git a/target-s390x/helper.c b/target-s390x/helper.c
index da33b38..e8e92ef 100644
--- a/target-s390x/helper.c
+++ b/target-s390x/helper.c
@@ -164,6 +164,50 @@ static void trigger_page_fault(CPUS390XState *env, target_ulong vaddr,
     trigger_pgm_exception(env, type, ilen);
 }
 
+/* Decode page table entry (normal 4KB page) */
+static int mmu_translate_pte(CPUS390XState *env, target_ulong vaddr,
+                             uint64_t asc, uint64_t asce,
+                             target_ulong *raddr, int *flags, int rw)
+{
+    if (asce & _PAGE_INVALID) {
+        DPRINTF("%s: PTE=0x%" PRIx64 " invalid\n", __func__, asce);
+        trigger_page_fault(env, vaddr, PGM_PAGE_TRANS, asc, rw);
+        return -1;
+    }
+
+    if (asce & _PAGE_RO) {
+        *flags &= ~PAGE_WRITE;
+    }
+
+    *raddr = asce & _ASCE_ORIGIN;
+
+    PTE_DPRINTF("%s: PTE=0x%" PRIx64 "\n", __func__, asce);
+
+    return 0;
+}
+
+/* Decode EDAT1 segment frame absolute address (1MB page) */
+static int mmu_translate_sfaa(CPUS390XState *env, target_ulong vaddr,
+                              uint64_t asc, uint64_t asce, target_ulong *raddr,
+                              int *flags, int rw)
+{
+    if (asce & _SEGMENT_ENTRY_INV) {
+        DPRINTF("%s: SEG=0x%" PRIx64 " invalid\n", __func__, asce);
+        trigger_page_fault(env, vaddr, PGM_SEGMENT_TRANS, asc, rw);
+        return -1;
+    }
+
+    if (asce & _SEGMENT_ENTRY_RO) {
+        *flags &= ~PAGE_WRITE;
+    }
+
+    *raddr = (asce & 0xfffffffffff00000ULL) | (vaddr & 0xfffff);
+
+    PTE_DPRINTF("%s: SEG=0x%" PRIx64 "\n", __func__, asce);
+
+    return 0;
+}
+
 static int mmu_translate_asce(CPUS390XState *env, target_ulong vaddr,
                               uint64_t asc, uint64_t asce, int level,
                               target_ulong *raddr, int *flags, int rw)
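Review bot: mmu_translate_sfaa masks the frame address with the bare literal 0xfffffffffff00000ULL while mmu_translate_pte uses the named _ASCE_ORIGIN mask; give the 1MB frame mask a name beside the _SEGMENT_ENTRY_* definitions (e.g. `_SEGMENT_ENTRY_ORIGIN`) so the two paths read alike and the width of the field is documented in one place. Both helpers also receive the table entry in a parameter called `asce`, which is the name of the address-space-control element; calling it `pte` and `ste` respectively would make the DPRINTF messages and the mask checks easier to follow.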
@@ -222,28 +266,18 @@ static int mmu_translate_asce(CPUS390XState *env, target_ulong vaddr,
     PTE_DPRINTF("%s: 0x%" PRIx64 " + 0x%" PRIx64 " => 0x%016" PRIx64 "\n",
                 __func__, origin, offs, new_asce);
 
-    if (level != _ASCE_TYPE_SEGMENT) {
+    if (level == _ASCE_TYPE_SEGMENT) {
+        /* 4KB page */
+        return mmu_translate_pte(env, vaddr, asc, new_asce, raddr, flags, rw);
+    } else if (level - 4 == _ASCE_TYPE_SEGMENT &&
+               (new_asce & _SEGMENT_ENTRY_FC) && (env->cregs[0] & CR0_EDAT)) {
+        /* 1MB page */
+        return mmu_translate_sfaa(env, vaddr, asc, new_asce, raddr, flags, rw);
+    } else {
         /* yet another region */
         return mmu_translate_asce(env, vaddr, asc, new_asce, level - 4, raddr,
                                   flags, rw);
     }
-
-    /* PTE */
-    if (new_asce & _PAGE_INVALID) {
-        DPRINTF("%s: PTE=0x%" PRIx64 " invalid\n", __func__, new_asce);
-        trigger_page_fault(env, vaddr, PGM_PAGE_TRANS, asc, rw);
-        return -1;
-    }
-
-    if (new_asce & _PAGE_RO) {
-        *flags &= ~PAGE_WRITE;
-    }
-
-    *raddr = new_asce & _ASCE_ORIGIN;
-
-    PTE_DPRINTF("%s: PTE=0x%" PRIx64 "\n", __func__, new_asce);
-
-    return 0;
 }
 
 static int mmu_translate_asc(CPUS390XState *env, target_ulong vaddr,
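Review bot: the new `level - 4 == _ASCE_TYPE_SEGMENT` branch needs a comment: it means the entry just fetched is a segment-table entry (the next level down would be the page table), so `_SEGMENT_ENTRY_FC` is only meaningful there. It is also worth stating what happens when FC is set but CR0_EDAT is clear: the entry then takes the "yet another region" branch and is walked as a page-table origin, so please confirm that combination is allowed to be walked rather than required to fault; if it must fault, a check here would be cheaper than a confusing translation later.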
-- 
1.9.1


* [Qemu-devel] [PATCH 025/156] s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

This patch creates empty function stubs (used by the gdbserver) in preparation
for the hw debugging support by kvm on s390, which will enable the
__KVM_HAVE_GUEST_DEBUG define in the linux headers and require these methods on
the qemu side.

Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 8c0124490bcd78c9c54139cd654c71c5fbd95e6b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-s390x/kvm.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index b00a661..ef4d5cc 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -362,6 +362,26 @@ int kvm_arch_remove_sw_breakpoint(CPUState *cs, struct kvm_sw_breakpoint *bp)
     return 0;
 }
 
+int kvm_arch_insert_hw_breakpoint(target_ulong addr,
+                                  target_ulong len, int type)
+{
+    return -ENOSYS;
+}
+
+int kvm_arch_remove_hw_breakpoint(target_ulong addr,
+                                  target_ulong len, int type)
+{
+    return -ENOSYS;
+}
+
+void kvm_arch_remove_all_hw_breakpoints(void)
+{
+}
+
+void kvm_arch_update_guest_debug(CPUState *cpu, struct kvm_guest_debug *dbg)
+{
+}
+
 void kvm_arch_pre_run(CPUState *cpu, struct kvm_run *run)
 {
 }
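Review bot: the stubs return -ENOSYS, which is the right signal to the generic gdbstub code that hardware breakpoints are unsupported, but kvm_arch_update_guest_debug silently leaves *dbg untouched; a one-line comment saying that hw debugging is not wired up yet (and that the real implementation arrives with __KVM_HAVE_GUEST_DEBUG) would save the next reader a trip to the commit log.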
@@ -812,6 +832,11 @@ static int handle_tsch(S390CPU *cpu)
     return ret;
 }
 
+static int kvm_arch_handle_debug_exit(S390CPU *cpu)
+{
+    return -ENOSYS;
+}
+
 int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
 {
     S390CPU *cpu = S390_CPU(cs);
@@ -827,6 +852,9 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
         case KVM_EXIT_S390_TSCH:
             ret = handle_tsch(cpu);
             break;
+        case KVM_EXIT_DEBUG:
+            ret = kvm_arch_handle_debug_exit(cpu);
+            break;
         default:
             fprintf(stderr, "Unknown KVM exit: %d\n", run->exit_reason);
             break;
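Review bot: returning -ENOSYS from kvm_arch_handle_debug_exit makes a KVM_EXIT_DEBUG exit a hard failure of kvm_arch_handle_exit with no diagnostic at all, whereas the `default:` branch at least prints the exit reason. If such an exit can arrive before the real handler lands, either log it the way the default case does or return 0 so the guest resumes; a silent -ENOSYS is the hardest variant to debug.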
-- 
1.9.1


* [Qemu-devel] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Michael Tokarev <mjt@tls.msk.ru>

The rule for messages.po appears to be slightly wrong.
Move the `cd' command within parens.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Stefan Weil <sw@weilnetz.de>
(cherry picked from commit b920cad6693d6f2baa0217543c9f9cca5ebaf6ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 po/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/po/Makefile b/po/Makefile
index 705166e..669f865 100644
--- a/po/Makefile
+++ b/po/Makefile
@@ -37,8 +37,8 @@ install: $(OBJS)
 	$(call quiet-command, msgfmt -o $@ $<, "  GEN   $@")
 
 $(PO_PATH)/messages.po: $(SRC_PATH)/ui/gtk.c
-	$(call quiet-command, cd $(SRC_PATH) && \
-	 (xgettext -o - --from-code=UTF-8 --foreign-user \
+	$(call quiet-command, ( cd $(SRC_PATH) && \
+          xgettext -o - --from-code=UTF-8 --foreign-user \
 	    --package-name=QEMU --package-version=$(VERSION) \
 	    --msgid-bugs-address=qemu-devel@nongnu.org -k_ -C ui/gtk.c | \
 	  sed -e s/CHARSET/UTF-8/) >$@, "  GEN   $@")
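Review bot: the commit message should say what was actually wrong: with `cd $(SRC_PATH) &&` outside the parentheses, the `>$@` redirection at the end of the recipe was evaluated after the directory change, so a relative target path pointed into the source tree instead of the build directory; moving the `cd` inside the subshell keeps the redirect in the build directory. Style: the continuation line `xgettext -o - ...` is now indented with spaces while the neighbouring lines use a tab; harmless inside a backslash-continued recipe, but worth matching.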
-- 
1.9.1


* [Qemu-devel] [PATCH 027/156] acpi: fix tables for no-hpet configuration
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled.  If no tables follow hpet, this could lead to a malformed
rsdt.

Fix it up.

To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.

Reported-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
(cherry picked from commit 9ac1c4c07e7e6ab16a3e2149e9b32c0d092cb3f5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/acpi-build.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 1f22fb6..8988047 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1075,15 +1075,16 @@ void acpi_build(PcGuestInfo *guest_info, AcpiBuildTables *tables)
     /* ACPI tables pointed to by RSDT */
     acpi_add_table(table_offsets, tables->table_data);
     build_fadt(tables->table_data, tables->linker, &pm, facs, dsdt);
-    acpi_add_table(table_offsets, tables->table_data);
 
+    acpi_add_table(table_offsets, tables->table_data);
     build_ssdt(tables->table_data, tables->linker, &cpu, &pm, &misc, &pci,
                guest_info);
-    acpi_add_table(table_offsets, tables->table_data);
 
-    build_madt(tables->table_data, tables->linker, &cpu, guest_info);
     acpi_add_table(table_offsets, tables->table_data);
+    build_madt(tables->table_data, tables->linker, &cpu, guest_info);
+
     if (misc.has_hpet) {
+        acpi_add_table(table_offsets, tables->table_data);
         build_hpet(tables->table_data, tables->linker);
     }
     if (guest_info->numa_nodes) {
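Review bot: the trailing context `if (guest_info->numa_nodes) {` is cut off, so this hunk alone does not show whether the SRAT block below follows the new add-then-build ordering; please confirm it does, since the stated goal is that every `acpi_add_table()` call records the offset of the table built immediately after it. With the HPET call now inside the `if (misc.has_hpet)` block, a guest without HPET no longer gets a dangling RSDT entry, which is the fix; a short comment above `acpi_add_table()` stating the convention would stop the old pattern from creeping back.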
-- 
1.9.1


* [Qemu-devel] [PATCH 028/156] vmxnet3: validate interrupt indices coming from guest
From: Michael Roth @ 2014-07-08 17:16 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Dmitry Fleytman <dmitry@daynix.com>

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-2-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 8c6c0478996e8f77374e69b6df68655b0b4ba689)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/vmxnet3.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 19687aa..7c709ca 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -52,6 +52,9 @@
 #define VMXNET3_DEVICE_VERSION    0x1
 #define VMXNET3_DEVICE_REVISION   0x1
 
+/* Number of interrupt vectors for non-MSIx modes */
+#define VMXNET3_MAX_NMSIX_INTRS   (1)
+
 /* Macros for rings descriptors access */
 #define VMXNET3_READ_TX_QUEUE_DESCR8(dpa, field) \
     (vmw_shmem_ld8(dpa + offsetof(struct Vmxnet3_TxQueueDesc, field)))
@@ -1305,6 +1308,34 @@ static bool vmxnet3_verify_intx(VMXNET3State *s, int intx)
            (pci_get_byte(s->parent_obj.config + PCI_INTERRUPT_PIN) - 1));
 }
 
+static void vmxnet3_validate_interrupt_idx(bool is_msix, int idx)
+{
+    int max_ints = is_msix ? VMXNET3_MAX_INTRS : VMXNET3_MAX_NMSIX_INTRS;
+    if (idx >= max_ints) {
+        hw_error("Bad interrupt index: %d\n", idx);
+    }
+}
+
+static void vmxnet3_validate_interrupts(VMXNET3State *s)
+{
+    int i;
+
+    VMW_CFPRN("Verifying event interrupt index (%d)", s->event_int_idx);
+    vmxnet3_validate_interrupt_idx(s->msix_used, s->event_int_idx);
+
+    for (i = 0; i < s->txq_num; i++) {
+        int idx = s->txq_descr[i].intr_idx;
+        VMW_CFPRN("Verifying TX queue %d interrupt index (%d)", i, idx);
+        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
+    }
+
+    for (i = 0; i < s->rxq_num; i++) {
+        int idx = s->rxq_descr[i].intr_idx;
+        VMW_CFPRN("Verifying RX queue %d interrupt index (%d)", i, idx);
+        vmxnet3_validate_interrupt_idx(s->msix_used, idx);
+    }
+}
+
 static void vmxnet3_activate_device(VMXNET3State *s)
 {
     int i;
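Review bot: vmxnet3_validate_interrupt_idx only checks `idx >= max_ints`; `idx` is a plain int assigned from `intr_idx` and `event_int_idx`, so if those fields are (or ever become) signed, a negative value passes the check. Comparing as unsigned, or adding `idx < 0` to the condition, closes that gap independently of the field types. Note also that hw_error() aborts the whole QEMU process on guest-supplied input; that is the established pattern for a misbehaving driver and far better than the out-of-bounds access it replaces, but if refusing activation with a VMW_WRPRN is feasible it would keep a buggy guest driver from taking the VM down.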
@@ -1447,6 +1478,8 @@ static void vmxnet3_activate_device(VMXNET3State *s)
                sizeof(s->rxq_descr[i].rxq_stats));
     }
 
+    vmxnet3_validate_interrupts(s);
+
     /* Make sure everything is in place before device activation */
     smp_wmb();
 
@@ -2007,7 +2040,6 @@ vmxnet3_cleanup_msix(VMXNET3State *s)
     }
 }
 
-#define VMXNET3_MSI_NUM_VECTORS   (1)
 #define VMXNET3_MSI_OFFSET        (0x50)
 #define VMXNET3_USE_64BIT         (true)
 #define VMXNET3_PER_VECTOR_MASK   (false)
@@ -2018,7 +2050,7 @@ vmxnet3_init_msi(VMXNET3State *s)
     PCIDevice *d = PCI_DEVICE(s);
     int res;
 
-    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MSI_NUM_VECTORS,
+    res = msi_init(d, VMXNET3_MSI_OFFSET, VMXNET3_MAX_NMSIX_INTRS,
                    VMXNET3_USE_64BIT, VMXNET3_PER_VECTOR_MASK);
     if (0 > res) {
         VMW_WRPRN("Failed to initialize MSI, error %d", res);
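Review bot: reusing VMXNET3_MAX_NMSIX_INTRS both for msi_init() and as the bound in vmxnet3_validate_interrupt_idx keeps the allocated vector count and the validation limit from drifting apart; a comment at the definition saying it is shared by both would preserve that intent for whoever next changes the MSI vector count.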
-- 
1.9.1


* [Qemu-devel] [PATCH 029/156] vmxnet3: validate queues configuration coming from guest
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Dmitry Fleytman <dmitry@daynix.com>

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-3-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 9878d173f574df74bde0ff50b2f81009fbee81bb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/vmxnet3.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 7c709ca..0dd8c7a 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1336,6 +1336,23 @@ static void vmxnet3_validate_interrupts(VMXNET3State *s)
     }
 }
 
+static void vmxnet3_validate_queues(VMXNET3State *s)
+{
+    /*
+    * txq_num and rxq_num are total number of queues
+    * configured by guest. These numbers must not
+    * exceed corresponding maximal values.
+    */
+
+    if (s->txq_num > VMXNET3_DEVICE_MAX_TX_QUEUES) {
+        hw_error("Bad TX queues number: %d\n", s->txq_num);
+    }
+
+    if (s->rxq_num > VMXNET3_DEVICE_MAX_RX_QUEUES) {
+        hw_error("Bad RX queues number: %d\n", s->rxq_num);
+    }
+}
+
 static void vmxnet3_activate_device(VMXNET3State *s)
 {
     int i;
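Review bot: hw_error() prints txq_num and rxq_num with %d while the VMW_CFPRN in the next hunk prints the same fields with %u; pick the format that matches the fields' type. Style: the comment block's continuation lines should put the `*` under the `*` of the opening `/*` (one more space), per QEMU's coding style.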
@@ -1382,7 +1399,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
         VMXNET3_READ_DRV_SHARED8(s->drv_shmem, devRead.misc.numRxQueues);
 
     VMW_CFPRN("Number of TX/RX queues %u/%u", s->txq_num, s->rxq_num);
-    assert(s->txq_num <= VMXNET3_DEVICE_MAX_TX_QUEUES);
+    vmxnet3_validate_queues(s);
 
     qdescr_table_pa =
         VMXNET3_READ_DRV_SHARED64(s->drv_shmem, devRead.misc.queueDescPA);
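Review bot: replacing the assert() with vmxnet3_validate_queues() is the right fix for two reasons visible here: assert() disappears under NDEBUG, and the old check covered only txq_num, so the rxq_num bound was never enforced before this patch. Since qdescr_table_pa is read right after the call, please confirm nothing between reading numTxQueues/numRxQueues and this point indexes txq_descr or rxq_descr (the preceding context shows only the print).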
-- 
1.9.1


* [Qemu-devel] [PATCH 030/156] vmxnet3: validate interrupt indices read on migration
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Dmitry Fleytman <dmitry@daynix.com>

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-4-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 3c99afc779c2c78718a565ad8c5e98de7c2c7484)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/vmxnet3.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 0dd8c7a..b9ed47a 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2393,6 +2393,8 @@ static int vmxnet3_post_load(void *opaque, int version_id)
         }
     }
 
+    vmxnet3_validate_interrupts(s);
+
     return 0;
 }
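Review bot: vmxnet3_validate_interrupts() fails via hw_error(), which abort()s the process; on a migration destination that kills the receiving QEMU instead of failing the incoming migration, which post_load can do by returning -1 (the source VM then stays running). A variant that returns an error would be the gentler failure mode for a corrupted or hostile stream. Also, with this patch alone the loops inside vmxnet3_validate_interrupts() walk txq_num and rxq_num entries of txq_descr/rxq_descr on the migration path before those counts have been validated, so the queue check needs to run first.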
 
-- 
1.9.1


* [Qemu-devel] [PATCH 031/156] vmxnet3: validate queues configuration read on migration
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Dmitry Fleytman <dmitry@daynix.com>

CVE-2013-4544

Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-5-git-send-email-dmitry@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit f12d048a523780dbda702027d4a91b62af1a08d7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/vmxnet3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index b9ed47a..bbb4fe5 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -2393,6 +2393,7 @@ static int vmxnet3_post_load(void *opaque, int version_id)
         }
     }
 
+    vmxnet3_validate_queues(s);
     vmxnet3_validate_interrupts(s);
 
     return 0;
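Review bot: the ordering is the important part and deserves a one-line comment: vmxnet3_validate_queues() must run before vmxnet3_validate_interrupts() because the latter loops over txq_num/rxq_num entries of txq_descr/rxq_descr, so validating the counts first is what closes the out-of-bounds read on migration load. Without the comment a later reorder could silently reintroduce it.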
-- 
1.9.1


* [Qemu-devel] [PATCH 032/156] vmstate: reduce code duplication
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

Move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 35fc1f71899fd42323bd8f33da18f0211e0d2727)

Conflicts:
	vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 savevm.c | 100 +++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 52 insertions(+), 48 deletions(-)

diff --git a/savevm.c b/savevm.c
index 3f912dd..2c87455 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1673,6 +1673,50 @@ static void vmstate_subsection_save(QEMUFile *f, const VMStateDescription *vmsd,
 static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
                                    void *opaque);
 
+static int vmstate_n_elems(void *opaque, VMStateField *field)
+{
+    int n_elems = 1;
+
+    if (field->flags & VMS_ARRAY) {
+        n_elems = field->num;
+    } else if (field->flags & VMS_VARRAY_INT32) {
+        n_elems = *(int32_t *)(opaque+field->num_offset);
+    } else if (field->flags & VMS_VARRAY_UINT32) {
+        n_elems = *(uint32_t *)(opaque+field->num_offset);
+    } else if (field->flags & VMS_VARRAY_UINT16) {
+        n_elems = *(uint16_t *)(opaque+field->num_offset);
+    } else if (field->flags & VMS_VARRAY_UINT8) {
+        n_elems = *(uint8_t *)(opaque+field->num_offset);
+    }
+
+    return n_elems;
+}
+
+static int vmstate_size(void *opaque, VMStateField *field)
+{
+    int size = field->size;
+
+    if (field->flags & VMS_VBUFFER) {
+        size = *(int32_t *)(opaque+field->size_offset);
+        if (field->flags & VMS_MULTIPLY) {
+            size *= field->size;
+        }
+    }
+
+    return size;
+}
+
+static void *vmstate_base_addr(void *opaque, VMStateField *field)
+{
+    void *base_addr = opaque + field->offset;
+
+    if (field->flags & VMS_POINTER) {
+        base_addr = *(void **)base_addr + field->start;
+    }
+
+    return base_addr;
+}
+
 int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
                        void *opaque, int version_id)
 {
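Review bot: vmstate_size() computes `size *= field->size` in int on a value read back from the object at size_offset, so for VMS_VBUFFER|VMS_MULTIPLY a large or negative stored size overflows silently; the old inline copies had the same weakness, but now that the computation lives in one place a bounds check, or at least a comment flagging that the value originates from loaded state, belongs here. Likewise vmstate_n_elems() returns a signed count straight from an int32_t field, so a negative value simply makes the element loop run zero times; fine, but worth documenting as intentional.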
@@ -1698,30 +1742,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
              field->field_exists(opaque, version_id)) ||
             (!field->field_exists &&
              field->version_id <= version_id)) {
-            void *base_addr = opaque + field->offset;
-            int i, n_elems = 1;
-            int size = field->size;
-
-            if (field->flags & VMS_VBUFFER) {
-                size = *(int32_t *)(opaque+field->size_offset);
-                if (field->flags & VMS_MULTIPLY) {
-                    size *= field->size;
-                }
-            }
-            if (field->flags & VMS_ARRAY) {
-                n_elems = field->num;
-            } else if (field->flags & VMS_VARRAY_INT32) {
-                n_elems = *(int32_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT32) {
-                n_elems = *(uint32_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT16) {
-                n_elems = *(uint16_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT8) {
-                n_elems = *(uint8_t *)(opaque+field->num_offset);
-            }
-            if (field->flags & VMS_POINTER) {
-                base_addr = *(void **)base_addr + field->start;
-            }
+            void *base_addr = vmstate_base_addr(opaque, field);
+            int i, n_elems = vmstate_n_elems(opaque, field);
+            int size = vmstate_size(opaque, field);
+
             for (i = 0; i < n_elems; i++) {
                 void *addr = base_addr + size * i;
 
@@ -1762,30 +1786,10 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
     while(field->name) {
         if (!field->field_exists ||
             field->field_exists(opaque, vmsd->version_id)) {
-            void *base_addr = opaque + field->offset;
-            int i, n_elems = 1;
-            int size = field->size;
-
-            if (field->flags & VMS_VBUFFER) {
-                size = *(int32_t *)(opaque+field->size_offset);
-                if (field->flags & VMS_MULTIPLY) {
-                    size *= field->size;
-                }
-            }
-            if (field->flags & VMS_ARRAY) {
-                n_elems = field->num;
-            } else if (field->flags & VMS_VARRAY_INT32) {
-                n_elems = *(int32_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT32) {
-                n_elems = *(uint32_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT16) {
-                n_elems = *(uint16_t *)(opaque+field->num_offset);
-            } else if (field->flags & VMS_VARRAY_UINT8) {
-                n_elems = *(uint8_t *)(opaque+field->num_offset);
-            }
-            if (field->flags & VMS_POINTER) {
-                base_addr = *(void **)base_addr + field->start;
-            }
+            void *base_addr = vmstate_base_addr(opaque, field);
+            int i, n_elems = vmstate_n_elems(opaque, field);
+            int size = vmstate_size(opaque, field);
+
             for (i = 0; i < n_elems; i++) {
                 void *addr = base_addr + size * i;
 
-- 
1.9.1


* [Qemu-devel] [PATCH 033/156] vmstate: add VMS_MUST_EXIST
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)

Conflicts:
	vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/migration/vmstate.h |  1 +
 savevm.c                    | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 9d09e60..13fb78d 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -100,6 +100,7 @@ enum VMStateFlags {
     VMS_MULTIPLY         = 0x200,  /* multiply "size" field by field_size */
     VMS_VARRAY_UINT8     = 0x400,  /* Array with size in uint8_t field*/
     VMS_VARRAY_UINT32    = 0x800,  /* Array with size in uint32_t field*/
+    VMS_MUST_EXIST       = 0x1000, /* Field must exist in input */
 };
 
 typedef struct {
diff --git a/savevm.c b/savevm.c
index 2c87455..8a22807 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1762,6 +1762,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
                     return ret;
                 }
             }
+        } else if (field->flags & VMS_MUST_EXIST) {
+            fprintf(stderr, "Input validation failed: %s/%s\n",
+                    vmsd->name, field->name);
+            return -1;
         }
         field++;
     }
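Review bot: the load-side failure message uses fprintf(stderr) rather than error_report(), which the rest of the migration code prefers and which formats messages consistently. The logic is right: a field that is absent (field_exists false, or version_id newer than the stream) and flagged VMS_MUST_EXIST now fails the load with -1 instead of being silently skipped.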
@@ -1802,6 +1806,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
                     field->info->put(f, addr, size);
                 }
             }
+        } else {
+            if (field->flags & VMS_MUST_EXIST) {
+                fprintf(stderr, "Output state validation failed: %s/%s\n",
+                        vmsd->name, field->name);
+                assert(!(field->flags & VMS_MUST_EXIST));
+            }
         }
         field++;
     }
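Review bot: `assert(!(field->flags & VMS_MUST_EXIST))` is executed only inside `if (field->flags & VMS_MUST_EXIST)`, so it is an unconditional abort written as an assertion; it reads oddly and vanishes under NDEBUG, after which a save with a missing required field merely prints a message and continues. abort() or g_assert_not_reached() after the message states the intent directly.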
-- 
1.9.1


* [Qemu-devel] [PATCH 034/156] vmstate: add VMSTATE_VALIDATE
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/migration/vmstate.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 13fb78d..3007d89 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
     .offset       = vmstate_offset_value(_state, _field, _type),     \
 }
 
+/* Validate state using a boolean predicate. */
+#define VMSTATE_VALIDATE(_name, _test) { \
+    .name         = (_name),                                         \
+    .field_exists = (_test),                                         \
+    .flags        = VMS_ARRAY | VMS_MUST_EXIST,                      \
+    .num          = 0, /* 0 elements: no data, only run _test */     \
+}
+
 #define VMSTATE_POINTER(_field, _state, _version, _info, _type) {    \
     .name       = (stringify(_field)),                               \
     .version_id = (_version),                                        \
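Review bot: the macro leaves .version_id, .size and .info at zero, which is intentional because num = 0 makes the element loop in vmstate_load_state()/vmstate_save_state() run zero times, but the comment only says "no data, only run _test". Spell out that _test has the field_exists signature `bool (*)(void *opaque, int version_id)`, that it is evaluated on both save and load, and that a false result fails the load through VMS_MUST_EXIST, so predicates must be side-effect free and encode invariants the device itself guarantees.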
-- 
1.9.1


* [Qemu-devel] [PATCH 035/156] virtio-net: fix buffer overflow on invalid state load
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int, so it can get negative when assigned a 32-bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with a good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example, 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 include/hw/virtio/virtio-net.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
index df60f16..4b32440 100644
--- a/include/hw/virtio/virtio-net.h
+++ b/include/hw/virtio/virtio-net.h
@@ -176,8 +176,8 @@ typedef struct VirtIONet {
     uint8_t nobcast;
     uint8_t vhost_started;
     struct {
-        int in_use;
-        int first_multi;
+        uint32_t in_use;
+        uint32_t first_multi;
         uint8_t multi_overflow;
         uint8_t uni_overflow;
         uint8_t *macs;
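Review bot: the commit message says no arithmetic is ever done on these two fields, but the quoted load path computes `n->mac_table.in_use * ETH_ALEN`; with in_use now uint32_t that product is only safe because the `<= MAC_TABLE_ENTRIES` comparison runs on an unsigned value first, so the check must stay ahead of any use of the product. Worth stating that dependency in the message, and any format string that prints these fields with %d should move to %u.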
-- 
1.9.1


* [Qemu-devel] [PATCH 036/156] virtio-net: out-of-bounds buffer write on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (34 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 035/156] virtio-net: fix buffer overflow on invalid state load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 037/156] virtio-net: out-of-bounds buffer write on load Michael Roth
                   ` (120 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

The number of vqs is max_queues, so if we get invalid input here,
for example max_queues = 2, curr_queues = 3, we get a write beyond
the end of the buffer, with data that comes from the wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index ec96862..e00d1c0 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1387,6 +1387,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         }
 
         n->curr_queues = qemu_get_be16(f);
+        if (n->curr_queues > n->max_queues) {
+            error_report("virtio-net: curr_queues %x > max_queues %x",
+                         n->curr_queues, n->max_queues);
+            return -1;
+        }
         for (i = 1; i < n->curr_queues; i++) {
             n->vqs[i].tx_waiting = qemu_get_be32(f);
         }
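Review bot: the bound is right for the loop that follows (vqs[] has max_queues entries and the loop writes indices 1..curr_queues-1), but the error message prints both values with a bare %x, so a value of 16 shows up as "10" and reads like decimal; use "%u" or "0x%x" as the virtio_load check later in this series does ("Invalid number of PCI queues: 0x%x").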
-- 
1.9.1


* [Qemu-devel] [PATCH 037/156] virtio-net: out-of-bounds buffer write on load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (35 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 036/156] virtio-net: out-of-bounds buffer write " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load Michael Roth
                   ` (119 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read n->mac_table.in_use * ETH_ALEN bytes into that
n->mac_table.in_use-sized buffer, corrupting memory.

If the adversary controls the state, then the memory written there is
controlled by the adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index e00d1c0..29c5f35 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1342,10 +1342,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
             qemu_get_buffer(f, n->mac_table.macs,
                             n->mac_table.in_use * ETH_ALEN);
-        } else if (n->mac_table.in_use) {
-            uint8_t *buf = g_malloc0(n->mac_table.in_use);
-            qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
-            g_free(buf);
+        } else {
+            int64_t i;
+
+            /* Overflow detected - can happen if source has a larger MAC table.
+             * We simply set overflow flag so there's no need to maintain the
+             * table of addresses, discard them all.
+             * Note: 64 bit math to avoid integer overflow.
+             */
+            for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
+                qemu_get_byte(f);
+            }
             n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
             n->mac_table.in_use = 0;
         }
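Review bot: the discard loop consumes the oversized table one byte at a time, and because in_use is a uint32_t the bound `(int64_t)n->mac_table.in_use * ETH_ALEN` can reach roughly 24 GiB, i.e. billions of qemu_get_byte() calls on a stream that has most likely already ended (end of stream does not stop the loop). Consider rejecting an in_use value that no saving side can legitimately produce, or checking qemu_file_get_error(f) inside the loop so a truncated stream bails out early instead of spinning.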
-- 
1.9.1


* [Qemu-devel] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (36 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 037/156] virtio-net: out-of-bounds buffer write on load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 039/156] ahci: fix buffer overrun " Michael Roth
                   ` (118 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

The array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond the end of the buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 965b2c0..8dc3cb3 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -888,7 +888,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
-    int num, i, ret;
+    int i, ret;
+    uint32_t num;
     uint32_t features;
     uint32_t supported_features;
     BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
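Review bot: num becomes uint32_t while i stays int, so `i < num` in the loop below is a signed/unsigned comparison that -Wsign-compare flags; the new bound keeps num small enough that it is harmless, but declaring i unsigned alongside num would keep the loop comparison clean.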
@@ -916,6 +917,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 
     num = qemu_get_be32(f);
 
+    if (num > VIRTIO_PCI_QUEUE_MAX) {
+        error_report("Invalid number of PCI queues: 0x%x", num);
+        return -1;
+    }
+
     for (i = 0; i < num; i++) {
         vdev->vq[i].vring.num = qemu_get_be32(f);
         if (k->has_variable_vring_alignment) {
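Review bot: `num > VIRTIO_PCI_QUEUE_MAX` is the right comparison, since the loop indexes vq[0..num-1] and vq[] has VIRTIO_PCI_QUEUE_MAX entries; the error_report() here is also a good model for the other bound checks in this series, several of which return -1 silently (the queue_sel check in patch 045, for instance).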
-- 
1.9.1


* [Qemu-devel] [PATCH 039/156] ahci: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (37 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 040/156] hpet: " Michael Roth
                   ` (117 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ide/ahci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index fbea9e8..e321274 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1290,7 +1290,7 @@ const VMStateDescription vmstate_ahci = {
         VMSTATE_UINT32(control_regs.impl, AHCIState),
         VMSTATE_UINT32(control_regs.version, AHCIState),
         VMSTATE_UINT32(idp_index, AHCIState),
-        VMSTATE_INT32(ports, AHCIState),
+        VMSTATE_INT32_EQUAL(ports, AHCIState),
         VMSTATE_END_OF_LIST()
     },
 };
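Review bot: VMSTATE_INT32_EQUAL makes the load fail whenever the incoming ports differs from the value the destination was configured with, so the VARRAY that used to be sized by a stale local ports is now sized by a verified one; the field keeps its position in the stream, so the wire format is unchanged and older images still load. The commit message should say explicitly that migration between machines configured with a different number of ports is now rejected by design.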
-- 
1.9.1


* [Qemu-devel] [PATCH 040/156] hpet: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (38 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 039/156] ahci: fix buffer overrun " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns " Michael Roth
                   ` (116 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but a static array of 32.

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/timer/hpet.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index c6c2803..60892da 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -227,6 +227,18 @@ static int hpet_pre_load(void *opaque)
     return 0;
 }
 
+static bool hpet_validate_num_timers(void *opaque, int version_id)
+{
+    HPETState *s = opaque;
+
+    if (s->num_timers < HPET_MIN_TIMERS) {
+        return false;
+    } else if (s->num_timers > HPET_MAX_TIMERS) {
+        return false;
+    }
+    return true;
+}
+
 static int hpet_post_load(void *opaque, int version_id)
 {
     HPETState *s = opaque;
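Review bot: the two branches returning false could collapse to `return s->num_timers >= HPET_MIN_TIMERS && s->num_timers <= HPET_MAX_TIMERS;`. More importantly, the commit message says the static array holds 32 entries, so this check only protects the array if HPET_MAX_TIMERS is that array's size; a comment (or an ARRAY_SIZE-based bound) tying the two together would stop the macro and the array from drifting apart.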
@@ -295,6 +307,7 @@ static const VMStateDescription vmstate_hpet = {
         VMSTATE_UINT64(isr, HPETState),
         VMSTATE_UINT64(hpet_counter, HPETState),
         VMSTATE_UINT8_V(num_timers, HPETState, 2),
+        VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
         VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
                                     vmstate_hpet_timer, HPETTimer),
         VMSTATE_END_OF_LIST()
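Review bot: ordering is what makes this work: VMSTATE_VALIDATE runs after num_timers has been read and before VMSTATE_STRUCT_VARRAY_UINT8 uses it as the element count, so the entry must stay between those two fields; a one-line comment saying so would keep a future reordering from reopening the overrun.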
-- 
1.9.1


* [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (39 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 040/156] hpet: " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 042/156] pl022: fix buffer overun " Michael Roth
                   ` (115 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
                     too large

There are two issues in this file:
1. log_max from the remote can be larger than on the local side;
then the buffer will overrun with data coming from the state file.
2. log_num can be larger; then we get data corruption,
again with an overflow, but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pcie_aer.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
index 991502e..535be2c 100644
--- a/hw/pci/pcie_aer.c
+++ b/hw/pci/pcie_aer.c
@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
     }
 };
 
+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
+{
+    PCIEAERLog *s = opaque;
+
+    return s->log_num <= s->log_max;
+}
+
 const VMStateDescription vmstate_pcie_aer_log = {
     .name = "PCIE_AER_ERROR_LOG",
     .version_id = 1,
@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
     .minimum_version_id_old = 1,
     .fields     = (VMStateField[]) {
         VMSTATE_UINT16(log_num, PCIEAERLog),
-        VMSTATE_UINT16(log_max, PCIEAERLog),
+        VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
+        VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
         VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
                               vmstate_pcie_aer_err, PCIEAERErr),
         VMSTATE_END_OF_LIST()
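Review bot: with log_max now VMSTATE_UINT16_EQUAL, a mismatched log_max fails the load before the validator runs, and the validator then bounds log_num by a log_max known to match the local allocation, so VMSTATE_STRUCT_VARRAY_POINTER_UINT16 cannot overrun; the three entries must keep this order (log_num, log_max, VALIDATE, then the array), which is worth noting inline.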
-- 
1.9.1


* [Qemu-devel] [PATCH 042/156] pl022: fix buffer overun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (40 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign Michael Roth
                   ` (114 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ssi/pl022.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
index fd479ef..b19bc71 100644
--- a/hw/ssi/pl022.c
+++ b/hw/ssi/pl022.c
@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+static int pl022_post_load(void *opaque, int version_id)
+{
+    PL022State *s = opaque;
+
+    if (s->tx_fifo_head < 0 ||
+        s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
+        s->rx_fifo_head < 0 ||
+        s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
+        return -1;
+    }
+    return 0;
+}
+
 static const VMStateDescription vmstate_pl022 = {
     .name = "pl022_ssp",
     .version_id = 1,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
+    .post_load = pl022_post_load,
     .fields      = (VMStateField[]) {
         VMSTATE_UINT32(cr0, PL022State),
         VMSTATE_UINT32(cr1, PL022State),
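Review bot: post_load runs once every field has been read, so the fifo heads are checked before anything indexes tx_fifo/rx_fifo, which is the right place. Two small points: returning -1 here while the other loaders in this series return -EINVAL (pxa2xx_ssp_load, ssi_sd_load) is inconsistent, and the `< 0` tests are only meaningful if the head fields are signed, which the hunk does not show; a note on their type would make the check self-explanatory.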
-- 
1.9.1


* [Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (41 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 042/156] pl022: fix buffer overun " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c Michael Roth
                   ` (113 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

Fix comparison of vmstate_info_int32_le so that it succeeds if loaded
value is (l)ess than or (e)qual

When the comparison succeeds, assign the value loaded
  This is a change in behaviour but I think the original intent, since
  the idea is to check if the version/size of the thing you're loading is
  less than some limit, but you might well want to do something based on
  the actual version/size in the file

Fix up comment and name text

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 24a370ef2351dc596a7e47508b952ddfba79ef94)

Conflicts:
	vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 savevm.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/savevm.c b/savevm.c
index 8a22807..40054cf 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1111,22 +1111,24 @@ const VMStateInfo vmstate_info_int32_equal = {
     .put  = put_int32,
 };
 
-/* 32 bit int. See that the received value is the less or the same
-   than the one in the field */
+/* 32 bit int. Check that the received value is less than or equal to
+   the one in the field */
 
 static int get_int32_le(QEMUFile *f, void *pv, size_t size)
 {
-    int32_t *old = pv;
-    int32_t new;
-    qemu_get_sbe32s(f, &new);
+    int32_t *cur = pv;
+    int32_t loaded;
+    qemu_get_sbe32s(f, &loaded);
 
-    if (*old <= new)
+    if (loaded <= *cur) {
+        *cur = loaded;
         return 0;
+    }
     return -EINVAL;
 }
 
 const VMStateInfo vmstate_info_int32_le = {
-    .name = "int32 equal",
+    .name = "int32 le",
     .get  = get_int32_le,
     .put  = put_int32,
 };
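Review bot: the corrected comparison still accepts a negative loaded value (int32_t is signed, and any negative number satisfies `loaded <= *cur`), and since the loaded value is now written back into the field, a VARRAY sized by it would be driven by a negative count; the check should also require `loaded >= 0`, which is exactly what the next patch in this series adds.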
-- 
1.9.1


* [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (42 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration Michael Roth
                   ` (112 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to validate the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)

Conflicts:
	vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 savevm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/savevm.c b/savevm.c
index 40054cf..b436732 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1111,8 +1111,9 @@ const VMStateInfo vmstate_info_int32_equal = {
     .put  = put_int32,
 };
 
-/* 32 bit int. Check that the received value is less than or equal to
-   the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
 
 static int get_int32_le(QEMUFile *f, void *pv, size_t size)
 {
@@ -1120,7 +1121,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
     int32_t loaded;
     qemu_get_sbe32s(f, &loaded);
 
-    if (loaded <= *cur) {
+    if (loaded >= 0 && loaded <= *cur) {
         *cur = loaded;
         return 0;
     }
-- 
1.9.1


* [Qemu-devel] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (43 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 046/156] openpic: " Michael Roth
                   ` (111 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 8dc3cb3..705fad9 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -904,6 +904,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     qemu_get_8s(f, &vdev->status);
     qemu_get_8s(f, &vdev->isr);
     qemu_get_be16s(f, &vdev->queue_sel);
+    if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
+        return -1;
+    }
     qemu_get_be32s(f, &features);
 
     if (virtio_set_features(vdev, features) < 0) {
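Review bot: the new check returns -1 without any diagnostic, unlike the queue-count check added to the same function earlier in this series, which calls error_report(); a message naming the rejected queue_sel value makes a failed migration debuggable. `>=` is the right operator here because queue_sel is an index into vq[], whereas num in that earlier check is a count.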
-- 
1.9.1


* [Qemu-devel] [PATCH 046/156] openpic: avoid buffer overrun on incoming migration
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (44 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping Michael Roth
                   ` (110 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/intc/openpic.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index 7df72f4..ede1bc4 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -41,6 +41,7 @@
 #include "hw/sysbus.h"
 #include "hw/pci/msi.h"
 #include "qemu/bitops.h"
+#include "qapi/qmp/qerror.h"
 
 //#define DEBUG_OPENPIC
 
@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q)
 static int openpic_load(QEMUFile* f, void *opaque, int version_id)
 {
     OpenPICState *opp = (OpenPICState *)opaque;
-    unsigned int i;
+    unsigned int i, nb_cpus;
 
     if (version_id != 1) {
         return -EINVAL;
@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id)
     qemu_get_be32s(f, &opp->spve);
     qemu_get_be32s(f, &opp->tfrr);
 
-    qemu_get_be32s(f, &opp->nb_cpus);
+    qemu_get_be32s(f, &nb_cpus);
+    if (opp->nb_cpus != nb_cpus) {
+        return -EINVAL;
+    }
+    assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
 
     for (i = 0; i < opp->nb_cpus; i++) {
         qemu_get_sbe32s(f, &opp->dst[i].ctpr);
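Review bot: refusing a wire value that differs from the local opp->nb_cpus is the fix, but the assert() that follows turns a bad local configuration into an abort during migration rather than a load error; since the realize hook in the last hunk rejects values above MAX_CPU, the only case the assert can still catch is nb_cpus == 0, which realize does not reject. Either make that a -EINVAL return as well or drop the assert.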
@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp)
         {NULL}
     };
 
+    if (opp->nb_cpus > MAX_CPU) {
+        error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
+                  TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus,
+                  (uint64_t)0, (uint64_t)MAX_CPU);
+        return;
+    }
+
     switch (opp->model) {
     case OPENPIC_MODEL_FSL_MPIC_20:
     default:
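Review bot: the range reported here is 0..MAX_CPU, so nb_cpus == 0 passes realize, yet openpic_load() asserts nb_cpus > 0; either reject 0 in this check (and report the minimum as 1) or remove the `> 0` term from the assert so the two paths agree on what a valid configuration is.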
-- 
1.9.1


* [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (45 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 046/156] openpic: " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration Michael Roth
                   ` (109 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read VirtQueueElements in as
buffers and pass them to virtqueue_map_sg(), where num_sg is taken
from the wire and can force writes to indices beyond
VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 705fad9..c2c9b5a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -427,6 +427,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
     unsigned int i;
     hwaddr len;
 
+    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+        error_report("virtio: map attempt out of bounds: %zd > %d",
+                     num_sg, VIRTQUEUE_MAX_SIZE);
+        exit(1);
+    }
+
     for (i = 0; i < num_sg; i++) {
         len = sg[i].iov_len;
         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
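Review bot: the condition rejects num_sg == VIRTQUEUE_MAX_SIZE while the message says `>`; if sg[] and addr[] hold VIRTQUEUE_MAX_SIZE entries, a full element with num_sg == VIRTQUEUE_MAX_SIZE is valid and the test should be `>`, otherwise the message should read `>=`. One of the two should change so the log matches the check. Also, exit(1) on a value that comes from the wire makes a bad image fatal to the whole VM; the function returns void so it cannot propagate an error, but validating num_sg where the element is loaded would allow failing the migration instead.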
-- 
1.9.1


* [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (46 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load Michael Roth
                   ` (108 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/pxa2xx.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index 02b7016..daec57d 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -742,7 +742,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
 static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
 {
     PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
-    int i;
+    int i, v;
 
     s->enable = qemu_get_be32(f);
 
@@ -756,7 +756,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
     qemu_get_8s(f, &s->ssrsa);
     qemu_get_8s(f, &s->ssacd);
 
-    s->rx_level = qemu_get_byte(f);
+    v = qemu_get_byte(f);
+    if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+        return -EINVAL;
+    }
+    s->rx_level = v;
     s->rx_start = 0;
     for (i = 0; i < s->rx_level; i ++)
         s->rx_fifo[i] = qemu_get_byte(f);
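Review bot: `v > ARRAY_SIZE(s->rx_fifo)` allows rx_level == ARRAY_SIZE, which is correct for the fill loop (`i < s->rx_level` writes at most rx_fifo[size-1]). The `v < 0` term cannot be true for a byte read with qemu_get_byte(), so it is harmless, but its real job is to short-circuit before the int v is compared with the size_t ARRAY_SIZE; a comment would make that intent clear.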
-- 
1.9.1


* [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (47 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun " Michael Roth
                   ` (107 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/ssi-sd.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index 1bb56c4..90ff07b 100644
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
     for (i = 0; i < 5; i++)
         s->response[i] = qemu_get_be32(f);
     s->arglen = qemu_get_be32(f);
+    if (s->mode == SSI_SD_CMDARG &&
+        (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
+        return -EINVAL;
+    }
     s->response_pos = qemu_get_be32(f);
     s->stopping = qemu_get_be32(f);
+    if (s->mode == SSI_SD_RESPONSE &&
+        (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
+        (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
+        return -EINVAL;
+    }
 
     ss->cs = qemu_get_be32(f);
 
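Review bot: both new checks are conditional on s->mode, so arglen and response_pos are left unvalidated whenever the loaded mode is something other than SSI_SD_CMDARG or SSI_SD_RESPONSE; that is only sufficient if mode itself is validated earlier in ssi_sd_load (not visible in this hunk) and ssi_sd_transfer never indexes cmdarg or response in the remaining modes. Since a saved state with arglen >= ARRAY_SIZE(s->cmdarg) is never legitimate in any mode, validating unconditionally would be simpler and harder to get wrong; if the conditional form is kept, a comment should record why it is enough. The second condition also mixes bounds: `s->response_pos >= ARRAY_SIZE(s->response)` versus `s->arglen > ARRAY_SIZE(s->response)`, which deserves a comment if intentional.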
-- 
1.9.1


* [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (48 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun " Michael Roth
                   ` (106 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4538

s->cmd_len is used as an index in ssd0323_transfer() to store a 32-bit field.
Possibly this field might then be supplied by the guest to overwrite a
return addr somewhere. Same for the row/col fields, which are indices into
the framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index c3231c6..773414c 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id)
         return -EINVAL;
 
     s->cmd_len = qemu_get_be32(f);
+    if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
+        return -EINVAL;
+    }
     s->cmd = qemu_get_be32(f);
     for (i = 0; i < 8; i++)
         s->cmd_data[i] = qemu_get_be32(f);
     s->row = qemu_get_be32(f);
+    if (s->row < 0 || s->row >= 80) {
+        return -EINVAL;
+    }
     s->row_start = qemu_get_be32(f);
+    if (s->row_start < 0 || s->row_start >= 80) {
+        return -EINVAL;
+    }
     s->row_end = qemu_get_be32(f);
+    if (s->row_end < 0 || s->row_end >= 80) {
+        return -EINVAL;
+    }
     s->col = qemu_get_be32(f);
+    if (s->col < 0 || s->col >= 64) {
+        return -EINVAL;
+    }
     s->col_start = qemu_get_be32(f);
+    if (s->col_start < 0 || s->col_start >= 64) {
+        return -EINVAL;
+    }
     s->col_end = qemu_get_be32(f);
+    if (s->col_end < 0 || s->col_end >= 64) {
+        return -EINVAL;
+    }
     s->redraw = qemu_get_be32(f);
     s->remap = qemu_get_be32(f);
     s->mode = qemu_get_be32(f);
+    if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
+        return -EINVAL;
+    }
     qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
 
     ss->cs = qemu_get_be32(f);
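Review bot: the row/col limits 80 and 64 appear six times as bare literals in this hunk; deriving them from the framebuffer dimensions (a named constant shared with the declaration of s->framebuffer and with the row/col handling in ssd0323_transfer) keeps the load-time validation from silently drifting if the array size ever changes. Separately, the cmd_len check uses `>` where every row/col check uses `>=`, so cmd_len == ARRAY_SIZE(s->cmd_data) is accepted; whether that is safe depends on whether ssd0323_transfer indexes cmd_data at cmd_len or at cmd_len - 1, which the commit message ("used as index") does not settle, so a comment stating the intended range of cmd_len would help the next reader.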
-- 
1.9.1


* [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (49 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overrun " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 052/156] zaurus: " Michael Roth
                   ` (105 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/input/tsc210x.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
index 485c9e5..aa5b688 100644
--- a/hw/input/tsc210x.c
+++ b/hw/input/tsc210x.c
@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id)
     s->enabled = qemu_get_byte(f);
     s->host_mode = qemu_get_byte(f);
     s->function = qemu_get_byte(f);
+    if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
+        return -EINVAL;
+    }
     s->nextfunction = qemu_get_byte(f);
+    if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
+        return -EINVAL;
+    }
     s->precision = qemu_get_byte(f);
+    if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
+        return -EINVAL;
+    }
     s->nextprecision = qemu_get_byte(f);
+    if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
+        return -EINVAL;
+    }
     s->filter = qemu_get_byte(f);
     s->pin_func = qemu_get_byte(f);
     s->ref = qemu_get_byte(f);
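Review bot: the `< 0` halves of the four new checks only mean something if function, nextfunction, precision and nextprecision are signed fields; qemu_get_byte() returns the byte as a non-negative int, so if the struct members are uint8_t the test is dead and compilers warn that the comparison is always false. Worth confirming the field types and either dropping the sign test or loading into a local int first, as pxa2xx_ssp_load does in patch 048. Also, the commit message only names resolution[], while function and nextfunction are bounded by ARRAY_SIZE(mode_regs); the message should mention both arrays so the CVE record matches what is being validated.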
-- 
1.9.1


* [Qemu-devel] [PATCH 052/156] zaurus: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (50 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 053/156] virtio-scsi: " Michael Roth
                   ` (104 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/gpio/zaurus.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index dc79a8b..8e2ce04 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id)
     return version_id == 0;
 }
 
+static bool vmstate_scoop_validate(void *opaque, int version_id)
+{
+    ScoopInfo *s = opaque;
+
+    return !(s->prev_level & 0xffff0000) &&
+        !(s->gpio_level & 0xffff0000) &&
+        !(s->gpio_dir & 0xffff0000);
+}
+
 static const VMStateDescription vmstate_scoop_regs = {
     .name = "scoop",
     .version_id = 1,
@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = {
         VMSTATE_UINT32(gpio_level, ScoopInfo),
         VMSTATE_UINT32(gpio_dir, ScoopInfo),
         VMSTATE_UINT32(prev_level, ScoopInfo),
+        VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),
         VMSTATE_UINT16(mcr, ScoopInfo),
         VMSTATE_UINT16(cdr, ScoopInfo),
         VMSTATE_UINT16(ccr, ScoopInfo),
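Review bot: the VMSTATE_VALIDATE entry must stay after the three VMSTATE_UINT32 fields it inspects (gpio_level, gpio_dir, prev_level), exactly as placed here, because vmstate loads fields in declaration order and runs the validator when it reaches that entry; a short comment on the line would keep a future reordering of the field list from validating stale values. The 0xffff0000 mask in vmstate_scoop_validate matches the message's "limit to 16 bit", and the "irq levels are 16 bit" string will show up in the migration failure, which is the right place for it.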
-- 
1.9.1


* [Qemu-devel] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (51 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 052/156] zaurus: " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ Michael Roth
                   ` (103 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/virtio-scsi.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 3fa6d07..3c867c6 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
     qemu_get_be32s(f, &n);
     assert(n < vs->conf.num_queues);
     qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+    /* TODO: add a way for SCSIBusInfo's load_request to fail,
+     * and fail migration instead of asserting here.
+     * When we do, we might be able to re-enable NDEBUG below.
+     */
+#ifdef NDEBUG
+#error building with NDEBUG is not supported
+#endif
+    assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
+    assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
     virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
 
     scsi_req_ref(sreq);
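Review bot: the two asserts bound in_num and out_num only from above; the else branch of virtio_scsi_parse_req quoted in the commit message passes `req->elem.in_num - 1` to qemu_sgl_init_external, so a loaded elem with out_num <= 1 and in_num == 0 still reaches it, and if in_num is unsigned the count wraps to a huge value. A lower bound (at least one in_sg entry when out_num <= 1) belongs next to these two asserts. Also, `#ifdef NDEBUG` / `#error` buried inside a function body is easy to miss; moving it next to the includes, together with the TODO comment, makes the build-configuration constraint visible at file level, and the TODO should be tracked since a migration stream should fail the migration rather than abort the process.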
-- 
1.9.1


* [Qemu-devel] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (52 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 053/156] virtio-scsi: " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load Michael Roth
                   ` (102 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci.c                | 4 ++--
 include/migration/vmstate.h | 2 +-
 target-arm/machine.c        | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 49eca95..347d0c0 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -474,7 +474,7 @@ const VMStateDescription vmstate_pci_device = {
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
     .fields      = (VMStateField []) {
-        VMSTATE_INT32_LE(version_id, PCIDevice),
+        VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
         VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
                                    vmstate_info_pci_config,
                                    PCI_CONFIG_SPACE_SIZE),
@@ -491,7 +491,7 @@ const VMStateDescription vmstate_pcie_device = {
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
     .fields      = (VMStateField []) {
-        VMSTATE_INT32_LE(version_id, PCIDevice),
+        VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
         VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
                                    vmstate_info_pci_config,
                                    PCIE_CONFIG_SPACE_SIZE),
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 3007d89..1325fa5 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -591,7 +591,7 @@ extern const VMStateInfo vmstate_info_bitmap;
 #define VMSTATE_UINT64_EQUAL(_f, _s)                                  \
     VMSTATE_UINT64_EQUAL_V(_f, _s, 0)
 
-#define VMSTATE_INT32_LE(_f, _s)                                   \
+#define VMSTATE_INT32_POSITIVE_LE(_f, _s)                             \
     VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t)
 
 #define VMSTATE_UINT8_TEST(_f, _s, _t)                               \
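Review bot: after the rename the macro body still expands to vmstate_info_int32_le, whose name says nothing about the positivity check the commit message attributes to it, so a reader of the header still has to chase the VMStateInfo to learn what the macro rejects. Either rename the info struct to match (vmstate_info_int32_positive_le, say) or add a comment on the #define stating both properties the loader enforces, so the header is self-describing like the new macro name intends.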
diff --git a/target-arm/machine.c b/target-arm/machine.c
index 74f010f..286e853 100644
--- a/target-arm/machine.c
+++ b/target-arm/machine.c
@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = {
         /* The length-check must come before the arrays to avoid
          * incoming data possibly overflowing the array.
          */
-        VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU),
+        VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU),
         VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU,
                              cpreg_vmstate_array_len,
                              0, vmstate_info_uint64, uint64_t),
-- 
1.9.1


* [Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (53 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old Michael Roth
                   ` (101 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index ca329be..53c85fe 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -47,7 +47,9 @@ static int usb_device_post_load(void *opaque, int version_id)
     } else {
         dev->attached = 1;
     }
-    if (dev->setup_index >= sizeof(dev->data_buf) ||
+    if (dev->setup_index < 0 ||
+        dev->setup_len < 0 ||
+        dev->setup_index >= sizeof(dev->data_buf) ||
         dev->setup_len >= sizeof(dev->data_buf)) {
         return -EINVAL;
     }
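Review bot: the subject says setup_index+setup_len, but the condition still checks the two fields independently; with both below sizeof(dev->data_buf) their sum can still exceed the buffer, so if usb_packet_copy uses setup_index as an offset and setup_len as a length into data_buf, as the message describes, a combined bound such as `dev->setup_index + dev->setup_len > sizeof(dev->data_buf)` (placed after the two sign checks so the addition cannot go negative) is needed for the fix to match its description. If the copy path clamps the range itself, the subject should be reworded to say only negative values are rejected here.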
-- 
1.9.1


* [Qemu-devel] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (54 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load Michael Roth
                   ` (100 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.

Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 767adce2d9cd397de3418caa16be35ea18d56f22)

Conflicts:
	vmstate.c

*removed dependency on b6fcfa59 (Move VMState code to vmstate.c)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 docs/migration.txt | 12 +++++-------
 savevm.c           |  9 +++++----
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/docs/migration.txt b/docs/migration.txt
index 0e0a1d4..fe1f2bb 100644
--- a/docs/migration.txt
+++ b/docs/migration.txt
@@ -139,7 +139,6 @@ static const VMStateDescription vmstate_kbd = {
     .name = "pckbd",
     .version_id = 3,
     .minimum_version_id = 3,
-    .minimum_version_id_old = 3,
     .fields      = (VMStateField []) {
         VMSTATE_UINT8(write_cmd, KBDState),
         VMSTATE_UINT8(status, KBDState),
@@ -168,12 +167,13 @@ You can see that there are several version fields:
 - minimum_version_id: the minimum version_id that VMState is able to understand
   for that device.
 - minimum_version_id_old: For devices that were not able to port to vmstate, we can
-  assign a function that knows how to read this old state.
+  assign a function that knows how to read this old state. This field is
+  ignored if there is no load_state_old handler.
 
 So, VMState is able to read versions from minimum_version_id to
-version_id.  And the function load_state_old() is able to load state
-from minimum_version_id_old to minimum_version_id.  This function is
-deprecated and will be removed when no more users are left.
+version_id.  And the function load_state_old() (if present) is able to
+load state from minimum_version_id_old to minimum_version_id.  This
+function is deprecated and will be removed when no more users are left.
 
 ===  Massaging functions ===
 
@@ -255,7 +255,6 @@ const VMStateDescription vmstate_ide_drive_pio_state = {
     .name = "ide_drive/pio_state",
     .version_id = 1,
     .minimum_version_id = 1,
-    .minimum_version_id_old = 1,
     .pre_save = ide_drive_pio_pre_save,
     .post_load = ide_drive_pio_post_load,
     .fields      = (VMStateField []) {
@@ -275,7 +274,6 @@ const VMStateDescription vmstate_ide_drive = {
     .name = "ide_drive",
     .version_id = 3,
     .minimum_version_id = 0,
-    .minimum_version_id_old = 0,
     .post_load = ide_drive_post_load,
     .fields      = (VMStateField []) {
         .... several fields ....
diff --git a/savevm.c b/savevm.c
index b436732..a271c2b 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1729,11 +1729,12 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
     if (version_id > vmsd->version_id) {
         return -EINVAL;
     }
-    if (version_id < vmsd->minimum_version_id_old) {
-        return -EINVAL;
-    }
     if  (version_id < vmsd->minimum_version_id) {
-        return vmsd->load_state_old(f, opaque, version_id);
+        if (vmsd->load_state_old &&
+            version_id >= vmsd->minimum_version_id_old) {
+            return vmsd->load_state_old(f, opaque, version_id);
+        }
+        return -EINVAL;
     }
     if (vmsd->pre_load) {
         int ret = vmsd->pre_load(opaque);
-- 
1.9.1


* [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (55 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 058/156] stellaris_enet: block migration Michael Roth
                   ` (99 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, check that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index c2c9b5a..151fae9 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -895,6 +895,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
 int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 {
     int i, ret;
+    int32_t config_len;
     uint32_t num;
     uint32_t features;
     uint32_t supported_features;
@@ -921,7 +922,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
                      features, supported_features);
         return -1;
     }
-    vdev->config_len = qemu_get_be32(f);
+    config_len = qemu_get_be32(f);
+    if (config_len != vdev->config_len) {
+        error_report("Unexpected config length 0x%x. Expected 0x%zx",
+                     config_len, vdev->config_len);
+        return -1;
+    }
     qemu_get_buffer(f, vdev->config, vdev->config_len);
 
     num = qemu_get_be32(f);
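Review bot: the v2 note in the message says the values are printed with %ix and %zx, but the hunk uses "0x%x" for config_len; %x expects an unsigned int while config_len is int32_t, which works through promotion on supported hosts but PRIx32 from <inttypes.h> is the idiomatic form. The comparison itself is sound: a negative config_len converts to a large size_t and still fails the equality test before qemu_get_buffer is reached, and comparing against the destination's own vdev->config_len (rather than trusting the stream) is the right direction for the check.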
-- 
1.9.1


* [Qemu-devel] [PATCH 058/156] stellaris_enet: block migration
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (56 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 059/156] target-i386: fix set of registers zeroed on reset Michael Roth
                   ` (98 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

Incoming migration with stellaris_enet is unsafe.
It's being reworked, but for now, simply block it
since no one is using it anyway.
Block outgoing migration for good measure.

CVE-2013-4532

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/stellaris_enet.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 376c7b0..0574d10 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -8,6 +8,7 @@
  */
 #include "hw/sysbus.h"
 #include "net/net.h"
+#include "migration/migration.h"
 #include <zlib.h>
 
 //#define DEBUG_STELLARIS_ENET 1
@@ -75,6 +76,7 @@ typedef struct {
     NICConf conf;
     qemu_irq irq;
     MemoryRegion mmio;
+    Error *migration_blocker;
 } stellaris_enet_state;
 
 static void stellaris_enet_update(stellaris_enet_state *s)
@@ -361,7 +363,7 @@ static int stellaris_enet_load(QEMUFile *f, void *opaque, int version_id)
     stellaris_enet_state *s = (stellaris_enet_state *)opaque;
     int i;
 
-    if (version_id != 1)
+    if (1)
         return -EINVAL;
 
     s->ris = qemu_get_be32(f);
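Review bot: `if (1) return -EINVAL;` leaves the rest of stellaris_enet_load as dead code and reads like a leftover; since the init hunk also registers a migration blocker, either reduce the load handler to a single `return -EINVAL;` with a comment pointing at the blocker, or stop registering a loader at all. If the body is being kept for the planned rework, say so in a comment so the next reader does not "fix" the condition back to `version_id != 1`.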
@@ -422,6 +424,10 @@ static int stellaris_enet_init(SysBusDevice *sbd)
     stellaris_enet_reset(s);
     register_savevm(dev, "stellaris_enet", -1, 1,
                     stellaris_enet_save, stellaris_enet_load, s);
+
+    error_setg(&s->migration_blocker,
+            "stellaris_enet does not support migration");
+    migrate_add_blocker(s->migration_blocker);
     return 0;
 }
 
@@ -429,6 +435,9 @@ static void stellaris_enet_unrealize(DeviceState *dev, Error **errp)
 {
     stellaris_enet_state *s = STELLARIS_ENET(dev);
 
+    migrate_del_blocker(s->migration_blocker);
+    error_free(s->migration_blocker);
+
     unregister_savevm(DEVICE(s), "stellaris_enet", s);
 
     memory_region_destroy(&s->mmio);
-- 
1.9.1


* [Qemu-devel] [PATCH 059/156] target-i386: fix set of registers zeroed on reset
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (57 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 058/156] stellaris_enet: block migration Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts Michael Roth
                   ` (97 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Paolo Bonzini <pbonzini@redhat.com>

BND0-3, BNDCFGU, BNDCFGS, BNDSTATUS were not zeroed on reset, but they
should be (Intel Instruction Set Extensions Programming Reference
319433-015, pages 9-4 and 9-6).  Same for YMM.

XCR0 should be reset to 1.

TSC and TSC_RESET were zeroed already by the memset, remove the explicit
assignments.

Cc: Andreas Faerber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 05e7e819d7d159a75a46354aead95e1199b8f168)

Conflicts:
	target-i386/cpu.c
	target-i386/cpu.h

*removed dependency on 79e9ebeb

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/cpu.c | 2 ++
 target-i386/cpu.h | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 47af9a8..654a04e 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -2446,6 +2446,8 @@ static void x86_cpu_reset(CPUState *s)
     cpu_breakpoint_remove_all(env, BP_CPU);
     cpu_watchpoint_remove_all(env, BP_CPU);
 
+    env->xcr0 = 1;
+
 #if !defined(CONFIG_USER_ONLY)
     /* We hard-wire the BSP to the first CPU. */
     if (s->cpu_index == 0) {
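Review bot: the commit message describes zeroing BND0-3, BNDCFGU, BNDCFGS and BNDSTATUS and removing the explicit TSC/TSC_RESET assignments, but this backported cpu.c hunk only adds `env->xcr0 = 1;` and the diffstat shows no deletions in cpu.c; the conflict note ("removed dependency on 79e9ebeb") should spell out which parts of the upstream change were dropped so the stable message does not promise fixes the diff does not contain.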
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index ea373e8..199f407 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -801,6 +801,8 @@ typedef struct CPUX86State {
     XMMReg xmm_t0;
     MMXReg mmx_t0;
 
+    XMMReg ymmh_regs[CPU_NB_REGS];
+
     /* sysenter registers */
     uint32_t sysenter_cs;
     target_ulong sysenter_esp;
@@ -909,9 +911,7 @@ typedef struct CPUX86State {
     uint16_t fpus_vmstate;
     uint16_t fptag_vmstate;
     uint16_t fpregs_format_vmstate;
-
     uint64_t xstate_bv;
-    XMMReg ymmh_regs[CPU_NB_REGS];
 
     uint64_t xcr0;
 
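Review bot: moving ymmh_regs above the "sysenter registers" block is presumably what puts YMM into the region cleared by the reset memset, as the message says it should be, but the memset boundary is not visible in this hunk and nothing in the struct marks it; a comment at the boundary (fields above are zeroed on reset, fields below are preserved) would keep future field additions from landing on the wrong side.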
-- 
1.9.1


* [Qemu-devel] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (58 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 059/156] target-i386: fix set of registers zeroed on reset Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits Michael Roth
                   ` (96 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 1398926097-28097-2-git-send-email-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit fed3ffb9f157f33bc9b2b1c3ef68e710ee6b7b4b)

Conflicts:
	target-arm/helper.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 3445813..c3e4910 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -546,7 +546,7 @@ static int pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static int vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
                       uint64_t value)
 {
-    env->cp15.c12_vbar = value & ~0x1Ful;
+    env->cp15.c12_vbar = value & ~0x1FULL;
     return 0;
 }
 
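Review bot: the fix is correct but undocumented. On a host where unsigned long is 32 bits (ILP32 hosts, and also LLP64 ones such as 64-bit Windows) `0x1Ful` is 32 bits wide, so `~0x1Ful` zero-extends to 0x00000000FFFFFFE0 and the AND silently discarded the upper half of the 64-bit VBAR value. A short comment on the `& ~0x1FULL` line would stop the `ul` suffix from creeping back, and the same `~0x..ul` pattern is worth grepping for in the other 64-bit cp15 write handlers in this file.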
-- 
1.9.1


* [Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (59 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update " Michael Roth
                   ` (95 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The ELF HWCAP bits for ARM features THUMBEE, NEON, VFPv3 and VFPv3D16 are
all off by one compared to the kernel definitions. Fix this discrepancy
and add in the missing CRUNCH bit which was the cause of the off-by-one
error. (We don't emulate any of the CPUs which have that weird hardware,
so it's otherwise uninteresting to us.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit 43ce393ee5f7b96d2ac22fedc40d6b6fb3f65a3e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/elfload.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 8dd424d..7d1e097 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -346,10 +346,11 @@ enum
     ARM_HWCAP_ARM_EDSP      = 1 << 7,
     ARM_HWCAP_ARM_JAVA      = 1 << 8,
     ARM_HWCAP_ARM_IWMMXT    = 1 << 9,
-    ARM_HWCAP_ARM_THUMBEE   = 1 << 10,
-    ARM_HWCAP_ARM_NEON      = 1 << 11,
-    ARM_HWCAP_ARM_VFPv3     = 1 << 12,
-    ARM_HWCAP_ARM_VFPv3D16  = 1 << 13,
+    ARM_HWCAP_ARM_CRUNCH    = 1 << 10,
+    ARM_HWCAP_ARM_THUMBEE   = 1 << 11,
+    ARM_HWCAP_ARM_NEON      = 1 << 12,
+    ARM_HWCAP_ARM_VFPv3     = 1 << 13,
+    ARM_HWCAP_ARM_VFPv3D16  = 1 << 14,
 };
 
 #define TARGET_HAS_VALIDATE_GUEST_SPACE
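Review bot: this enum is a hand copy of the kernel's ARM HWCAP layout and has already drifted once; please add a comment naming the kernel header the values mirror (arch/arm/include/uapi/asm/hwcap.h) and keep the entries in the kernel's bit order, including placeholders like the new CRUNCH bit, so the next addition cannot be off by one again. Nothing sets ARM_HWCAP_ARM_CRUNCH, which matches the commit message; a trailing comment saying "placeholder, never set" would make that explicit.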
-- 
1.9.1


* [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update ARM HWCAP bits
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (60 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 Michael Roth
                   ` (94 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The kernel has added support for a number of new ARM HWCAP bits;
add them to QEMU, including support for setting them where we have
a corresponding CPU feature bit.

We were also incorrectly setting the VFPv3D16 HWCAP -- this means
"only 16 D registers", not "supports 16-bit floating point format";
since QEMU always has 32 D registers for VFPv3, we can just remove
the line that incorrectly set this bit.

The kernel does not set the HWCAP_FPA even if it is providing FPA
emulation via nwfpe, so don't set this bit in QEMU either.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit 24682654654a2e7b50afc27880f4098e5fca3742)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/elfload.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 7d1e097..adf84eb 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -351,6 +351,13 @@ enum
     ARM_HWCAP_ARM_NEON      = 1 << 12,
     ARM_HWCAP_ARM_VFPv3     = 1 << 13,
     ARM_HWCAP_ARM_VFPv3D16  = 1 << 14,
+    ARM_HWCAP_ARM_TLS       = 1 << 15,
+    ARM_HWCAP_ARM_VFPv4     = 1 << 16,
+    ARM_HWCAP_ARM_IDIVA     = 1 << 17,
+    ARM_HWCAP_ARM_IDIVT     = 1 << 18,
+    ARM_HWCAP_ARM_VFPD32    = 1 << 19,
+    ARM_HWCAP_ARM_LPAE      = 1 << 20,
+    ARM_HWCAP_ARM_EVTSTRM   = 1 << 21,
 };
 
 #define TARGET_HAS_VALIDATE_GUEST_SPACE
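Review bot: ARM_HWCAP_ARM_EVTSTRM is added to the enum but nothing in the rest of this patch sets it; that is fine if QEMU has no corresponding feature to probe (the commit message only promises to set bits where a CPU feature bit exists), but a short comment next to the entry saying so would keep a reader from assuming the bit was forgotten.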
@@ -425,17 +432,28 @@ static uint32_t get_elf_hwcap(void)
     hwcaps |= ARM_HWCAP_ARM_HALF;
     hwcaps |= ARM_HWCAP_ARM_THUMB;
     hwcaps |= ARM_HWCAP_ARM_FAST_MULT;
-    hwcaps |= ARM_HWCAP_ARM_FPA;
 
     /* probe for the extra features */
 #define GET_FEATURE(feat, hwcap) \
     do { if (arm_feature(&cpu->env, feat)) { hwcaps |= hwcap; } } while (0)
+    /* EDSP is in v5TE and above, but all our v5 CPUs are v5TE */
+    GET_FEATURE(ARM_FEATURE_V5, ARM_HWCAP_ARM_EDSP);
     GET_FEATURE(ARM_FEATURE_VFP, ARM_HWCAP_ARM_VFP);
     GET_FEATURE(ARM_FEATURE_IWMMXT, ARM_HWCAP_ARM_IWMMXT);
     GET_FEATURE(ARM_FEATURE_THUMB2EE, ARM_HWCAP_ARM_THUMBEE);
     GET_FEATURE(ARM_FEATURE_NEON, ARM_HWCAP_ARM_NEON);
     GET_FEATURE(ARM_FEATURE_VFP3, ARM_HWCAP_ARM_VFPv3);
-    GET_FEATURE(ARM_FEATURE_VFP_FP16, ARM_HWCAP_ARM_VFPv3D16);
+    GET_FEATURE(ARM_FEATURE_V6K, ARM_HWCAP_ARM_TLS);
+    GET_FEATURE(ARM_FEATURE_VFP4, ARM_HWCAP_ARM_VFPv4);
+    GET_FEATURE(ARM_FEATURE_ARM_DIV, ARM_HWCAP_ARM_IDIVA);
+    GET_FEATURE(ARM_FEATURE_THUMB_DIV, ARM_HWCAP_ARM_IDIVT);
+    /* All QEMU's VFPv3 CPUs have 32 registers, see VFP_DREG in translate.c.
+     * Note that the ARM_HWCAP_ARM_VFPv3D16 bit is always the inverse of
+     * ARM_HWCAP_ARM_VFPD32 (and so always clear for QEMU); it is unrelated
+     * to our VFP_FP16 feature bit.
+     */
+    GET_FEATURE(ARM_FEATURE_VFP3, ARM_HWCAP_ARM_VFPD32);
+    GET_FEATURE(ARM_FEATURE_LPAE, ARM_HWCAP_ARM_LPAE);
 #undef GET_FEATURE
 
     return hwcaps;
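Review bot: the comment block explaining VFPv3D16 versus VFPD32 is exactly what this function needed; a similar one-liner belongs where `hwcaps |= ARM_HWCAP_ARM_FPA;` was removed, stating that the kernel does not set HWCAP_FPA even under nwfpe (as the commit message says), otherwise someone will put the line back. Also, the TLS mapping uses ARM_FEATURE_V6K as its proxy with no comment, unlike the EDSP line just above it; documenting why V6K implies the TLS register would make the two mappings consistent.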
-- 
1.9.1


* [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (61 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update " Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi Michael Roth
                   ` (93 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The ARM target-specific code in elfload.c was incorrectly allowing
the 64-bit ARM target to use most of the existing 32-bit definitions:
most noticeably this meant that our HWCAP bits passed to the guest
were wrong, and register handling when dumping core was totally
broken. Fix this by properly separating the 64 and 32 bit code,
since they have more differences than similarities.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit 24e76ff06bcd0936ee8b04b15dca42efb7d614d1)

Conflicts:
	linux-user/elfload.c

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/elfload.c | 84 +++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 73 insertions(+), 11 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index adf84eb..c9147b3 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -267,17 +267,15 @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
 
 #ifdef TARGET_ARM
 
+#ifndef TARGET_AARCH64
+/* 32 bit ARM definitions */
+
 #define ELF_START_MMAP 0x80000000
 
 #define elf_check_arch(x) ((x) == ELF_MACHINE)
 
 #define ELF_ARCH        ELF_MACHINE
-
-#ifdef TARGET_AARCH64
-#define ELF_CLASS       ELFCLASS64
-#else
 #define ELF_CLASS       ELFCLASS32
-#endif
 
 static inline void init_thread(struct target_pt_regs *regs,
                                struct image_info *infop)
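Review bot: with the 32-bit block now guarded by `#ifndef TARGET_AARCH64`, ELF_START_MMAP, elf_check_arch and ELF_ARCH are repeated verbatim in the new 64-bit block later in this patch; hoisting those three shared defines above the #ifndef would avoid the duplicate and leave only ELF_CLASS (and the 64-bit ELF_PLATFORM) in the per-width sections.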
@@ -285,10 +283,6 @@ static inline void init_thread(struct target_pt_regs *regs,
     abi_long stack = infop->start_stack;
     memset(regs, 0, sizeof(*regs));
 
-#ifdef TARGET_AARCH64
-    regs->pc = infop->entry & ~0x3ULL;
-    regs->sp = stack;
-#else
     regs->ARM_cpsr = 0x10;
     if (infop->entry & 1)
         regs->ARM_cpsr |= CPSR_T;
@@ -302,7 +296,6 @@ static inline void init_thread(struct target_pt_regs *regs,
     /* For uClinux PIC binaries.  */
     /* XXX: Linux does this only on ARM with no MMU (do we care ?) */
     regs->ARM_r10 = infop->start_data;
-#endif
 }
 
 #define ELF_NREG    18
@@ -459,7 +452,76 @@ static uint32_t get_elf_hwcap(void)
     return hwcaps;
 }
 
-#endif
+#else
+/* 64 bit ARM definitions */
+#define ELF_START_MMAP 0x80000000
+
+#define elf_check_arch(x) ((x) == ELF_MACHINE)
+
+#define ELF_ARCH        ELF_MACHINE
+#define ELF_CLASS       ELFCLASS64
+#define ELF_PLATFORM    "aarch64"
+
+static inline void init_thread(struct target_pt_regs *regs,
+                               struct image_info *infop)
+{
+    abi_long stack = infop->start_stack;
+    memset(regs, 0, sizeof(*regs));
+
+    regs->pc = infop->entry & ~0x3ULL;
+    regs->sp = stack;
+}
+
+#define ELF_NREG    34
+typedef target_elf_greg_t  target_elf_gregset_t[ELF_NREG];
+
+static void elf_core_copy_regs(target_elf_gregset_t *regs,
+                               const CPUARMState *env)
+{
+    int i;
+
+    for (i = 0; i < 32; i++) {
+        (*regs)[i] = tswapreg(env->xregs[i]);
+    }
+    (*regs)[32] = tswapreg(env->pc);
+    (*regs)[33] = tswapreg(pstate_read((CPUARMState *)env));
+}
+
+#define USE_ELF_CORE_DUMP
+#define ELF_EXEC_PAGESIZE       4096
+
+enum {
+    ARM_HWCAP_A64_FP            = 1 << 0,
+    ARM_HWCAP_A64_ASIMD         = 1 << 1,
+    ARM_HWCAP_A64_EVTSTRM       = 1 << 2,
+    ARM_HWCAP_A64_AES           = 1 << 3,
+    ARM_HWCAP_A64_PMULL         = 1 << 4,
+    ARM_HWCAP_A64_SHA1          = 1 << 5,
+    ARM_HWCAP_A64_SHA2          = 1 << 6,
+    ARM_HWCAP_A64_CRC32         = 1 << 7,
+};
+
+#define ELF_HWCAP get_elf_hwcap()
+
+static uint32_t get_elf_hwcap(void)
+{
+    ARMCPU *cpu = ARM_CPU(thread_cpu);
+    uint32_t hwcaps = 0;
+
+    hwcaps |= ARM_HWCAP_A64_FP;
+    hwcaps |= ARM_HWCAP_A64_ASIMD;
+
+    /* probe for the extra features */
+#define GET_FEATURE(feat, hwcap) \
+    do { if (arm_feature(&cpu->env, feat)) { hwcaps |= hwcap; } } while (0)
+    GET_FEATURE(ARM_FEATURE_V8_AES, ARM_HWCAP_A64_PMULL);
+#undef GET_FEATURE
+
+    return hwcaps;
+}
+
+#endif /* not TARGET_AARCH64 */
+#endif /* TARGET_ARM */
 
 #ifdef TARGET_UNICORE32
 
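Review bot: in the new A64 get_elf_hwcap, ARM_FEATURE_V8_AES is mapped only to ARM_HWCAP_A64_PMULL, while ARM_HWCAP_A64_AES, SHA1, SHA2 and CRC32 are defined but never set. If that feature bit means the AES instructions are present, HWCAP_A64_AES should be set alongside PMULL (a guest libc or crypto library keys instruction selection off these bits), and if the remaining bits have no feature to probe yet, a comment saying so would help. Two smaller points: `pstate_read((CPUARMState *)env)` casts away const, which suggests pstate_read should take a const pointer instead; and the 64-bit block defines ELF_PLATFORM "aarch64" with no counterpart visible in the 32-bit block, so please confirm that asymmetry is intended.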
-- 
1.9.1


* [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (62 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors Michael Roth
                   ` (92 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Alexey Kardashevskiy <aik@ozlabs.ru>

Current guest kernels try allocating as many vectors as the quota allows.
For example, in the case of virtio-net (which has just 3 vectors)
the guest requests 4 vectors (that is the quota in the test) and
the existing ibm,change-msi handler returns 4. But before it returns,
it calls msix_set_message() in a loop and corrupts memory behind
the end of msix_table.

This limits the number of vectors returned by ibm,change-msi to
the maximum supported by the actual device.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: qemu-stable@nongnu.org
[agraf: squash in bugfix from aik]
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit b26696b519f853c9844e5154858e583600ee3cdc)

*s/error_report/fprintf/ to reflect v1.7.x error reporting style

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/ppc/spapr_pci.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index edb4cb0..0079d31 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -342,6 +342,22 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, sPAPREnvironment *spapr,
 
     /* There is no cached config, allocate MSIs */
     if (!phb->msi_table[ndev].nvec) {
+        int max_irqs = 0;
+        if (ret_intr_type == RTAS_TYPE_MSI) {
+            max_irqs = msi_nr_vectors_allocated(pdev);
+        } else if (ret_intr_type == RTAS_TYPE_MSIX) {
+            max_irqs = pdev->msix_entries_nr;
+        }
+        if (!max_irqs) {
+            fprintf(stderr,
+                    "Requested interrupt type %d is not enabled for device#%d\n",
+                    ret_intr_type, ndev);
+            rtas_st(rets, 0, -1); /* Hardware error */
+            return;
+        }
+        if (req_num > max_irqs) {
+            req_num = max_irqs;
+        }
         irq = spapr_allocate_irq_block(req_num, false,
                                        ret_intr_type == RTAS_TYPE_MSI);
         if (irq < 0) {
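Review bot: for RTAS_TYPE_MSI the bound is msi_nr_vectors_allocated(pdev), which (if I read hw/pci/msi.c correctly) decodes the Multiple Message Enable field of the device's MSI capability, i.e. what the guest has enabled so far, rather than the maximum the capability advertises; please confirm that is the bound you intend, since it makes the result depend on the guest having programmed MSI before calling ibm,change-msi. The MSI-X path uses the table size (msix_entries_nr) and has no such dependency. The clamp of req_num itself is right: the reduced count flows back through the existing return path and msix_set_message() can no longer run past the end of the table, which is the corruption the commit message describes.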
-- 
1.9.1


* [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (63 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size Michael Roth
                   ` (91 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

KVM only supports an MSIX table size of up to 256 vectors,
but some assigned devices support more vectors;
at the moment attempts to assign them fail with EINVAL.

Tweak the MSIX capability exposed to guest to limit table size
to a supported value.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Cc: qemu-stable@nongnu.org
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 639973a4740f38789057744b550df3a175bc49ad)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvm/pci-assign.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index 9686801..db70d6e 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -1257,6 +1257,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
     if (pos != 0 && kvm_device_msix_supported(kvm_state)) {
         int bar_nr;
         uint32_t msix_table_entry;
+        uint16_t msix_max;
 
         if (!check_irqchip_in_kernel()) {
             return -ENOTSUP;
@@ -1268,9 +1269,10 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         }
         pci_dev->msix_cap = pos;
 
-        pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS,
-                     pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
-                     PCI_MSIX_FLAGS_QSIZE);
+        msix_max = (pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
+                    PCI_MSIX_FLAGS_QSIZE) + 1;
+        msix_max = MIN(msix_max, KVM_MAX_MSIX_PER_DEV);
+        pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS, msix_max - 1);
 
         /* Only enable and function mask bits are writable */
         pci_set_word(pci_dev->wmask + pos + PCI_MSIX_FLAGS,
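Review bot: the clamp only holds because the QSIZE field stays read-only to the guest, which the wmask write just below enforces (enable and function-mask bits only); a comment tying the two lines together would help. It is also worth stating in the commit message what a guest driver observes when the physical table is larger than KVM_MAX_MSIX_PER_DEV (assumed here to be the 256 the message refers to; the constant is not in this diff): it is simply told that fewer vectors exist, and the entries beyond msix_max are never routed, which is the intended behaviour but not obvious from the code.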
@@ -1280,9 +1282,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         bar_nr = msix_table_entry & PCI_MSIX_FLAGS_BIRMASK;
         msix_table_entry &= ~PCI_MSIX_FLAGS_BIRMASK;
         dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry;
-        dev->msix_max = pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS);
-        dev->msix_max &= PCI_MSIX_FLAGS_QSIZE;
-        dev->msix_max += 1;
+        dev->msix_max = msix_max;
     }
 
     /* Minimal PM support, nothing writable, device appears to NAK changes */
-- 
1.9.1


* [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (64 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 067/156] migration: remove duplicate code Michael Roth
                   ` (90 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE, so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.

Not a big problem in practice as people don't use
such big queues, but it's inelegant.

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 151fae9..c6265c6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -427,7 +427,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
     unsigned int i;
     hwaddr len;
 
-    if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+    if (num_sg > VIRTQUEUE_MAX_SIZE) {
         error_report("virtio: map attempt out of bounds: %zd > %d",
                      num_sg, VIRTQUEUE_MAX_SIZE);
         exit(1);
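Review bot: the off-by-one fix is right (the loop index stays strictly below num_sg, so num_sg == VIRTQUEUE_MAX_SIZE fits the array) and the message text now agrees with the condition it reports, but the check still calls exit(1) on a value that ultimately comes from the guest's descriptor chain, so a misbehaving guest can take down the whole QEMU process. Consider turning this into a request failure (mark the device broken or return an error to the caller) in a follow-up rather than aborting.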
-- 
1.9.1


* [Qemu-devel] [PATCH 067/156] migration: remove duplicate code
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (65 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load Michael Roth
                   ` (89 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: ChenLiang <chenliang88@huawei.com>

version_id is checked twice in the ram_load.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 21a246a43b606ee833f907d589d8dcbb54a2761e)

*prereq for db80fac backport
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 arch_init.c | 68 ++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 33 insertions(+), 35 deletions(-)

diff --git a/arch_init.c b/arch_init.c
index e0acbc5..85652aa 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -862,7 +862,7 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
 
     seq_iter++;
 
-    if (version_id < 4 || version_id > 4) {
+    if (version_id != 4) {
         return -EINVAL;
     }
 
@@ -873,44 +873,42 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
         addr &= TARGET_PAGE_MASK;
 
         if (flags & RAM_SAVE_FLAG_MEM_SIZE) {
-            if (version_id == 4) {
-                /* Synchronize RAM block list */
-                char id[256];
-                ram_addr_t length;
-                ram_addr_t total_ram_bytes = addr;
-
-                while (total_ram_bytes) {
-                    RAMBlock *block;
-                    uint8_t len;
-
-                    len = qemu_get_byte(f);
-                    qemu_get_buffer(f, (uint8_t *)id, len);
-                    id[len] = 0;
-                    length = qemu_get_be64(f);
-
-                    QTAILQ_FOREACH(block, &ram_list.blocks, next) {
-                        if (!strncmp(id, block->idstr, sizeof(id))) {
-                            if (block->length != length) {
-                                fprintf(stderr,
-                                        "Length mismatch: %s: " RAM_ADDR_FMT
-                                        " in != " RAM_ADDR_FMT "\n", id, length,
-                                        block->length);
-                                ret =  -EINVAL;
-                                goto done;
-                            }
-                            break;
+            /* Synchronize RAM block list */
+            char id[256];
+            ram_addr_t length;
+            ram_addr_t total_ram_bytes = addr;
+
+            while (total_ram_bytes) {
+                RAMBlock *block;
+                uint8_t len;
+
+                len = qemu_get_byte(f);
+                qemu_get_buffer(f, (uint8_t *)id, len);
+                id[len] = 0;
+                length = qemu_get_be64(f);
+
+                QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+                    if (!strncmp(id, block->idstr, sizeof(id))) {
+                        if (block->length != length) {
+                            fprintf(stderr,
+                                    "Length mismatch: %s: " RAM_ADDR_FMT
+                                    " in != " RAM_ADDR_FMT "\n", id, length,
+                                    block->length);
+                            ret =  -EINVAL;
+                            goto done;
                         }
+                        break;
                     }
+                }
 
-                    if (!block) {
-                        fprintf(stderr, "Unknown ramblock \"%s\", cannot "
-                                "accept migration\n", id);
-                        ret = -EINVAL;
-                        goto done;
-                    }
-
-                    total_ram_bytes -= length;
+                if (!block) {
+                    fprintf(stderr, "Unknown ramblock \"%s\", cannot "
+                            "accept migration\n", id);
+                    ret = -EINVAL;
+                    goto done;
                 }
+
+                total_ram_bytes -= length;
             }
         }
 
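Review bot: this is a pure de-indent after dropping the redundant `version_id == 4` test, and the hunk is much easier to verify with `git diff -w`; it would help to say so in the commit message. While looking at the moved code: the block-list loop still trusts the stream completely, since `total_ram_bytes -= length` has no check that length <= total_ram_bytes, so a stream that lists the same block twice underflows the counter and the loop keeps reading until the file errors out. Not a regression introduced here, but worth a follow-up bounds check.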
-- 
1.9.1


* [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (66 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 067/156] migration: remove duplicate code Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support Michael Roth
                   ` (88 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Lieven <pl@kamp.de>

If a saved VM has unknown flags in the memory data, QEMU
currently simply ignores the flag and continues, which
yields an unpredictable result.

This patch catches all unknown flags and aborts the
loading of the VM. Additionally, error reports are thrown
if the migration aborts abnormally.

Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit db80facefa62dff42bb50c73b0f03eda5f732b49)

Conflicts:
	arch_init.c

*removed unnecessary context from 4798fe55

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 arch_init.c | 32 +++++++++++++++++---------------
 migration.c |  2 +-
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/arch_init.c b/arch_init.c
index 85652aa..8038937 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -857,7 +857,6 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
 {
     ram_addr_t addr;
     int flags, ret = 0;
-    int error;
     static uint64_t seq_iter;
 
     seq_iter++;
@@ -866,7 +865,7 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
         return -EINVAL;
     }
 
-    do {
+    while (!ret) {
         addr = qemu_get_be64(f);
 
         flags = addr & ~TARGET_PAGE_MASK;
@@ -895,7 +894,6 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
                                     " in != " RAM_ADDR_FMT "\n", id, length,
                                     block->length);
                             ret =  -EINVAL;
-                            goto done;
                         }
                         break;
                     }
@@ -905,14 +903,14 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
                     fprintf(stderr, "Unknown ramblock \"%s\", cannot "
                             "accept migration\n", id);
                     ret = -EINVAL;
-                    goto done;
+                }
+                if (ret) {
+                    break;
                 }
 
                 total_ram_bytes -= length;
             }
-        }
-
-        if (flags & RAM_SAVE_FLAG_COMPRESS) {
+        } else if (flags & RAM_SAVE_FLAG_COMPRESS) {
             void *host;
             uint8_t ch;
 
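Review bot: the new `if (ret) { break; }` leaves only the inner `while (total_ram_bytes)` loop; control then falls out of the MEM_SIZE branch and reaches the `ret = qemu_file_get_error(f);` at the bottom of the outer loop (see the last hunk), which overwrites the -EINVAL with 0 whenever the stream itself has no I/O error, so the length-mismatch and unknown-ramblock cases no longer abort the load as they did via `goto done`. Either guard the bottom line (`if (!ret) { ret = qemu_file_get_error(f); }`) or break out of the outer loop as soon as the inner one exits with ret set.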
@@ -939,20 +937,24 @@ static int ram_load(QEMUFile *f, void *opaque, int version_id)
             }
 
             if (load_xbzrle(f, addr, host) < 0) {
+                error_report("Failed to decompress XBZRLE page at "
+                             RAM_ADDR_FMT, addr);
                 ret = -EINVAL;
-                goto done;
+                break;
             }
         } else if (flags & RAM_SAVE_FLAG_HOOK) {
             ram_control_load_hook(f, flags);
+        } else if (flags & RAM_SAVE_FLAG_EOS) {
+            /* normal exit */
+            break;
+        } else {
+            error_report("Unknown migration flags: %#x", flags);
+            ret = -EINVAL;
+            break;
         }
-        error = qemu_file_get_error(f);
-        if (error) {
-            ret = error;
-            goto done;
-        }
-    } while (!(flags & RAM_SAVE_FLAG_EOS));
+        ret = qemu_file_get_error(f);
+    }
 
-done:
     DPRINTF("Completed load of VM with exit code %d seq iteration "
             "%" PRIu64 "\n", ret, seq_iter);
     return ret;
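Review bot: termination on RAM_SAVE_FLAG_EOS has moved from the `do ... while (!(flags & RAM_SAVE_FLAG_EOS))` test, which fired whenever the bit was set, to an `else if` that only runs when none of MEM_SIZE, COMPRESS, PAGE, XBZRLE or HOOK matched; a record that combines EOS with one of those flags is now processed as that record and the loop continues waiting for more input. If the sender always writes EOS on its own, say so in a comment next to the branch so the ordering is understood to be deliberate. Minor: `flags` is an int, so `%#x` in the new error_report wants an unsigned cast.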
diff --git a/migration.c b/migration.c
index 79c86c9..22a1399 100644
--- a/migration.c
+++ b/migration.c
@@ -105,7 +105,7 @@ static void process_incoming_migration_co(void *opaque)
     ret = qemu_loadvm_state(f);
     qemu_fclose(f);
     if (ret < 0) {
-        fprintf(stderr, "load of migration failed\n");
+        error_report("load of migration failed: %s", strerror(-ret));
         exit(EXIT_FAILURE);
     }
     qemu_announce_self();
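Review bot: strerror(-ret) is only meaningful if every failure path in qemu_loadvm_state() returns a negative errno; if any path returns -1 or another bare code, the message will show an unrelated errno string. Either confirm that invariant holds for the 1.7 loaders or print the numeric value alongside the string (e.g. "%s (%d)") so the raw code is not lost.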
-- 
1.9.1


* [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (67 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests Michael Roth
                   ` (87 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Add the cloop block driver to qemu-iotests.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 47f73da0a7d36e399eaa353d93afce90de9b599d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/common    | 7 +++++++
 tests/qemu-iotests/common.rc | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/tests/qemu-iotests/common b/tests/qemu-iotests/common
index 8cde7f1..b5043fc 100644
--- a/tests/qemu-iotests/common
+++ b/tests/qemu-iotests/common
@@ -129,6 +129,7 @@ common options
 check options
     -raw                test raw (default)
     -cow                test cow
+    -cloop              test cloop
     -qcow               test qcow
     -qcow2              test qcow2
     -qed                test qed
@@ -167,6 +168,12 @@ testlist options
             xpand=false
             ;;
 
+        -cloop)
+            IMGFMT=cloop
+            IMGFMT_GENERIC=false
+            xpand=false
+            ;;
+
         -qcow)
             IMGFMT=qcow
             xpand=false
diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
index 7f62457..65c5bc1 100644
--- a/tests/qemu-iotests/common.rc
+++ b/tests/qemu-iotests/common.rc
@@ -350,6 +350,9 @@ _fail()
 #
 _supported_fmt()
 {
+    # "generic" is suitable for most image formats. For some formats it doesn't
+    # work, however (most notably read-only formats), so they can opt out by
+    # setting IMGFMT_GENERIC to false.
     for f; do
         if [ "$f" = "$IMGFMT" -o "$f" = "generic" -a "$IMGFMT_GENERIC" = "true" ]; then
             return
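Review bot: the new comment says formats opt out by setting IMGFMT_GENERIC to false, but nothing in this patch sets it to true by default; the test on the following line compares against the literal string "true", so unless the `common` script initialises IMGFMT_GENERIC=true before option parsing, "generic" stops matching for every other format. Please confirm the default exists (or add it in the `common` hunk of this patch). The compound `[ a -o b -a c ]` form on that line also relies on test(1) precedence that POSIX marks obsolescent; `{ [ ... ] || { [ ... ] && [ ... ]; }; }` would be unambiguous, though that is a pre-existing issue.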
-- 
1.9.1


* [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (68 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144) Michael Roth
                   ` (86 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Add a cloop format-specific test case.  Later patches add tests for
input validation to the script.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 05560fcebb1528f4354f6f24d1eb8cdbcdf2c4b2)

Conflicts:
	tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/075                             |  53 +++++++++++++++++++++
 tests/qemu-iotests/075.out                         |   6 +++
 tests/qemu-iotests/group                           |   1 +
 .../sample_images/simple-pattern.cloop.bz2         | Bin 0 -> 488 bytes
 4 files changed, 60 insertions(+)
 create mode 100755 tests/qemu-iotests/075
 create mode 100644 tests/qemu-iotests/075.out
 create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2

diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
new file mode 100755
index 0000000..88ae8bb
--- /dev/null
+++ b/tests/qemu-iotests/075
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# cloop format input validation tests
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=stefanha@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt cloop
+_supported_proto generic
+_supported_os Linux
+
+echo
+echo "== check that the first sector can be read =="
+_use_sample_img simple-pattern.cloop.bz2
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
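Review bot: `tmp=/tmp/$$` and `here=\`pwd\`` are assigned but never used in this script, so they are harmless template residue here; if a later revision does start using `$tmp`, a predictable PID-based path in a world-writable directory is the classic symlink-race footgun and `mktemp` is the safer default. The test itself only reads sector 0 of the sample image, which is the right baseline for the validation cases the commit message says will follow.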
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
new file mode 100644
index 0000000..26661fa
--- /dev/null
+++ b/tests/qemu-iotests/075.out
@@ -0,0 +1,6 @@
+QA output created by 075
+
+== check that the first sector can be read ==
+read 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index b63b18c..7520928 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -77,3 +77,4 @@
 069 rw auto
 070 rw auto
 073 rw auto
+075 rw auto
diff --git a/tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2 b/tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..a02d2ee4c710f48e9c0151dcb25e0637e2067b9f
GIT binary patch
literal 488
zcmV<E0T=#4T4*^jL0KkKS$!c^s{jDG|NsC0_gDW9_d2OS$xc6a-+JT#;L<<<!!DqR
zoPPjAw}UVNSb~P4B=ixqo{^dp)X?;vpbaz)0j7f>3?Lc+41uQ7dV@xWL&_k@fD-@#
zFaQ7m34&k(U;qh;fB*@Jhy<dkwE)NlO)>*Ug9HEo0004?8UO~34GlC628%pmbhgch
zQ?C-kdNsT#_wF0s)BwwA2FQRmQ2|gLC{;2<2TA~GsDT1j=>&+yJOz05+voN44`{1d
zzJBs>VEI%;odJ<DA}T7yR63R#n!O(yOaYZb`VA~7GZW~D#85TOm-_%kMu-q!)tKq^
zERY4;S{;XR6rY6v(*H)9meFSz6lBU&gr7oE(l~G$83sv%a#T}w6gocKLIN6ITT|q-
znK{@X-6$nAs>rKXRk|8ZS4K7%5gzkAQ>1{(br+n41iF_h7v?hIp07p=N-CUc+@4Yf
zQ&XeXEn0Pf;=C$r^FkBM%zW*-#l~jMVhBQ-L?JW`fA{X9W`T7LT<?gFTO&*76!XLa
z9snznf(FbsrS0b8Ua%J@ynLKYN{c5AAK4%jagW79I1Su6Yx32d*aU&vvR5)d8pvqU
eYDAm_3G6V!^Ib0@xa$@_#oUoj6eJ%=RjR-T$jlD_

literal 0
HcmV?d00001

-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (69 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Michael Roth
                   ` (85 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value.  Also enforce the
assumption that the value is a non-zero multiple of 512.

These constraints conform to cloop 2.639's code so we accept existing
image files.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit d65f97a82c4ed48374a764c769d4ba1ea9724e97)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/cloop.c              | 23 +++++++++++++++++++++++
 tests/qemu-iotests/075     | 20 ++++++++++++++++++++
 tests/qemu-iotests/075.out | 12 ++++++++++++
 3 files changed, 55 insertions(+)

diff --git a/block/cloop.c b/block/cloop.c
index b907023..f021663 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -26,6 +26,9 @@
 #include "qemu/module.h"
 #include <zlib.h>
 
+/* Maximum compressed block size */
+#define MAX_BLOCK_SIZE (64 * 1024 * 1024)
+
 typedef struct BDRVCloopState {
     CoMutex lock;
     uint32_t block_size;
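Review bot: the comment on the new define, "Maximum compressed block size", describes the wrong buffer: MAX_BLOCK_SIZE bounds the block_size header field, which the commit message identifies as the size of s->uncompressed_block, and patch 074 in this series uses `2 * MAX_BLOCK_SIZE` for the compressed side. Reword it to "Maximum uncompressed block size (block_size header field)" so the two limits are not confused later.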
@@ -68,6 +71,26 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
         return ret;
     }
     s->block_size = be32_to_cpu(s->block_size);
+    if (s->block_size % 512) {
+        error_setg(errp, "block_size %u must be a multiple of 512",
+                   s->block_size);
+        return -EINVAL;
+    }
+    if (s->block_size == 0) {
+        error_setg(errp, "block_size cannot be zero");
+        return -EINVAL;
+    }
+
+    /* cloop's create_compressed_fs.c warns about block sizes beyond 256 KB but
+     * we can accept more.  Prevent ridiculous values like 4 GB - 1 since we
+     * need a buffer this big.
+     */
+    if (s->block_size > MAX_BLOCK_SIZE) {
+        error_setg(errp, "block_size %u must be %u MB or less",
+                   s->block_size,
+                   MAX_BLOCK_SIZE / (1024 * 1024));
+        return -EINVAL;
+    }
 
     ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
     if (ret < 0) {
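Review bot: the ordering of the three checks deserves a one-line comment: `block_size == 0` passes the `% 512` test (0 is a multiple of 512), so the zero case has to remain a separate branch, which it does. In the upper-bound message `MAX_BLOCK_SIZE / (1024 * 1024)` is an `int` expression printed with `%u`; harmless for the value 64, but `%d` or a cast keeps the format and argument types matched. Note that this hunk bounds only the uncompressed buffer; the compressed-block allocation derived from differences in offsets[] is still unbounded after this patch and is addressed by patch 074.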
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 88ae8bb..8f54a99 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -42,11 +42,31 @@ _supported_fmt cloop
 _supported_proto generic
 _supported_os Linux
 
+block_size_offset=128
+
 echo
 echo "== check that the first sector can be read =="
 _use_sample_img simple-pattern.cloop.bz2
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== block_size must be a multiple of 512 =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== block_size cannot be zero =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x00\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== huge block_size ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
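Review bot: the value poked in the "huge block_size" case, `\xff\xff\xfe\x00` (4294966784), has its low nine bits clear, so it is a multiple of 512 and reaches the MAX_BLOCK_SIZE comparison instead of being swallowed by the alignment check first; that is what makes it a valid test of the upper bound, and a short comment saying so would stop a future edit from replacing it with a value the first check rejects. Also, the heading `"== huge block_size ==="` has three trailing `=` where the two headings above it have two, and the typo is frozen into 075.out; fix both together.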
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index 26661fa..d362c95 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -3,4 +3,16 @@ QA output created by 075
 == check that the first sector can be read ==
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== block_size must be a multiple of 512 ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512
+no file open, try 'help open'
+
+== block_size cannot be zero ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size cannot be zero
+no file open, try 'help open'
+
+== huge block_size ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less
+no file open, try 'help open'
 *** done
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (70 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144) Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Michael Roth
                   ` (84 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:

    uint32_t n_blocks, offsets_size;
    [...]
    ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
    [...]
    s->n_blocks = be32_to_cpu(s->n_blocks);

    /* read offsets */
    offsets_size = s->n_blocks * sizeof(uint64_t);
    s->offsets = g_malloc(offsets_size);

    [...]

    for(i=0;i<s->n_blocks;i++) {
        s->offsets[i] = be64_to_cpu(s->offsets[i]);

offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.

This patch refuses to open files if offsets_size would overflow.

Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 509a41bab5306181044b5fff02eadf96d9c8676a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/cloop.c              | 7 +++++++
 tests/qemu-iotests/075     | 7 +++++++
 tests/qemu-iotests/075.out | 4 ++++
 3 files changed, 18 insertions(+)

diff --git a/block/cloop.c b/block/cloop.c
index f021663..563e916 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -99,6 +99,13 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
     s->n_blocks = be32_to_cpu(s->n_blocks);
 
     /* read offsets */
+    if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) {
+        /* Prevent integer overflow */
+        error_setg(errp, "n_blocks %u must be %zu or less",
+                   s->n_blocks,
+                   UINT32_MAX / sizeof(uint64_t));
+        return -EINVAL;
+    }
     offsets_size = s->n_blocks * sizeof(uint64_t);
     s->offsets = g_malloc(offsets_size);
 
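Review bot: the limit `UINT32_MAX / sizeof(uint64_t)` is derived from the type of offsets_size (uint32_t, per the snippet in the commit message) but lives far from its declaration, so if offsets_size is ever widened the check silently stops matching the variable it protects; a `QEMU_BUILD_BUG_ON(sizeof(offsets_size) != sizeof(uint32_t))` next to it, or computing the bound from the variable's own type, keeps the two tied. Printing the bound with `%zu` is correct since the expression is a size_t. This hunk only prevents the wrap; offsets_size values up to nearly 4 GB still pass here, and the 512 MB cap arrives in the next patch.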
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 8f54a99..9ce6b1f 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -43,6 +43,7 @@ _supported_proto generic
 _supported_os Linux
 
 block_size_offset=128
+n_blocks_offset=132
 
 echo
 echo "== check that the first sector can be read =="
@@ -67,6 +68,12 @@ _use_sample_img simple-pattern.cloop.bz2
 poke_file "$TEST_IMG" "$block_size_offset" "\xff\xff\xfe\x00"
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== offsets_size overflow ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
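Review bot: the heading `"== offsets_size overflow ==="` again carries three trailing `=` (mirrored in 075.out); make the headings consistent. Poking n_blocks to `\xff\xff\xff\xff` does exercise the new check, but a value just past the limit (536870912, `\x20\x00\x00\x00`) would pin the boundary of the `>` comparison and catch an off-by-one, which is exactly the kind of slip patch 075 in this series then makes in the same expression.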
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index d362c95..a771789 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -15,4 +15,8 @@ no file open, try 'help open'
 == huge block_size ===
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 4294966784 must be 64 MB or less
 no file open, try 'help open'
+
+== offsets_size overflow ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
+no file open, try 'help open'
 *** done
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (71 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Michael Roth
                   ` (83 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Limit offsets_size to 512 MB so that:

1. g_malloc() does not abort due to an unreasonable size argument.

2. offsets_size does not overflow the bdrv_pread() int size argument.

This limit imposes a maximum image size of 16 TB at 256 KB block size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 7b103b36d6ef3b11827c203d3a793bf7da50ecd6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/cloop.c              | 9 +++++++++
 tests/qemu-iotests/075     | 6 ++++++
 tests/qemu-iotests/075.out | 4 ++++
 3 files changed, 19 insertions(+)

diff --git a/block/cloop.c b/block/cloop.c
index 563e916..844665e 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -107,6 +107,15 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
         return -EINVAL;
     }
     offsets_size = s->n_blocks * sizeof(uint64_t);
+    if (offsets_size > 512 * 1024 * 1024) {
+        /* Prevent ridiculous offsets_size which causes memory allocation to
+         * fail or overflows bdrv_pread() size.  In practice the 512 MB
+         * offsets[] limit supports 16 TB images at 256 KB block size.
+         */
+        error_setg(errp, "image requires too many offsets, "
+                   "try increasing block size");
+        return -EINVAL;
+    }
     s->offsets = g_malloc(offsets_size);
 
     ret = bdrv_pread(bs->file, 128 + 4 + 4, s->offsets, offsets_size);
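Review bot: `512 * 1024 * 1024` is a bare literal where the previous patches introduced a named MAX_BLOCK_SIZE; a `MAX_OFFSETS_SIZE` define beside it keeps the comment's "512 MB" and the code from drifting apart. The error message is also the only one in this series that omits the offending value; printing n_blocks or offsets_size makes a rejected image diagnosable from the log alone, which matters when the image arrived from an untrusted source. The arithmetic in the comment checks out: 512 MiB / 8 bytes per entry = 64 Mi offsets, times 256 KiB per block, is 16 TiB.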
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 9ce6b1f..9c00fa8 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -74,6 +74,12 @@ _use_sample_img simple-pattern.cloop.bz2
 poke_file "$TEST_IMG" "$n_blocks_offset" "\xff\xff\xff\xff"
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== refuse images that require too many offsets ==="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
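Review bot: `\x04\x00\x00\x01` is the first rejected value (0x04000000 * 8 is exactly 512 MiB and passes the `>` comparison), so this case pins the boundary nicely; a comment stating that would stop someone "simplifying" it to a rounder number. Once the extra end-of-file offset is accounted for (patch 075 in this series), 0x04000000 also ends up one entry over the limit, so the expected output stays the same while the boundary value shifts; the comment should say which boundary it is testing.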
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index a771789..7cdaee1 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -19,4 +19,8 @@ no file open, try 'help open'
 == offsets_size overflow ===
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: n_blocks 4294967295 must be 536870911 or less
 no file open, try 'help open'
+
+== refuse images that require too many offsets ===
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
+no file open, try 'help open'
 *** done
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (72 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one Michael Roth
                   ` (82 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

The offsets[] array allows efficient seeking and tells us the maximum
compressed data size.  If the offsets are bogus the maximum compressed
data size will be unrealistic.

This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway.  Therefore we should refuse such images.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f56b9bc3ae20fc93815b34aa022be919941406ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/cloop.c              | 34 +++++++++++++++++++++++++++++-----
 tests/qemu-iotests/075     | 15 +++++++++++++++
 tests/qemu-iotests/075.out |  8 ++++++++
 3 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/block/cloop.c b/block/cloop.c
index 844665e..55a804f 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -124,12 +124,36 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     for(i=0;i<s->n_blocks;i++) {
+        uint64_t size;
+
         s->offsets[i] = be64_to_cpu(s->offsets[i]);
-        if (i > 0) {
-            uint32_t size = s->offsets[i] - s->offsets[i - 1];
-            if (size > max_compressed_block_size) {
-                max_compressed_block_size = size;
-            }
+        if (i == 0) {
+            continue;
+        }
+
+        if (s->offsets[i] < s->offsets[i - 1]) {
+            error_setg(errp, "offsets not monotonically increasing at "
+                       "index %u, image file is corrupt", i);
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        size = s->offsets[i] - s->offsets[i - 1];
+
+        /* Compressed blocks should be smaller than the uncompressed block size
+         * but maybe compression performed poorly so the compressed block is
+         * actually bigger.  Clamp down on unrealistic values to prevent
+         * ridiculous s->compressed_block allocation.
+         */
+        if (size > 2 * MAX_BLOCK_SIZE) {
+            error_setg(errp, "invalid compressed block size at index %u, "
+                       "image file is corrupt", i);
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        if (size > max_compressed_block_size) {
+            max_compressed_block_size = size;
         }
     }
 
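Review bot: changing `size` from uint32_t to uint64_t is the substantive part of this hunk and deserves a sentence in the commit message: with the old `uint32_t size = s->offsets[i] - s->offsets[i - 1]`, two offsets exactly 4 GiB apart produced size 0 and sailed past any maximum, whereas the 64-bit difference is now compared against `2 * MAX_BLOCK_SIZE` before it can be narrowed. The monotonicity test uses `<`, so equal consecutive offsets (a zero-length compressed block) are still accepted; harmless for allocation, but inflate will fail on read, so rejecting it here with the same "image file is corrupt" message gives a clearer diagnostic. For the two new `goto fail` paths, confirm that `fail:` frees s->offsets, since the next patch makes that buffer unconditional.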
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index 9c00fa8..d74fb33 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -44,6 +44,7 @@ _supported_os Linux
 
 block_size_offset=128
 n_blocks_offset=132
+offsets_offset=136
 
 echo
 echo "== check that the first sector can be read =="
@@ -80,6 +81,20 @@ _use_sample_img simple-pattern.cloop.bz2
 poke_file "$TEST_IMG" "$n_blocks_offset" "\x04\x00\x00\x01"
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== refuse images with non-monotonically increasing offsets =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\xff\xff\xff\xff"
+poke_file "$TEST_IMG" $((offsets_offset + 8)) "\x00\x00\x00\x00\xff\xfe\x00\x00"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== refuse images with invalid compressed block size =="
+_use_sample_img simple-pattern.cloop.bz2
+poke_file "$TEST_IMG" "$offsets_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
+poke_file "$TEST_IMG" $((offsets_offset + 8)) "\xff\xff\xff\xff\xff\xff\xff\xff"
+$QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
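Review bot: the two new cases cover a decreasing table and a 2^64 gap, but neither exercises the uint32_t truncation the code change fixes, because `\xff...\xff` minus 0 still exceeds the limit after being cut to 32 bits. A third case with offsets[1] = offsets[0] + 2^32 (`\x00\x00\x00\x01\x00\x00\x00\x00` at `$((offsets_offset + 8))`) would verify the 64-bit subtraction, since that difference truncates to exactly 0 in the old code.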
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index 7cdaee1..911cd3b 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -23,4 +23,12 @@ no file open, try 'help open'
 == refuse images that require too many offsets ===
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: image requires too many offsets, try increasing block size
 no file open, try 'help open'
+
+== refuse images with non-monotonically increasing offsets ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: offsets not monotonically increasing at index 1, image file is corrupt
+no file open, try 'help open'
+
+== refuse images with invalid compressed block size ==
+qemu-io: can't open device TEST_DIR/simple-pattern.cloop: invalid compressed block size at index 1, image file is corrupt
+no file open, try 'help open'
 *** done
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (73 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format Michael Roth
                   ` (81 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

cloop stores the number of compressed blocks in the n_blocks header
field.  The file actually contains n_blocks + 1 offsets, where the extra
offset is the end-of-file offset.

The following line in cloop_read_block() results in an out-of-bounds
offsets[] access:

    uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];

This patch allocates and loads the extra offset so that
cloop_read_block() works correctly when the last block is accessed.

Notice that we must free s->offsets[] unconditionally now since there is
always an end-of-file offset.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 42d43d35d907579179a39c924d169da924786f65)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/cloop.c              | 12 +++++-------
 tests/qemu-iotests/075     |  5 +++++
 tests/qemu-iotests/075.out |  4 ++++
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/block/cloop.c b/block/cloop.c
index 55a804f..b6ad50f 100644
--- a/block/cloop.c
+++ b/block/cloop.c
@@ -99,14 +99,14 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
     s->n_blocks = be32_to_cpu(s->n_blocks);
 
     /* read offsets */
-    if (s->n_blocks > UINT32_MAX / sizeof(uint64_t)) {
+    if (s->n_blocks > (UINT32_MAX - 1) / sizeof(uint64_t)) {
         /* Prevent integer overflow */
         error_setg(errp, "n_blocks %u must be %zu or less",
                    s->n_blocks,
-                   UINT32_MAX / sizeof(uint64_t));
+                   (UINT32_MAX - 1) / sizeof(uint64_t));
         return -EINVAL;
     }
-    offsets_size = s->n_blocks * sizeof(uint64_t);
+    offsets_size = (s->n_blocks + 1) * sizeof(uint64_t);
     if (offsets_size > 512 * 1024 * 1024) {
         /* Prevent ridiculous offsets_size which causes memory allocation to
          * fail or overflows bdrv_pread() size.  In practice the 512 MB
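Review bot: the new bound does not do what the diff intends. `(UINT32_MAX - 1) / sizeof(uint64_t)` is 4294967294 / 8 = 536870911, the same value as `UINT32_MAX / sizeof(uint64_t)` before the change, which is why the expected output "must be 536870911 or less" in 075.out needed no update in this patch. With n_blocks = 536870911 the new `(s->n_blocks + 1) * sizeof(uint64_t)` is 2^32, which becomes 0 when stored in the uint32_t offsets_size (on a 32-bit host the product itself wraps to 0); the 512 MB check then passes, g_malloc(0) returns NULL and the byte-swap loop below dereferences it. The subtraction belongs outside the division: `UINT32_MAX / sizeof(uint64_t) - 1` (536870910), with the message and 075.out updated to match.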
@@ -123,7 +123,7 @@ static int cloop_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
-    for(i=0;i<s->n_blocks;i++) {
+    for (i = 0; i < s->n_blocks + 1; i++) {
         uint64_t size;
 
         s->offsets[i] = be64_to_cpu(s->offsets[i]);
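Review bot: iterating n_blocks + 1 times means the monotonicity and `2 * MAX_BLOCK_SIZE` checks from the previous patch now also cover the last block's compressed size, which is what makes the last-sector read safe. The condition `i < s->n_blocks + 1` is evaluated in 32-bit unsigned arithmetic and cannot wrap only because n_blocks was bounded above; `i <= s->n_blocks` says the same thing without depending on that bound.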
@@ -243,9 +243,7 @@ static coroutine_fn int cloop_co_read(BlockDriverState *bs, int64_t sector_num,
 static void cloop_close(BlockDriverState *bs)
 {
     BDRVCloopState *s = bs->opaque;
-    if (s->n_blocks > 0) {
-        g_free(s->offsets);
-    }
+    g_free(s->offsets);
     g_free(s->compressed_block);
     g_free(s->uncompressed_block);
     inflateEnd(&s->zstream);
diff --git a/tests/qemu-iotests/075 b/tests/qemu-iotests/075
index d74fb33..40032c5 100755
--- a/tests/qemu-iotests/075
+++ b/tests/qemu-iotests/075
@@ -52,6 +52,11 @@ _use_sample_img simple-pattern.cloop.bz2
 $QEMU_IO -c "read 0 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
 
 echo
+echo "== check that the last sector can be read =="
+_use_sample_img simple-pattern.cloop.bz2
+$QEMU_IO -c "read $((1024 * 1024 - 512)) 512" $TEST_IMG 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
 echo "== block_size must be a multiple of 512 =="
 _use_sample_img simple-pattern.cloop.bz2
 poke_file "$TEST_IMG" "$block_size_offset" "\x00\x00\x02\x01"
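Review bot: the last-sector read hard-codes the sample image as 1 MiB (`1024 * 1024 - 512`, i.e. offset 1048064 in 075.out). If the sample image is ever regenerated at another size the test silently stops exercising the final block instead of failing; a comment stating the 1 MiB assumption next to the read is cheap insurance.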
diff --git a/tests/qemu-iotests/075.out b/tests/qemu-iotests/075.out
index 911cd3b..5f1d6c1 100644
--- a/tests/qemu-iotests/075.out
+++ b/tests/qemu-iotests/075.out
@@ -4,6 +4,10 @@ QA output created by 075
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 
+== check that the last sector can be read ==
+read 512/512 bytes at offset 1048064
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
 == block_size must be a multiple of 512 ==
 qemu-io: can't open device TEST_DIR/simple-pattern.cloop: block_size 513 must be a multiple of 512
 no file open, try 'help open'
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread
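The five cloop patches above (071 to 075) each add one header check; the following is an added example, not QEMU code, that re-implements the whole set as a stand-alone validator over constructed in-memory images so the checks can be seen together and tested on each rejection case from test 075. The field offsets (block_size at 128, n_blocks at 132, offsets[] at 136) follow the test script; the function names, the error enum and the n_blocks bound, which here accounts for the end-of-file entry by subtracting outside the division, are this example's own.

```c
/* Added example (not QEMU code): cloop header validation as one function,
 * exercised on constructed images.  Offsets follow tests/qemu-iotests/075. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_PREAMBLE      128                  /* bytes before block_size */
#define MAX_BLOCK_SIZE    (64 * 1024 * 1024)   /* uncompressed block bound */
#define MAX_OFFSETS_SIZE  (512 * 1024 * 1024)  /* offsets[] byte bound */

enum cloop_err {
    CLOOP_OK = 0,
    CLOOP_ETRUNC,         /* image shorter than the table it declares */
    CLOOP_EBLKSZ_ALIGN,   /* block_size not a multiple of 512 */
    CLOOP_EBLKSZ_ZERO,    /* block_size == 0 */
    CLOOP_EBLKSZ_HUGE,    /* block_size > MAX_BLOCK_SIZE */
    CLOOP_ENBLOCKS,       /* (n_blocks + 1) * 8 would not fit in 32 bits */
    CLOOP_EOFFSETS_SIZE,  /* offsets[] larger than MAX_OFFSETS_SIZE */
    CLOOP_EOFFSETS_ORDER, /* offsets not monotonically increasing */
    CLOOP_ECOMPSZ,        /* compressed block > 2 * MAX_BLOCK_SIZE */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Validate header fields and the offsets table of an in-memory image.
 * On success *max_comp is the largest compressed block, i.e. the size the
 * driver would allocate for its compressed-block buffer. */
enum cloop_err cloop_validate(const uint8_t *img, size_t len, uint64_t *max_comp)
{
    if (len < HDR_PREAMBLE + 8) return CLOOP_ETRUNC;
    uint32_t block_size = get_be32(img + HDR_PREAMBLE);
    uint32_t n_blocks   = get_be32(img + HDR_PREAMBLE + 4);

    if (block_size % 512) return CLOOP_EBLKSZ_ALIGN;   /* 0 passes this... */
    if (block_size == 0) return CLOOP_EBLKSZ_ZERO;     /* ...so test it apart */
    if (block_size > MAX_BLOCK_SIZE) return CLOOP_EBLKSZ_HUGE;

    /* The table holds n_blocks + 1 entries (last one is the end-of-file
     * offset).  Bound n_blocks so (n_blocks + 1) * 8 fits in 32 bits; the
     * "- 1" must sit outside the division to actually shrink the limit. */
    if (n_blocks > UINT32_MAX / sizeof(uint64_t) - 1) return CLOOP_ENBLOCKS;
    uint32_t offsets_size = (n_blocks + 1) * (uint32_t)sizeof(uint64_t);
    if (offsets_size > MAX_OFFSETS_SIZE) return CLOOP_EOFFSETS_SIZE;
    if (len - HDR_PREAMBLE - 8 < offsets_size) return CLOOP_ETRUNC;

    const uint8_t *tbl = img + HDR_PREAMBLE + 8;
    uint64_t prev = 0, largest = 0;
    for (uint32_t i = 0; i <= n_blocks; i++) {
        const uint8_t *e = tbl + (size_t)i * 8;
        uint64_t off = ((uint64_t)get_be32(e) << 32) | get_be32(e + 4);
        if (i > 0) {
            if (off < prev) return CLOOP_EOFFSETS_ORDER;
            uint64_t size = off - prev;  /* 64-bit: a 4 GiB gap cannot become 0 */
            if (size > 2 * (uint64_t)MAX_BLOCK_SIZE) return CLOOP_ECOMPSZ;
            if (size > largest) largest = size;
        }
        prev = off;
    }
    if (max_comp) *max_comp = largest;
    return CLOOP_OK;
}

/* Build a constructed image (zeroed preamble, header fields, up to four
 * offsets) and validate it. */
enum cloop_err check(uint32_t block_size, uint32_t n_blocks,
                     const uint64_t *offs, size_t n_offs, uint64_t *max_comp)
{
    uint8_t img[HDR_PREAMBLE + 8 + 4 * 8] = {0};
    if (n_offs > 4) return CLOOP_ETRUNC;
    put_be32(img + HDR_PREAMBLE, block_size);
    put_be32(img + HDR_PREAMBLE + 4, n_blocks);
    for (size_t i = 0; i < n_offs; i++) {
        put_be32(img + HDR_PREAMBLE + 8 + i * 8, (uint32_t)(offs[i] >> 32));
        put_be32(img + HDR_PREAMBLE + 12 + i * 8, (uint32_t)offs[i]);
    }
    return cloop_validate(img, HDR_PREAMBLE + 8 + n_offs * 8, max_comp);
}

/* Largest compressed block of a constructed table, or 0 if it is rejected. */
uint64_t largest_block(const uint64_t *offs, size_t n_offs)
{
    uint64_t m = 0;
    return check(512, (uint32_t)(n_offs - 1), offs, n_offs, &m) == CLOOP_OK ? m : 0;
}

/* Constructed offsets tables mirroring the cases in test 075 */
const uint64_t good_offs[] = { 0x100, 0x200, 0x300 };     /* 2 blocks + EOF */
const uint64_t decr_offs[] = { 0xffffffff, 0xfffe0000 };  /* decreasing */
const uint64_t huge_offs[] = { 0, UINT64_MAX };           /* absurd block */
const uint64_t wrap_offs[] = { 0, 0x100000000ULL };       /* exactly 4 GiB */

int main(void)
{
    printf("valid image:     %d\n", check(512, 2, good_offs, 3, NULL));
    printf("block_size 513:  %d\n", check(513, 2, good_offs, 3, NULL));
    printf("n_blocks 2^32-1: %d\n", check(512, 0xffffffffu, NULL, 0, NULL));
    printf("4 GiB gap:       %d\n", check(512, 1, wrap_offs, 2, NULL));
    return 0;
}
```

The `wrap_offs` case is the one a 32-bit `size` would have missed: the difference is exactly 2^32, which truncates to 0, while the 64-bit subtraction keeps it and the `2 * MAX_BLOCK_SIZE` limit rejects it. The `n_blocks` bound of 536870910 is one lower than the value in the patches, because the extra end-of-file entry is counted before the multiplication.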

* [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (74 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED Michael Roth
                   ` (80 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 24f3078a049c52070adfc659fc3a1a71a11a7765)

Conflicts:
	tests/qemu-iotests/group

*fix context mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tests/qemu-iotests/078                           |  53 +++++++++++++++++++++++
 tests/qemu-iotests/078.out                       |   6 +++
 tests/qemu-iotests/common                        |   7 +++
 tests/qemu-iotests/group                         |   1 +
 tests/qemu-iotests/sample_images/empty.bochs.bz2 | Bin 0 -> 118 bytes
 5 files changed, 67 insertions(+)
 create mode 100755 tests/qemu-iotests/078
 create mode 100644 tests/qemu-iotests/078.out
 create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2

diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
new file mode 100755
index 0000000..f55f46d
--- /dev/null
+++ b/tests/qemu-iotests/078
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# bochs format input validation tests
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt bochs
+_supported_proto generic
+_supported_os Linux
+
+echo
+echo "== Read from a valid image =="
+_use_sample_img empty.bochs.bz2
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
new file mode 100644
index 0000000..25d37c5
--- /dev/null
+++ b/tests/qemu-iotests/078.out
@@ -0,0 +1,6 @@
+QA output created by 078
+
+== Read from a valid image ==
+read 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+*** done
diff --git a/tests/qemu-iotests/common b/tests/qemu-iotests/common
index b5043fc..35abbfc 100644
--- a/tests/qemu-iotests/common
+++ b/tests/qemu-iotests/common
@@ -128,6 +128,7 @@ common options
 
 check options
     -raw                test raw (default)
+    -bochs              test bochs
     -cow                test cow
     -cloop              test cloop
     -qcow               test qcow
@@ -163,6 +164,12 @@ testlist options
             xpand=false
             ;;
 
+        -bochs)
+            IMGFMT=bochs
+            IMGFMT_GENERIC=false
+            xpand=false
+            ;;
+
         -cow)
             IMGFMT=cow
             xpand=false
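Review bot: setting `IMGFMT_GENERIC=false` for bochs is the opt-out that the `_supported_fmt` comment in common.rc describes for read-only formats, so `_supported_fmt generic` tests will be skipped rather than fail on an image that cannot be written. Confirm that the `-cloop` case added by the neighbouring patch in this series sets the same variable, since cloop is read-only as well and would otherwise be picked up by every generic test.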
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 7520928..97226d4 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -78,3 +78,4 @@
 070 rw auto
 073 rw auto
 075 rw auto
+078 rw auto
diff --git a/tests/qemu-iotests/sample_images/empty.bochs.bz2 b/tests/qemu-iotests/sample_images/empty.bochs.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..7a29c6ed763407f2de067d2618e6a60fb23812b8
GIT binary patch
literal 118
zcmZ>Y%CIzaj8qGbEHvXuW?+ykpYp%q0D}XA$OAzJz31~91b}P?js*-MrV1$+l1$i~
z-4}9X&0;tqx7fiX<AheW%Z6AkV-}vCX-a&`bK=V?6cx(PyWI7EdEsra!@~6!wUt9A
V{S18A!=S+OU%bfGB47f@9suImDUARC

literal 0
HcmV?d00001

-- 
1.9.1

^ permalink raw reply related	[flat|nested] 160+ messages in thread

* [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (75 preceding siblings ...)
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format Michael Roth
@ 2014-07-08 17:17 ` Michael Roth
  2014-07-08 17:17 ` [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Michael Roth
                   ` (79 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This is an on-disk structure, so offsets must be accurate.

Before this patch, sizeof(bochs) != sizeof(header_v1), which makes the
memcpy() between both invalid. We're lucky enough that the destination
buffer happened to be the larger one, and the memcpy size to be taken
from the smaller one, so we didn't get a buffer overflow in practice.

This patch unifies both structures, eliminating the need to do a
memcpy in the first place. The common fields are extracted to the top
level of the struct and the actually differing part gets a union of the
two versions.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 3dd8a6763bcc50dfc3de8da9279b741c0dea9fb1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/bochs.c | 67 ++++++++++++++++++++++-------------------------------------
 1 file changed, 25 insertions(+), 42 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 51d9a90..708780d 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -39,45 +39,30 @@
 // not allocated: 0xffffffff
 
 // always little-endian
-struct bochs_header_v1 {
-    char magic[32]; // "Bochs Virtual HD Image"
-    char type[16]; // "Redolog"
-    char subtype[16]; // "Undoable" / "Volatile" / "Growing"
-    uint32_t version;
-    uint32_t header; // size of header
-
-    union {
-	struct {
-	    uint32_t catalog; // num of entries
-	    uint32_t bitmap; // bitmap size
-	    uint32_t extent; // extent size
-	    uint64_t disk; // disk size
-	    char padding[HEADER_SIZE - 64 - 8 - 20];
-	} redolog;
-	char padding[HEADER_SIZE - 64 - 8];
-    } extra;
-};
-
-// always little-endian
 struct bochs_header {
-    char magic[32]; // "Bochs Virtual HD Image"
-    char type[16]; // "Redolog"
-    char subtype[16]; // "Undoable" / "Volatile" / "Growing"
+    char magic[32];     /* "Bochs Virtual HD Image" */
+    char type[16];      /* "Redolog" */
+    char subtype[16];   /* "Undoable" / "Volatile" / "Growing" */
     uint32_t version;
-    uint32_t header; // size of header
+    uint32_t header;    /* size of header */
+
+    uint32_t catalog;   /* num of entries */
+    uint32_t bitmap;    /* bitmap size */
+    uint32_t extent;    /* extent size */
 
     union {
-	struct {
-	    uint32_t catalog; // num of entries
-	    uint32_t bitmap; // bitmap size
-	    uint32_t extent; // extent size
-	    uint32_t reserved; // for ???
-	    uint64_t disk; // disk size
-	    char padding[HEADER_SIZE - 64 - 8 - 24];
-	} redolog;
-	char padding[HEADER_SIZE - 64 - 8];
+        struct {
+            uint32_t reserved;  /* for ??? */
+            uint64_t disk;      /* disk size */
+            char padding[HEADER_SIZE - 64 - 20 - 12];
+        } QEMU_PACKED redolog;
+        struct {
+            uint64_t disk;      /* disk size */
+            char padding[HEADER_SIZE - 64 - 20 - 8];
+        } QEMU_PACKED redolog_v1;
+        char padding[HEADER_SIZE - 64 - 20];
     } extra;
-};
+} QEMU_PACKED;
 
 typedef struct BDRVBochsState {
     CoMutex lock;
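Review bot: the padding arithmetic is now self-consistent: the fixed part is 64 + 20 bytes, the `redolog` arm is 12 + (HEADER_SIZE - 64 - 20 - 12), `redolog_v1` is 8 + (HEADER_SIZE - 64 - 20 - 8), and the bare padding is HEADER_SIZE - 64 - 20, so every union arm is HEADER_SIZE - 84 bytes and the packed struct is exactly HEADER_SIZE. The on-disk offsets depend on that invariant (`redolog_v1.disk` at 84, `redolog.disk` at 88), so it is worth pinning with a QEMU_BUILD_BUG_ON(sizeof(struct bochs_header) != HEADER_SIZE) next to the struct rather than trusting the arithmetic to stay in step with future edits.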
@@ -114,7 +99,6 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
     BDRVBochsState *s = bs->opaque;
     int i;
     struct bochs_header bochs;
-    struct bochs_header_v1 header_v1;
     int ret;
 
     bs->read_only = 1; // no write support yet
@@ -133,13 +117,12 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     if (le32_to_cpu(bochs.version) == HEADER_V1) {
-      memcpy(&header_v1, &bochs, sizeof(bochs));
-      bs->total_sectors = le64_to_cpu(header_v1.extra.redolog.disk) / 512;
+        bs->total_sectors = le64_to_cpu(bochs.extra.redolog_v1.disk) / 512;
     } else {
-      bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512;
+        bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512;
     }
 
-    s->catalog_size = le32_to_cpu(bochs.extra.redolog.catalog);
+    s->catalog_size = le32_to_cpu(bochs.catalog);
     s->catalog_bitmap = g_malloc(s->catalog_size * 4);
 
     ret = bdrv_pread(bs->file, le32_to_cpu(bochs.header), s->catalog_bitmap,
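Review bot: the comparison `le32_to_cpu(bochs.version) == HEADER_V1` is now the only thing selecting between the `redolog_v1` and `redolog` union arms, so any version value other than HEADER_V1 is silently interpreted with the current layout; unless an earlier check in bochs_open() already rejects unknown versions, an explicit error for them would be safer than defaulting to the v2 arm.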
@@ -153,10 +136,10 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
 
     s->data_offset = le32_to_cpu(bochs.header) + (s->catalog_size * 4);
 
-    s->bitmap_blocks = 1 + (le32_to_cpu(bochs.extra.redolog.bitmap) - 1) / 512;
-    s->extent_blocks = 1 + (le32_to_cpu(bochs.extra.redolog.extent) - 1) / 512;
+    s->bitmap_blocks = 1 + (le32_to_cpu(bochs.bitmap) - 1) / 512;
+    s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
 
-    s->extent_size = le32_to_cpu(bochs.extra.redolog.extent);
+    s->extent_size = le32_to_cpu(bochs.extent);
 
     qemu_co_mutex_init(&s->lock);
     return 0;
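Review bot: `1 + (le32_to_cpu(bochs.bitmap) - 1) / 512` and the matching `extent` line wrap when the header field is 0 (the subtraction underflows before the division), and neither field is validated at this point; the `extent` case is handled by a later patch in this series, but `bitmap` feeds `s->bitmap_blocks` and has no lower or upper bound anywhere, so a check rejecting a zero or oversized bitmap size belongs here as well.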
-- 
1.9.1


* [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Gets rid of integer overflows resulting in negative sizes which
aren't correctly checked.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 246f65838d19db6db55bfb41117c35645a2c4789)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/bochs.c              | 16 ++++++++--------
 tests/qemu-iotests/078     |  8 ++++++++
 tests/qemu-iotests/078.out |  4 ++++
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 708780d..04cca71 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -67,13 +67,13 @@ struct bochs_header {
 typedef struct BDRVBochsState {
     CoMutex lock;
     uint32_t *catalog_bitmap;
-    int catalog_size;
+    uint32_t catalog_size;
 
-    int data_offset;
+    uint32_t data_offset;
 
-    int bitmap_blocks;
-    int extent_blocks;
-    int extent_size;
+    uint32_t bitmap_blocks;
+    uint32_t extent_blocks;
+    uint32_t extent_size;
 } BDRVBochsState;
 
 static int bochs_probe(const uint8_t *buf, int buf_size, const char *filename)
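Review bot: switching `catalog_size` to uint32_t removes the negative-size path, but `s->catalog_size * 4` in the g_malloc() call in bochs_open() is still a 32-bit multiplication and wraps for any value of 0x40000000 or more, so a bogus header can still request a tiny allocation for a huge catalog; an upper bound on catalog_size (or a 64-bit size computation) is needed in addition to the type change, which the next patch in this series supplies.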
@@ -97,7 +97,7 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
                       Error **errp)
 {
     BDRVBochsState *s = bs->opaque;
-    int i;
+    uint32_t i;
     struct bochs_header bochs;
     int ret;
 
@@ -152,8 +152,8 @@ fail:
 static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
 {
     BDRVBochsState *s = bs->opaque;
-    int64_t offset = sector_num * 512;
-    int64_t extent_index, extent_offset, bitmap_offset;
+    uint64_t offset = sector_num * 512;
+    uint64_t extent_index, extent_offset, bitmap_offset;
     char bitmap_entry;
 
     // seek to sector
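Review bot: `uint64_t offset = sector_num * 512;` still multiplies in signed int64_t because `sector_num` is int64_t, and only the result is converted, so a negative sector_num becomes a very large unsigned offset instead of being rejected here; that is acceptable only if every caller passes an already validated sector_num, which deserves either a comment or an explicit `sector_num < 0` guard.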
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index f55f46d..73b573a 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -42,11 +42,19 @@ _supported_fmt bochs
 _supported_proto generic
 _supported_os Linux
 
+catalog_size_offset=$((0x48))
+
 echo
 echo "== Read from a valid image =="
 _use_sample_img empty.bochs.bz2
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Negative catalog size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
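Review bot: `catalog_size_offset=$((0x48))` is correct for the packed header (32 + 16 + 16 bytes of strings, then the 4-byte version and 4-byte header size, = 72 = 0x48), but the derivation is not visible from the test; a short comment saying the offset follows `struct bochs_header` in block/bochs.c would keep it from silently going stale if the layout changes.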
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index 25d37c5..ef8c42d 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -3,4 +3,8 @@ QA output created by 078
 == Read from a valid image ==
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== Negative catalog size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 'TEST_DIR/empty.bochs': Interrupted system call
+no file open, try 'help open'
 *** done
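Review bot: the expected text `Interrupted system call` shows the corrupted image is rejected only as a side effect of a later read failing, not by an explicit check, so the string is not a stable, driver-defined outcome and may differ between hosts; an explicit bound on catalog_size with a fixed error message (as the next patch adds) is what this test should really be pinning down.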
-- 
1.9.1


* [Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e3737b820b45e54b059656dc3f914f895ac7a88b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/bochs.c              | 13 +++++++++++++
 tests/qemu-iotests/078     | 13 +++++++++++++
 tests/qemu-iotests/078.out | 10 +++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/block/bochs.c b/block/bochs.c
index 04cca71..d1b1a2c 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -122,7 +122,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
         bs->total_sectors = le64_to_cpu(bochs.extra.redolog.disk) / 512;
     }
 
+    /* Limit to 1M entries to avoid unbounded allocation. This is what is
+     * needed for the largest image that bximage can create (~8 TB). */
     s->catalog_size = le32_to_cpu(bochs.catalog);
+    if (s->catalog_size > 0x100000) {
+        error_setg(errp, "Catalog size is too large");
+        return -EFBIG;
+    }
+
     s->catalog_bitmap = g_malloc(s->catalog_size * 4);
 
     ret = bdrv_pread(bs->file, le32_to_cpu(bochs.header), s->catalog_bitmap,
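Review bot: the early `return -EFBIG;` is fine here because nothing has been allocated yet, but it differs from the check a few lines later that uses `ret = -EINVAL; goto fail;`, so if an allocation is ever moved above this point it will leak; using the `goto fail` form keeps every error path uniform. The 0x100000 limit matches the comment: 1M entries times the 8 MiB extent cap added later in this series is 8 TiB.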
@@ -141,6 +148,12 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
 
     s->extent_size = le32_to_cpu(bochs.extent);
 
+    if (s->catalog_size < bs->total_sectors / s->extent_size) {
+        error_setg(errp, "Catalog size is too small for this disk size");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     qemu_co_mutex_init(&s->lock);
     return 0;
 
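Review bot: `s->catalog_size < bs->total_sectors / s->extent_size` mixes units: total_sectors is in 512-byte sectors and extent_size is in bytes, and seek_to_sector() indexes the catalog by (sector_num * 512) / extent_size, so the number of entries an image needs is total_sectors * 512 / extent_size rounded up; as written the check is a factor of 512 too permissive and accepts catalogs that seek_to_sector() will index past. Suggest `DIV_ROUND_UP(bs->total_sectors, s->extent_size / 512)`. It also divides by `s->extent_size` before that field is checked for zero (the next patch adds the check, so the two patches are only safe together).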
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 73b573a..902ef0f 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
 _supported_os Linux
 
 catalog_size_offset=$((0x48))
+disk_size_offset=$((0x58))
 
 echo
 echo "== Read from a valid image =="
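Review bot: `disk_size_offset=$((0x58))` (88) is the `redolog.disk` position of the current-version layout; a HEADER_V1 image keeps its disk size at 0x54, so the test implicitly assumes empty.bochs.bz2 is not a v1 image, and a comment saying so would avoid confusion when the offset is read next to the struct.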
@@ -55,6 +56,18 @@ _use_sample_img empty.bochs.bz2
 poke_file "$TEST_IMG" "$catalog_size_offset" "\xff\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Overflow for catalog size * sizeof(uint32_t) =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$catalog_size_offset" "\x00\x00\x00\x40"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Too small catalog bitmap for image size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
+{ $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
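Review bot: the value `\x00\x00\x00\x40` (0x40000000 little-endian) is chosen so that `catalog_size * 4` wraps to exactly 0 in 32-bit arithmetic, which is the overflow the new limit is meant to catch, but that intent is not visible from the test name; the disk-size poke `\x00\xc0\x0f\x00\x00\x00\x00\x7f` likewise encodes a deliberately huge size. A comment with the decoded values next to each poke_file line would make the expected failures easy to reason about.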
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index ef8c42d..7254693 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -5,6 +5,14 @@ read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 
 == Negative catalog size ==
-qemu-io: can't open device TEST_DIR/empty.bochs: Could not open 'TEST_DIR/empty.bochs': Interrupted system call
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
+no file open, try 'help open'
+
+== Overflow for catalog size * sizeof(uint32_t) ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too large
+no file open, try 'help open'
+
+== Too small catalog bitmap for image size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size
 no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8e53abbc20d08ae3ec30c2054e1161314ad9501d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/bochs.c              |  8 ++++++++
 tests/qemu-iotests/078     | 13 +++++++++++++
 tests/qemu-iotests/078.out |  8 ++++++++
 3 files changed, 29 insertions(+)

diff --git a/block/bochs.c b/block/bochs.c
index d1b1a2c..0ec980a 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -147,6 +147,14 @@ static int bochs_open(BlockDriverState *bs, QDict *options, int flags,
     s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;
 
     s->extent_size = le32_to_cpu(bochs.extent);
+    if (s->extent_size == 0) {
+        error_setg(errp, "Extent size may not be zero");
+        return -EINVAL;
+    } else if (s->extent_size > 0x800000) {
+        error_setg(errp, "Extent size %" PRIu32 " is too large",
+                   s->extent_size);
+        return -EINVAL;
+    }
 
     if (s->catalog_size < bs->total_sectors / s->extent_size) {
         error_setg(errp, "Catalog size is too small for this disk size");
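Review bot: the zero/oversize check sits after `s->extent_blocks = 1 + (le32_to_cpu(bochs.extent) - 1) / 512;`, which already underflows when the field is 0; the result is discarded because the function returns, but moving the check above that computation (right after the field is read) avoids computing with a value known to be invalid. The 0x800000 cap also still accepts extent sizes that are not multiples of 512, which `extent_blocks` rounds up but the `offset / extent_size` arithmetic in seek_to_sector() does not account for; consider requiring a 512-byte multiple.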
diff --git a/tests/qemu-iotests/078 b/tests/qemu-iotests/078
index 902ef0f..872e734 100755
--- a/tests/qemu-iotests/078
+++ b/tests/qemu-iotests/078
@@ -43,6 +43,7 @@ _supported_proto generic
 _supported_os Linux
 
 catalog_size_offset=$((0x48))
+extent_size_offset=$((0x50))
 disk_size_offset=$((0x58))
 
 echo
@@ -68,6 +69,18 @@ _use_sample_img empty.bochs.bz2
 poke_file "$TEST_IMG" "$disk_size_offset" "\x00\xc0\x0f\x00\x00\x00\x00\x7f"
 { $QEMU_IO -c "read 2T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Negative extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 768k 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Zero extent size =="
+_use_sample_img empty.bochs.bz2
+poke_file "$TEST_IMG" "$extent_size_offset" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/078.out b/tests/qemu-iotests/078.out
index 7254693..ea95ffd 100644
--- a/tests/qemu-iotests/078.out
+++ b/tests/qemu-iotests/078.out
@@ -15,4 +15,12 @@ no file open, try 'help open'
 == Too small catalog bitmap for image size ==
 qemu-io: can't open device TEST_DIR/empty.bochs: Catalog size is too small for this disk size
 no file open, try 'help open'
+
+== Negative extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size 4294967295 is too large
+no file open, try 'help open'
+
+== Zero extent size ==
+qemu-io: can't open device TEST_DIR/empty.bochs: Extent size may not be zero
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 081/156] bochs: Fix bitmap offset calculation
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

32 bit truncation could let us access the wrong offset in the image.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a9ba36a45dfac645a810c31ce15ab393b69d820a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/bochs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/bochs.c b/block/bochs.c
index 0ec980a..5c74223 100644
--- a/block/bochs.c
+++ b/block/bochs.c
@@ -185,8 +185,9 @@ static int64_t seek_to_sector(BlockDriverState *bs, int64_t sector_num)
 	return -1; /* not allocated */
     }
 
-    bitmap_offset = s->data_offset + (512 * s->catalog_bitmap[extent_index] *
-	(s->extent_blocks + s->bitmap_blocks));
+    bitmap_offset = s->data_offset +
+        (512 * (uint64_t) s->catalog_bitmap[extent_index] *
+        (s->extent_blocks + s->bitmap_blocks));
 
     /* read in bitmap for current extent */
     if (bdrv_pread(bs->file, bitmap_offset + (extent_offset / 8),
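Review bot: the `(uint64_t)` cast fixes the 32-bit truncation of the product, but both factors still come from the image: `catalog_bitmap[extent_index]` is a raw catalog entry and `bitmap_blocks` is derived from the `bitmap` header field, which nothing in this series bounds, so `bitmap_offset` remains an unvalidated value that is only caught if bdrv_pread() fails; bounding `bochs.bitmap` in bochs_open() the way `extent` now is would close that.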
-- 
1.9.1


* [Qemu-devel] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Jeff Cody <jcody@redhat.com>

This adds checks to make sure that max_table_entries and block_size
are in sane ranges.  Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded memory allocation, or invalid memory accesses.

Also, the allocation of the pagetable is changed from g_malloc0()
to qemu_blockalign().

Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 97f1c45c6f456572e5b504b8614e4a69e23b8e3a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vpc.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/block/vpc.c b/block/vpc.c
index 577cc45..4acf154 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -45,6 +45,8 @@ enum vhd_type {
 // Seconds since Jan 1, 2000 0:00:00 (UTC)
 #define VHD_TIMESTAMP_BASE 946684800
 
+#define VHD_MAX_SECTORS       (65535LL * 255 * 255)
+
 // always big-endian
 typedef struct vhd_footer {
     char        creator[8]; // "conectix"
@@ -164,6 +166,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     VHDDynDiskHeader *dyndisk_header;
     uint8_t buf[HEADER_SIZE];
     uint32_t checksum;
+    uint64_t computed_size;
     int disk_type = VHD_DYNAMIC;
     int ret;
 
@@ -221,7 +224,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     /* Allow a maximum disk size of approximately 2 TB */
-    if (bs->total_sectors >= 65535LL * 255 * 255) {
+    if (bs->total_sectors >= VHD_MAX_SECTORS) {
         ret = -EFBIG;
         goto fail;
     }
@@ -244,7 +247,23 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
         s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 
         s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
-        s->pagetable = g_malloc(s->max_table_entries * 4);
+
+        if ((bs->total_sectors * 512) / s->block_size > 0xffffffffU) {
+            ret = -EINVAL;
+            goto fail;
+        }
+        if (s->max_table_entries > (VHD_MAX_SECTORS * 512) / s->block_size) {
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        computed_size = (uint64_t) s->max_table_entries * s->block_size;
+        if (computed_size < bs->total_sectors * 512) {
+            ret = -EINVAL;
+            goto fail;
+        }
+
+        s->pagetable = qemu_blockalign(bs, s->max_table_entries * 4);
 
         s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
 
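Review bot: the new bounds do not stop `s->max_table_entries * 4` from wrapping: with the minimum 512-byte block size the second check allows up to VHD_MAX_SECTORS entries (65535 * 255 * 255 = 4261413375), and four times that exceeds 32 bits, so the qemu_blockalign() size can still come out far too small; add an explicit `max_table_entries > INT_MAX / 4` check or compute the size as `(uint64_t) s->max_table_entries * 4`. The three new failure paths also set only `ret = -EINVAL` with no `error_setg(errp, ...)`, unlike the other validation patches in this series, so users get an unexplained open failure.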
@@ -297,7 +316,7 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
     return 0;
 
 fail:
-    g_free(s->pagetable);
+    qemu_vfree(s->pagetable);
 #ifdef CACHE
     g_free(s->pageentry_u8);
 #endif
@@ -819,7 +838,7 @@ static int vpc_has_zero_init(BlockDriverState *bs)
 static void vpc_close(BlockDriverState *bs)
 {
     BDRVVPCState *s = bs->opaque;
-    g_free(s->pagetable);
+    qemu_vfree(s->pagetable);
 #ifdef CACHE
     g_free(s->pageentry_u8);
 #endif
-- 
1.9.1


* [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This fixes some cases of division by zero crashes.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 5e71dfad763d67bb64be79e20e93411c0c30ad25)

Conflicts:
	tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vpc.c                |  5 ++++
 tests/qemu-iotests/088     | 64 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/088.out | 17 ++++++++++++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 87 insertions(+)
 create mode 100755 tests/qemu-iotests/088
 create mode 100644 tests/qemu-iotests/088.out

diff --git a/block/vpc.c b/block/vpc.c
index 4acf154..be4f8ab 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -244,6 +244,11 @@ static int vpc_open(BlockDriverState *bs, QDict *options, int flags,
         }
 
         s->block_size = be32_to_cpu(dyndisk_header->block_size);
+        if (!is_power_of_2(s->block_size) || s->block_size < BDRV_SECTOR_SIZE) {
+            error_setg(errp, "Invalid block size %" PRIu32, s->block_size);
+            ret = -EINVAL;
+            goto fail;
+        }
         s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 
         s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
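Review bot: this check lands before the code from the previous patch that divides by `s->block_size`, so the zero divisor is now unreachable there, and is_power_of_2() rejects 0 as well, matching the expected `Invalid block size 0` output. There is no upper bound, though: a 2 GiB block size passes and makes `s->bitmap_size` and the `(bs->total_sectors * 512) / s->block_size` bound trivially small; a cap on block_size would be cheap to add here.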
diff --git a/tests/qemu-iotests/088 b/tests/qemu-iotests/088
new file mode 100755
index 0000000..c09adf8
--- /dev/null
+++ b/tests/qemu-iotests/088
@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# vpc (VHD) format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+    rm -f $TEST_IMG.snap
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt vpc
+_supported_proto generic
+_supported_os Linux
+
+offset_block_size=$((512 + 32))
+
+echo
+echo "== Invalid block size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_block_size" "\x00\x00\x00\x80"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_block_size" "\x12\x34\x56\x78"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
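Review bot: `_cleanup` removes `$TEST_IMG.snap`, but nothing in this test creates a snapshot file, and `here=\`pwd\`` is never used; both look copied from another test and can be dropped. The three poke values cover the conditions well (0 and 0x80 = 128 for the 512-byte floor, 0x12345678 for the power-of-two rule), so a comment naming each case would make the .out file self-explanatory.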
diff --git a/tests/qemu-iotests/088.out b/tests/qemu-iotests/088.out
new file mode 100644
index 0000000..d961609
--- /dev/null
+++ b/tests/qemu-iotests/088.out
@@ -0,0 +1,17 @@
+QA output created by 088
+
+== Invalid block size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 0
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 128
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.vpc: Invalid block size 305419896
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 97226d4..9b3552f 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -79,3 +79,4 @@
 073 rw auto
 075 rw auto
 078 rw auto
+088 rw auto
-- 
1.9.1


* [Qemu-devel] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:17 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Jeff Cody <jcody@redhat.com>

The maximum blocks_in_image is 0xffffffff / 4, which also limits the
maximum disk_size for a VDI image to 1024TB.  Note that this is the maximum
size that QEMU will currently support with this driver, not necessarily the
maximum size allowed by the image format.

This also fixes an incorrect error message, a bug introduced by commit
5b7aa9b56d1bfc79916262f380c3fc7961becb50 (Reported by Stefan Weil).

Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 63fa06dc978f3669dbfd9443b33cde9e2a7f4b41)

Conflicts:
	block/vdi.c

*modified to retain 1.7's usage of logout() over error_setg()

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vdi.c | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/block/vdi.c b/block/vdi.c
index b6ec002..204a3e5 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -120,6 +120,11 @@ typedef unsigned char uuid_t[16];
 
 #define VDI_IS_ALLOCATED(X) ((X) < VDI_DISCARDED)
 
+/* max blocks in image is (0xffffffff / 4) */
+#define VDI_BLOCKS_IN_IMAGE_MAX  0x3fffffff
+#define VDI_DISK_SIZE_MAX        ((uint64_t)VDI_BLOCKS_IN_IMAGE_MAX * \
+                                  (uint64_t)DEFAULT_CLUSTER_SIZE)
+
 #if !defined(CONFIG_UUID)
 static inline void uuid_generate(uuid_t out)
 {
@@ -384,6 +389,13 @@ static int vdi_open(BlockDriverState *bs, QDict *options, int flags,
     vdi_header_print(&header);
 #endif
 
+    if (header.disk_size > VDI_DISK_SIZE_MAX) {
+        logout("disk size is 0x%" PRIx64 ", max supported is 0x%" PRIx64,
+               header.disk_size, VDI_DISK_SIZE_MAX);
+        ret = -ENOTSUP;
+        goto fail;
+    }
+
     if (header.disk_size % SECTOR_SIZE != 0) {
         /* 'VBoxManage convertfromraw' can create images with odd disk sizes.
            We accept them but round the disk size to the next multiple of
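Review bot: the new logout() format string has no trailing `\n`, while the neighbouring logout() calls in this function (e.g. `unsupported sector size %u B\n`) end with one, so this message will run into the next line of debug output; add the newline. Returning -ENOTSUP for an image that is merely larger than the driver supports is consistent with the other limits here.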
@@ -416,7 +428,7 @@ static int vdi_open(BlockDriverState *bs, QDict *options, int flags,
         logout("unsupported sector size %u B\n", header.sector_size);
         ret = -ENOTSUP;
         goto fail;
-    } else if (header.block_size != 1 * MiB) {
+    } else if (header.block_size != DEFAULT_CLUSTER_SIZE) {
         logout("unsupported block size %u B\n", header.block_size);
         ret = -ENOTSUP;
         goto fail;
@@ -433,6 +445,11 @@ static int vdi_open(BlockDriverState *bs, QDict *options, int flags,
         logout("parent uuid != 0, unsupported\n");
         ret = -ENOTSUP;
         goto fail;
+    } else if (header.blocks_in_image > VDI_BLOCKS_IN_IMAGE_MAX) {
+        logout("too many blocks %u, max is %u)",
+               header.blocks_in_image, VDI_BLOCKS_IN_IMAGE_MAX);
+        ret = -ENOTSUP;
+        goto fail;
     }
 
     bs->total_sectors = header.disk_size / SECTOR_SIZE;
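Review bot: the format string `"too many blocks %u, max is %u)"` has a stray closing parenthesis and, like the other new logout() call, no trailing "\n"; suggest `"too many blocks %u, max is %u\n"`. The check itself is in the right place: blocks_in_image is bounded by VDI_BLOCKS_IN_IMAGE_MAX before total_sectors is derived from disk_size.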
@@ -681,11 +698,20 @@ static int vdi_create(const char *filename, QEMUOptionParameter *options,
         options++;
     }
 
+    if (bytes > VDI_DISK_SIZE_MAX) {
+        result = -ENOTSUP;
+        logout("image size (size is 0x%" PRIx64
+               ", max supported is 0x%" PRIx64 ")",
+               bytes, VDI_DISK_SIZE_MAX);
+        goto exit;
+    }
+
     fd = qemu_open(filename,
                    O_WRONLY | O_CREAT | O_TRUNC | O_BINARY | O_LARGEFILE,
                    0644);
     if (fd < 0) {
-        return -errno;
+        result = -errno;
+        goto exit;
     }
 
     /* We need enough blocks to store the given disk size,
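Review bot: the logout() message `"image size (size is 0x%" PRIx64 ", max supported is 0x%" PRIx64 ")"` reads oddly ("image size (size is ...") and lacks a trailing "\n"; suggest `"unsupported image size 0x%" PRIx64 ", max supported is 0x%" PRIx64 "\n"`. Turning `return -errno` into `result = -errno; goto exit;` is fine as long as the exit label does nothing but return result, which is what the last hunk of this patch adds.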
@@ -746,6 +772,7 @@ static int vdi_create(const char *filename, QEMUOptionParameter *options,
         result = -errno;
     }
 
+exit:
     return result;
 }
 
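Review bot: the new `exit:` label is legal C (labels have their own namespace) but shares its name with the libc function, which is easy to misread; vdi_open in the same file uses `fail:` for the same purpose, so a matching name such as `fail:` or `out:` would be more consistent.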
-- 
1.9.1


* [Qemu-devel] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Jeff Cody <jcody@redhat.com>

Other variables (e.g. sectors_per_block) are calculated using these
variables, and, if they are not range-checked, illegal values could be
obtained, causing infinite loops and other potential issues when
calculating BAT entries.

The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
LogicalSectorSize is required to be either 512 or 4096 bytes.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 1d7678dec4761acdc43439da6ceda41a703ba1a6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vhdx.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/block/vhdx.c b/block/vhdx.c
index 7d1af96..8a70ae8 100644
--- a/block/vhdx.c
+++ b/block/vhdx.c
@@ -785,12 +785,20 @@ static int vhdx_parse_metadata(BlockDriverState *bs, BDRVVHDXState *s)
     le32_to_cpus(&s->logical_sector_size);
     le32_to_cpus(&s->physical_sector_size);
 
-    if (s->logical_sector_size == 0 || s->params.block_size == 0) {
+    if (s->params.block_size < VHDX_BLOCK_SIZE_MIN ||
+        s->params.block_size > VHDX_BLOCK_SIZE_MAX) {
         ret = -EINVAL;
         goto exit;
     }
 
-    /* both block_size and sector_size are guaranteed powers of 2 */
+    /* only 2 supported sector sizes */
+    if (s->logical_sector_size != 512 && s->logical_sector_size != 4096) {
+        ret = -EINVAL;
+        goto exit;
+    }
+
+    /* Both block_size and sector_size are guaranteed powers of 2, below.
+       Due to range checks above, s->sectors_per_block can never be < 256 */
     s->sectors_per_block = s->params.block_size / s->logical_sector_size;
     s->chunk_ratio = (VHDX_MAX_SECTORS_PER_BLOCK) *
                      (uint64_t)s->logical_sector_size /
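Review bot: the new comment says block_size and sector_size are "guaranteed powers of 2, below", but the checks added here only enforce a range for block_size (VHDX_BLOCK_SIZE_MIN..VHDX_BLOCK_SIZE_MAX); a value such as 1 MB + 512 lies inside that range and would make sectors_per_block a non-power-of-two. If the power-of-two check the comment refers to is not actually somewhere below in this function, add an explicit one next to the range check (QEMU's is_power_of_2() from qemu/host-utils.h); otherwise reword the comment to say where the guarantee comes from. VHDX_BLOCK_SIZE_MIN/MAX are also not defined in this diff, so confirm they exist in block/vhdx.h with the 1 MB / 256 MB values the commit message cites.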
-- 
1.9.1


* [Qemu-devel] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Fam Zheng <famz@redhat.com>

curl_read_cb is the callback function for libcurl when data arrives. The
data size passed in here is not guaranteed to be within the range of the
request we submitted, so we may overflow the guest IO buffer. Check the
real size we have before the memcpy to the buffer to avoid overflow.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6d4b9e55fc625514a38d27cff4b9933f617fa7dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/curl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/curl.c b/block/curl.c
index 1c04dcc..47cf70a 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -157,6 +157,11 @@ static size_t curl_read_cb(void *ptr, size_t size, size_t nmemb, void *opaque)
     if (!s || !s->orig_buf)
         goto read_end;
 
+    if (s->buf_off >= s->buf_len) {
+        /* buffer full, read nothing */
+        return 0;
+    }
+    realsize = MIN(realsize, s->buf_len - s->buf_off);
     memcpy(s->orig_buf + s->buf_off, ptr, realsize);
     s->buf_off += realsize;
 
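Review bot: the two early exits in curl_read_cb now behave differently: the `!s || !s->orig_buf` case does `goto read_end`, while the buffer-full case added here returns 0 directly. Returning fewer bytes than size * nmemb makes libcurl abort the transfer with a write error, which is presumably the intent once the guest buffer is already full, but the comment should say so ("buffer full, abort transfer") or both paths should use the same exit. The MIN() clamp before memcpy is the actual overflow fix and is correct given that buf_off < buf_len holds at that point.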
-- 
1.9.1


* [Qemu-devel] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This fixes an unbounded allocation for s->unknown_header_fields.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 24342f2cae47d03911e346fe1e520b00dc2818e0)

Conflicts:
	tests/qemu-iotests/group

*fixed context mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 34 +++++++++++++++++++-------
 tests/qemu-iotests/080     | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/080.out |  9 +++++++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 96 insertions(+), 9 deletions(-)
 create mode 100755 tests/qemu-iotests/080
 create mode 100644 tests/qemu-iotests/080.out

diff --git a/block/qcow2.c b/block/qcow2.c
index f2897b6..e4280a2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -463,6 +463,18 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
 
     s->qcow_version = header.version;
 
+    /* Initialise cluster size */
+    if (header.cluster_bits < MIN_CLUSTER_BITS ||
+        header.cluster_bits > MAX_CLUSTER_BITS) {
+        error_setg(errp, "Unsupported cluster size: 2^%i", header.cluster_bits);
+        ret = -EINVAL;
+        goto fail;
+    }
+
+    s->cluster_bits = header.cluster_bits;
+    s->cluster_size = 1 << s->cluster_bits;
+    s->cluster_sectors = 1 << (s->cluster_bits - 9);
+
     /* Initialise version 3 header fields */
     if (header.version == 2) {
         header.incompatible_features    = 0;
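Review bot: moving the cluster_bits range check ahead of the version-3 field handling is required, not cosmetic: the header_length check added in the next hunk compares against s->cluster_size, which is only meaningful once cluster_bits has been validated and s->cluster_size set. A one-line comment saying that the ordering matters would keep a later refactor from moving the check back down.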
@@ -476,6 +488,18 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         be64_to_cpus(&header.autoclear_features);
         be32_to_cpus(&header.refcount_order);
         be32_to_cpus(&header.header_length);
+
+        if (header.header_length < 104) {
+            error_setg(errp, "qcow2 header too short");
+            ret = -EINVAL;
+            goto fail;
+        }
+    }
+
+    if (header.header_length > s->cluster_size) {
+        error_setg(errp, "qcow2 header exceeds cluster size");
+        ret = -EINVAL;
+        goto fail;
     }
 
     if (header.header_length > sizeof(header)) {
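Review bot: the literal 104 in `header.header_length < 104` is a magic number; name it (it is the size of the mandatory version-3 header, which tests/qemu-iotests/080 also hard-codes as header_size=104) or derive it from the header layout so the two stay in sync. The `> s->cluster_size` check is what bounds the allocation for unknown_header_fields that the `> sizeof(header)` path below performs, so the order of the two checks is correct.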
@@ -532,12 +556,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     }
     s->refcount_order = header.refcount_order;
 
-    if (header.cluster_bits < MIN_CLUSTER_BITS ||
-        header.cluster_bits > MAX_CLUSTER_BITS) {
-        error_setg(errp, "Unsupported cluster size: 2^%i", header.cluster_bits);
-        ret = -EINVAL;
-        goto fail;
-    }
     if (header.crypt_method > QCOW_CRYPT_AES) {
         error_setg(errp, "Unsupported encryption method: %i",
                    header.crypt_method);
@@ -548,9 +566,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     if (s->crypt_method_header) {
         bs->encrypted = 1;
     }
-    s->cluster_bits = header.cluster_bits;
-    s->cluster_size = 1 << s->cluster_bits;
-    s->cluster_sectors = 1 << (s->cluster_bits - 9);
+
     s->l2_bits = s->cluster_bits - 3; /* L2 is always one cluster */
     s->l2_size = 1 << s->l2_bits;
     bs->total_sectors = header.size / 512;
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
new file mode 100755
index 0000000..6512701
--- /dev/null
+++ b/tests/qemu-iotests/080
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# qcow2 format input validation tests
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow2
+_supported_proto generic
+_supported_os Linux
+
+header_size=104
+offset_header_size=100
+offset_ext_magic=$header_size
+offset_ext_size=$((header_size + 4))
+
+echo
+echo "== Huge header size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_header_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
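Review bot: the test only exercises the "qcow2 header exceeds cluster size" path (0xffffffff and 0x7fffffff written at offset 100); the new "qcow2 header too short" check (header_length < 104) has no case. A third poke with a small value such as "\x00\x00\x00\x60" at $offset_header_size, plus its expected output line, would cover both new rejections.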
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
new file mode 100644
index 0000000..41a166a
--- /dev/null
+++ b/tests/qemu-iotests/080.out
@@ -0,0 +1,9 @@
+QA output created by 080
+
+== Huge header size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 9b3552f..d0b762c 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -79,4 +79,5 @@
 073 rw auto
 075 rw auto
 078 rw auto
+080 rw auto
 088 rw auto
-- 
1.9.1


* [Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:17 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Header, header extension and the backing file name must all be stored in
the first cluster. Setting the backing file to a much higher value
allowed header extensions to become much bigger than we want them to be
(unbounded allocation).

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit a1b3955c9415b1e767c130a2f59fee6aa28e575b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              |  6 ++++++
 tests/qemu-iotests/080     | 12 ++++++++++++
 tests/qemu-iotests/080.out |  7 +++++++
 3 files changed, 25 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index e4280a2..a6ad44e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -514,6 +514,12 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         }
     }
 
+    if (header.backing_file_offset > s->cluster_size) {
+        error_setg(errp, "Invalid backing file offset");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.backing_file_offset) {
         ext_end = header.backing_file_offset;
     } else {
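Review bot: the check bounds only backing_file_offset, while the commit message says the backing file name itself must also lie in the first cluster; the name's length (header.backing_file_size) is not checked here, so `backing_file_offset + backing_file_size > s->cluster_size` can still pass. If the name length is validated elsewhere in qcow2_open, fine; otherwise extend the condition to cover offset plus size. Note also that the comparison is `>` rather than `>=`: an offset equal to cluster_size is accepted, which is only harmless if backing_file_size is then zero.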
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6512701..6d588dd 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -43,6 +43,8 @@ _supported_proto generic
 _supported_os Linux
 
 header_size=104
+
+offset_backing_file_offset=8
 offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
@@ -55,6 +57,16 @@ poke_file "$TEST_IMG" "$offset_header_size" "\xff\xff\xff\xff"
 poke_file "$TEST_IMG" "$offset_header_size" "\x7f\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Huge unknown header extension =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\xff\xff\xff\xff\xff\xff\xff\xff"
+poke_file "$TEST_IMG" "$offset_ext_magic" "\x12\x34\x56\x78"
+poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 41a166a..48c40aa 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -6,4 +6,11 @@ qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: qcow2 header exceeds cluster size
 no file open, try 'help open'
+
+== Huge unknown header extension ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Limit the in-memory reference count table size to 8 MB, it's enough in
practice. This fixes an unbounded allocation as well as a buffer
overflow in qcow2_refcount_init().

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 5dab2faddc8eaa1fb1abdbe2f502001fc13a1b21)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c     |  4 +++-
 block/qcow2.c              |  9 +++++++++
 tests/qemu-iotests/080     | 10 ++++++++++
 tests/qemu-iotests/080.out |  7 +++++++
 4 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 1ff43d0..8c57016 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -40,8 +40,10 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
 int qcow2_refcount_init(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
-    int ret, refcount_table_size2, i;
+    unsigned int refcount_table_size2, i;
+    int ret;
 
+    assert(s->refcount_table_size <= INT_MAX / sizeof(uint64_t));
     refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
     s->refcount_table = g_malloc(refcount_table_size2);
     if (s->refcount_table_size > 0) {
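Review bot: the assert() on `s->refcount_table_size <= INT_MAX / sizeof(uint64_t)` is only safe because qcow2_open now rejects refcount_table_clusters above 0x800000 >> cluster_bits before this function runs; a comment pointing at that check would make the dependency explicit, since an assert reachable from a crafted image would be a crash rather than a bounds check. INT_MAX needs <limits.h>, which is not visible in this hunk; confirm it is already pulled in by the existing includes.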
diff --git a/block/qcow2.c b/block/qcow2.c
index a6ad44e..8c8996d 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -579,10 +579,19 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     s->csize_shift = (62 - (s->cluster_bits - 8));
     s->csize_mask = (1 << (s->cluster_bits - 8)) - 1;
     s->cluster_offset_mask = (1LL << s->csize_shift) - 1;
+
     s->refcount_table_offset = header.refcount_table_offset;
     s->refcount_table_size =
         header.refcount_table_clusters << (s->cluster_bits - 3);
 
+    if (header.refcount_table_clusters > (0x800000 >> s->cluster_bits)) {
+        /* 8 MB refcount table is enough for 2 PB images at 64k cluster size
+         * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+        error_setg(errp, "Reference count table too large");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     s->snapshots_offset = header.snapshots_offset;
     s->nb_snapshots = header.nb_snapshots;
 
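Review bot: the new limit check sits after `s->refcount_table_size = header.refcount_table_clusters << (s->cluster_bits - 3)`, so the shift is performed on the unvalidated 32-bit value before it is rejected; the result is discarded on the goto fail path, but moving the check above the assignment avoids computing a possibly overflowed value at all. The arithmetic in the comment (8 MB table = 1M entries; 1M x 32k refcounts per 64k cluster x 64k = 2 PB) checks out.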
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6d588dd..6179e05 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_refcount_table_clusters=56
 offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
@@ -67,6 +68,15 @@ poke_file "$TEST_IMG" "$offset_ext_size" "\x7f\xff\xff\xff"
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x00\x00"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Huge refcount table size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x02\x00\x01"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
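Review bot: two consecutive blank lines are added before "# success, all done"; the earlier sections of this script separate cases with a single blank line. Both pokes (0xffffffff and 0x00020001 clusters) exceed the limit of 0x800000 >> cluster_bits for the 64k cluster size the code comment assumes, so a short comment stating that the second value is chosen to sit just past the boundary would document why two cases are needed.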
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 48c40aa..6fef6d9 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -13,4 +13,11 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid backing file offset
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Header extension too large
 no file open, try 'help open'
+
+== Huge refcount table size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The end of the refcount table must not exceed INT64_MAX so that integer
overflows are avoided.

Also check for misaligned refcount table. Such images are invalid and
probably the result of data corruption. Error out to avoid further
corruption.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8c7de28305a514d7f879fdfc677ca11fbf60d2e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 33 +++++++++++++++++++++++++++++++++
 tests/qemu-iotests/080     | 13 +++++++++++++
 tests/qemu-iotests/080.out | 10 ++++++++++
 3 files changed, 56 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 8c8996d..de86302 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -332,6 +332,32 @@ static int qcow2_check(BlockDriverState *bs, BdrvCheckResult *result,
     return ret;
 }
 
+static int validate_table_offset(BlockDriverState *bs, uint64_t offset,
+                                 uint64_t entries, size_t entry_len)
+{
+    BDRVQcowState *s = bs->opaque;
+    uint64_t size;
+
+    /* Use signed INT64_MAX as the maximum even for uint64_t header fields,
+     * because values will be passed to qemu functions taking int64_t. */
+    if (entries > INT64_MAX / entry_len) {
+        return -EINVAL;
+    }
+
+    size = entries * entry_len;
+
+    if (INT64_MAX - size < offset) {
+        return -EINVAL;
+    }
+
+    /* Tables must be cluster aligned */
+    if (offset & (s->cluster_size - 1)) {
+        return -EINVAL;
+    }
+
+    return 0;
+}
+
 static QemuOptsList qcow2_runtime_opts = {
     .name = "qcow2",
     .head = QTAILQ_HEAD_INITIALIZER(qcow2_runtime_opts.head),
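Review bot: validate_table_offset() returns -EINVAL for three distinct failures (entry count overflow, offset + size overflow, misalignment), so callers can only report a generic "Invalid ... offset"; passing an Error ** or returning distinct codes would make a corrupted image easier to diagnose. The checks themselves are sound: dividing INT64_MAX by entry_len before multiplying avoids the very overflow they guard against, and the alignment test relies on cluster_size being a power of two, which the cluster_bits range check in qcow2_open guarantees.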
@@ -592,6 +618,13 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
+    ret = validate_table_offset(bs, s->refcount_table_offset,
+                                s->refcount_table_size, sizeof(uint64_t));
+    if (ret < 0) {
+        error_setg(errp, "Invalid reference count table offset");
+        goto fail;
+    }
+
     s->snapshots_offset = header.snapshots_offset;
     s->nb_snapshots = header.nb_snapshots;
 
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 6179e05..f58ac73 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_refcount_table_offset=48
 offset_refcount_table_clusters=56
 offset_header_size=100
 offset_ext_magic=$header_size
@@ -76,6 +77,18 @@ poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\xff\xff\xff\xff"
 poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x02\x00\x01"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Misaligned refcount table =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_refcount_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xef"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Huge refcount offset =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_refcount_table_offset" "\xff\xff\xff\xff\xff\xff\x00\x00"
+poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x00\x00\x7f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
 # success, all done
 echo "*** done"
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 6fef6d9..f919b58 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -20,4 +20,14 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Reference count table too large
 no file open, try 'help open'
+
+== Misaligned refcount table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table offset
+no file open, try 'help open'
+
+== Huge refcount offset ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table offset
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This avoids unbounded memory allocation and fixes a potential buffer
overflow on 32 bit hosts.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit ce48f2f441ca98885267af6fd636a7cb804ee646)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-snapshot.c     | 29 ++++-------------------------
 block/qcow2.c              | 15 +++++++++++++++
 block/qcow2.h              | 29 ++++++++++++++++++++++++++++-
 tests/qemu-iotests/080     | 27 +++++++++++++++++++++++++++
 tests/qemu-iotests/080.out | 17 +++++++++++++++++
 5 files changed, 91 insertions(+), 26 deletions(-)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 3529c68..7548165 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -26,31 +26,6 @@
 #include "block/block_int.h"
 #include "block/qcow2.h"
 
-typedef struct QEMU_PACKED QCowSnapshotHeader {
-    /* header is 8 byte aligned */
-    uint64_t l1_table_offset;
-
-    uint32_t l1_size;
-    uint16_t id_str_size;
-    uint16_t name_size;
-
-    uint32_t date_sec;
-    uint32_t date_nsec;
-
-    uint64_t vm_clock_nsec;
-
-    uint32_t vm_state_size;
-    uint32_t extra_data_size; /* for extension */
-    /* extra data follows */
-    /* id_str follows */
-    /* name follows  */
-} QCowSnapshotHeader;
-
-typedef struct QEMU_PACKED QCowSnapshotExtraData {
-    uint64_t vm_state_size_large;
-    uint64_t disk_size;
-} QCowSnapshotExtraData;
-
 void qcow2_free_snapshots(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
@@ -357,6 +332,10 @@ int qcow2_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
     uint64_t *l1_table = NULL;
     int64_t l1_table_offset;
 
+    if (s->nb_snapshots >= QCOW_MAX_SNAPSHOTS) {
+        return -EFBIG;
+    }
+
     memset(sn, 0, sizeof(*sn));
 
     /* Generate an ID if it wasn't passed */
diff --git a/block/qcow2.c b/block/qcow2.c
index de86302..3b81c53 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -625,6 +625,21 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
+    /* Snapshot table offset/length */
+    if (header.nb_snapshots > QCOW_MAX_SNAPSHOTS) {
+        error_setg(errp, "Too many snapshots");
+        ret = -EINVAL;
+        goto fail;
+    }
+
+    ret = validate_table_offset(bs, header.snapshots_offset,
+                                header.nb_snapshots,
+                                sizeof(QCowSnapshotHeader));
+    if (ret < 0) {
+        error_setg(errp, "Invalid snapshot table offset");
+        goto fail;
+    }
+
     s->snapshots_offset = header.snapshots_offset;
     s->nb_snapshots = header.nb_snapshots;
 
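Review bot: validate_table_offset() is called with sizeof(QCowSnapshotHeader) as the entry length, but snapshot table entries are variable-length (extra data, id_str and name follow the fixed header, per the struct comments), so nb_snapshots * sizeof(QCowSnapshotHeader) is a lower bound on the table size, not the size itself. With nb_snapshots capped at QCOW_MAX_SNAPSHOTS and id_str_size/name_size being uint16_t fields the real table is still bounded, but a comment saying that only the fixed part is validated here would stop the check from being read as complete.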
diff --git a/block/qcow2.h b/block/qcow2.h
index 922e190..99fe092 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -38,6 +38,7 @@
 #define QCOW_CRYPT_AES  1
 
 #define QCOW_MAX_CRYPT_CLUSTERS 32
+#define QCOW_MAX_SNAPSHOTS 65536
 
 /* indicate that the refcount of the referenced cluster is exactly one. */
 #define QCOW_OFLAG_COPIED     (1ULL << 63)
@@ -97,6 +98,32 @@ typedef struct QCowHeader {
     uint32_t header_length;
 } QEMU_PACKED QCowHeader;
 
+typedef struct QEMU_PACKED QCowSnapshotHeader {
+    /* header is 8 byte aligned */
+    uint64_t l1_table_offset;
+
+    uint32_t l1_size;
+    uint16_t id_str_size;
+    uint16_t name_size;
+
+    uint32_t date_sec;
+    uint32_t date_nsec;
+
+    uint64_t vm_clock_nsec;
+
+    uint32_t vm_state_size;
+    uint32_t extra_data_size; /* for extension */
+    /* extra data follows */
+    /* id_str follows */
+    /* name follows  */
+} QCowSnapshotHeader;
+
+typedef struct QEMU_PACKED QCowSnapshotExtraData {
+    uint64_t vm_state_size_large;
+    uint64_t disk_size;
+} QCowSnapshotExtraData;
+
+
 typedef struct QCowSnapshot {
     uint64_t l1_table_offset;
     uint32_t l1_size;
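Review bot: two consecutive blank lines are left between QCowSnapshotExtraData and QCowSnapshot; the rest of this header uses one. Moving both structs into qcow2.h is needed because qcow2_open now uses sizeof(QCowSnapshotHeader), so the move itself is fine.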
@@ -202,7 +229,7 @@ typedef struct BDRVQcowState {
     AES_KEY aes_decrypt_key;
     uint64_t snapshots_offset;
     int snapshots_size;
-    int nb_snapshots;
+    unsigned int nb_snapshots;
     QCowSnapshot *snapshots;
 
     int flags;
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index f58ac73..8a8b460 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -47,6 +47,8 @@ header_size=104
 offset_backing_file_offset=8
 offset_refcount_table_offset=48
 offset_refcount_table_clusters=56
+offset_nb_snapshots=60
+offset_snapshots_offset=64
 offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
@@ -90,6 +92,31 @@ poke_file "$TEST_IMG" "$offset_refcount_table_offset" "\xff\xff\xff\xff\xff\xff\
 poke_file "$TEST_IMG" "$offset_refcount_table_clusters" "\x00\x00\x00\x7f"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid snapshot table =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_nb_snapshots" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_snapshots_offset" "\xff\xff\xff\xff\xff\xff\x00\x00"
+poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x00\x00\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_snapshots_offset" "\x12\x34\x56\x78\x90\xab\xcd\xef"
+poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Hitting snapshot table size limit =="
+_make_test_img 64M
+# Put the refcount table in a more or less safe place (16 MB)
+poke_file "$TEST_IMG" "$offset_snapshots_offset" "\x00\x00\x00\x00\x01\x00\x00\x00"
+poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x00\x01\x00\x00"
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
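Review bot: the comment `# Put the refcount table in a more or less safe place (16 MB)` in the "Hitting snapshot table size limit" case is misleading: the `poke_file` that follows writes `$offset_snapshots_offset`, not the refcount table offset, so it should read "Put the snapshot table ...". A second comment explaining that `nb_snapshots` = `\x00\x01\x00\x00` (65536) combined with `$QEMU_IMG snapshot -c test` is what pushes the table over the limit would also help the next reader.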
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index f919b58..b06f47f 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -30,4 +30,21 @@ no file open, try 'help open'
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 qemu-io: can't open device TEST_DIR/t.qcow2: Invalid reference count table offset
 no file open, try 'help open'
+
+== Invalid snapshot table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Too many snapshots
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Too many snapshots
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid snapshot table offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid snapshot table offset
+no file open, try 'help open'
+
+== Hitting snapshot table size limit ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-img: Could not create snapshot 'test': -27 (File too large)
+read 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 *** done
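Review bot: the fourth expected line in the "Invalid snapshot table" block (`Invalid snapshot table offset` for the poke with `nb_snapshots` = 0 and the unaligned `\x12\x34\x56\x78\x90\xab\xcd\xef` offset) documents that the offset is validated for alignment even when the table is empty; that is intentional but non-obvious, so a one-line comment above that poke in test 080 would make the reference output self-explanatory.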
-- 
1.9.1


* [Qemu-devel] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144)
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2d51c32c4b511db8bb9e58208f1e2c25e4c06c85)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 16 ++++++++++++++++
 tests/qemu-iotests/080     | 18 ++++++++++++++++++
 tests/qemu-iotests/080.out | 11 +++++++++++
 3 files changed, 45 insertions(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 3b81c53..f1f8c9c 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -644,6 +644,13 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     s->nb_snapshots = header.nb_snapshots;
 
     /* read the level 1 table */
+    if (header.l1_size > 0x2000000) {
+        /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+         * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+        error_setg(errp, "Active L1 table too large");
+        ret = -EFBIG;
+        goto fail;
+    }
     s->l1_size = header.l1_size;
 
     l1_vm_state_index = size_to_l1(s, header.size);
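Review bot: the new limit `header.l1_size > 0x2000000` does not match its own comment. `l1_size` counts 8-byte L1 entries, so 0x2000000 entries is a 256 MB table, whereas the figures in the comment (2 PB at 64k clusters, 128 GB at 512-byte clusters, 2 EB at 2 MB clusters) all correspond to a 32 MB table of 2^22 entries. Either compare against `0x2000000 / sizeof(uint64_t)` or rewrite the comment; the allocation at `g_malloc0(align_offset(s->l1_size * sizeof(uint64_t), 512))` further down is bounded either way, but the bound should be the one the comment promises.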
@@ -661,7 +668,16 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         ret = -EINVAL;
         goto fail;
     }
+
+    ret = validate_table_offset(bs, header.l1_table_offset,
+                                header.l1_size, sizeof(uint64_t));
+    if (ret < 0) {
+        error_setg(errp, "Invalid L1 table offset");
+        goto fail;
+    }
     s->l1_table_offset = header.l1_table_offset;
+
+
     if (s->l1_size > 0) {
         s->l1_table = g_malloc0(
             align_offset(s->l1_size * sizeof(uint64_t), 512));
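Review bot: two blank lines are added after `s->l1_table_offset = header.l1_table_offset;`; drop one. Ordering is otherwise right: the `l1_size` limit above runs before `validate_table_offset(bs, header.l1_table_offset, header.l1_size, sizeof(uint64_t))`, so the size multiplication inside the helper only ever sees a bounded entry count.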
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 8a8b460..7255b6c 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,8 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_l1_size=36
+offset_l1_table_offset=40
 offset_refcount_table_offset=48
 offset_refcount_table_clusters=56
 offset_nb_snapshots=60
@@ -117,6 +119,22 @@ poke_file "$TEST_IMG" "$offset_nb_snapshots" "\x00\x01\x00\x00"
 { $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid L1 table =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l1_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l1_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x7f\xff\xff\xff\xff\xff\x00\x00"
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xef"
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
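Review bot: the "Invalid L1 table" block exercises two different checks without saying so: the `\x7f\xff\xff\xff\xff\xff\x00\x00` offset is cluster-aligned and relies on the range check in `validate_table_offset()`, while `\x12\x34\x56\x78\x90\xab\xcd\xef` with `l1_size` = 1 relies on the alignment check. A comment naming which check each poke targets would make a failing case easier to diagnose from the diff against 080.out.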
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index b06f47f..4ec2545 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -47,4 +47,15 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
 qemu-img: Could not create snapshot 'test': -27 (File too large)
 read 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== Invalid L1 table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Active L1 table too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Active L1 table too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 093/156] qcow2: Fix backing file name length check
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

len could become negative and would pass the check then. Nothing bad
happened because bdrv_pread() happens to return an error for negative
length values, but make variables for sizes unsigned anyway.

This patch also changes the behaviour to error out on invalid lengths
instead of silently truncating it to 1023.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6d33e8e7dc9d40ea105feed4b39caa3e641569e8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 9 ++++++---
 tests/qemu-iotests/080     | 8 ++++++++
 tests/qemu-iotests/080.out | 5 +++++
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index f1f8c9c..3e620f2 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -448,7 +448,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
                       Error **errp)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i, ret = 0;
+    unsigned int len, i;
+    int ret = 0;
     QCowHeader header;
     QemuOpts *opts;
     Error *local_err = NULL;
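Review bot: `i` becomes `unsigned int` together with `len`; the loops in `qcow2_open()` that use `i` against signed counters such as `s->l1_size` should be checked for signed/unsigned comparison warnings, since only `len` needed the change for the backing-file check.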
@@ -723,8 +724,10 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     /* read the backing file name */
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
-        if (len > 1023) {
-            len = 1023;
+        if (len > MIN(1023, s->cluster_size - header.backing_file_offset)) {
+            error_setg(errp, "Backing file name too long");
+            ret = -EINVAL;
+            goto fail;
         }
         ret = bdrv_pread(bs->file, header.backing_file_offset,
                          bs->backing_file, len);
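Review bot: in `len > MIN(1023, s->cluster_size - header.backing_file_offset)` the subtraction is performed in unsigned 64-bit arithmetic because `header.backing_file_offset` is a `uint64_t`; if the offset exceeds `s->cluster_size` the result wraps to a huge value and `MIN()` degrades to the old 1023 bound. The check therefore depends on `backing_file_offset` being rejected earlier in `qcow2_open()` when it lies outside the first cluster, or on `bdrv_pread()` failing. Either add an explicit `header.backing_file_offset > s->cluster_size` rejection next to this one or add a comment pointing at where that is enforced.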
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 7255b6c..f3091a9 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -45,6 +45,7 @@ _supported_os Linux
 header_size=104
 
 offset_backing_file_offset=8
+offset_backing_file_size=16
 offset_l1_size=36
 offset_l1_table_offset=40
 offset_refcount_table_offset=48
@@ -135,6 +136,13 @@ poke_file "$TEST_IMG" "$offset_l1_table_offset" "\x12\x34\x56\x78\x90\xab\xcd\xe
 poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid backing file size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x10\x00"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
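Review bot: the new "Invalid backing file size" case only pokes `backing_file_size` = 0xffffffff at offset 0x1000, which trips the 1023 bound. Two more pokes would cover the other half of the `MIN()` expression: a `backing_file_offset` beyond the first cluster, and a size of exactly `cluster_size - offset + 1` so that the "remaining space in the cluster" limit, not 1023, is what rejects the name.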
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4ec2545..8103211 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -58,4 +58,9 @@ qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
 no file open, try 'help open'
+
+== Invalid backing file size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
+no file open, try 'help open'
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at()
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hu Tao <hutao@cn.fujitsu.com>

When cluster size is big enough it can lead to an offset overflow
in qcow2_alloc_clusters_at(). This patch fixes it.

The allocation is stopped each time at L2 table boundary
(see handle_alloc()), so the possible maximum bytes could be

  2^(cluster_bits - 3 + cluster_bits)

cluster_bits - 3 is used to compute the number of entries per L2
and the additional cluster_bits is to take into account each
cluster referenced by the L2 entries.

So int is safe for cluster_bits <= 17, unsafe otherwise.

Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 33304ec9fa484e765c6249673e09e1b7d49c5b85)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 8c57016..6c212c9 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -678,7 +678,13 @@ int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
     BDRVQcowState *s = bs->opaque;
     uint64_t cluster_index;
     uint64_t old_free_cluster_index;
-    int i, refcount, ret;
+    uint64_t i;
+    int refcount, ret;
+
+    assert(nb_clusters >= 0);
+    if (nb_clusters == 0) {
+        return 0;
+    }
 
     /* Check how many clusters there are free */
     cluster_index = offset >> s->cluster_bits;
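Review bot: widening `i` to `uint64_t` fixes the overflow described in the commit message only where `i` is later shifted by `s->cluster_bits`; the `nb_clusters` parameter that bounds it stays a signed `int`, as the new `assert(nb_clusters >= 0)` confirms. Making the parameter unsigned would remove the need for the assert, and the `nb_clusters == 0` early return deserves a one-line comment saying it avoids a zero-length `update_refcount()` call.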
-- 
1.9.1


* [Qemu-devel] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Strictly speaking, this is only required for has_zero_init() == false,
but it's easy enough to just do a cluster-aligned write that is padded
with zeros after the header.

This fixes that after 'qemu-img create' header extensions are attempted
to be parsed that are really just random leftover data.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f8413b3c23b08a547ce18609acc6fae5fd04ed5c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 3e620f2..3daf019 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1586,7 +1586,7 @@ static int qcow2_create2(const char *filename, int64_t total_size,
      * size for any qcow2 image.
      */
     BlockDriverState* bs;
-    QCowHeader header;
+    QCowHeader *header;
     uint8_t* refcount_table;
     Error *local_err = NULL;
     int ret;
@@ -1604,30 +1604,34 @@ static int qcow2_create2(const char *filename, int64_t total_size,
     }
 
     /* Write the header */
-    memset(&header, 0, sizeof(header));
-    header.magic = cpu_to_be32(QCOW_MAGIC);
-    header.version = cpu_to_be32(version);
-    header.cluster_bits = cpu_to_be32(cluster_bits);
-    header.size = cpu_to_be64(0);
-    header.l1_table_offset = cpu_to_be64(0);
-    header.l1_size = cpu_to_be32(0);
-    header.refcount_table_offset = cpu_to_be64(cluster_size);
-    header.refcount_table_clusters = cpu_to_be32(1);
-    header.refcount_order = cpu_to_be32(3 + REFCOUNT_SHIFT);
-    header.header_length = cpu_to_be32(sizeof(header));
+    QEMU_BUILD_BUG_ON((1 << MIN_CLUSTER_BITS) < sizeof(*header));
+    header = g_malloc0(cluster_size);
+    *header = (QCowHeader) {
+        .magic                      = cpu_to_be32(QCOW_MAGIC),
+        .version                    = cpu_to_be32(version),
+        .cluster_bits               = cpu_to_be32(cluster_bits),
+        .size                       = cpu_to_be64(0),
+        .l1_table_offset            = cpu_to_be64(0),
+        .l1_size                    = cpu_to_be32(0),
+        .refcount_table_offset      = cpu_to_be64(cluster_size),
+        .refcount_table_clusters    = cpu_to_be32(1),
+        .refcount_order             = cpu_to_be32(3 + REFCOUNT_SHIFT),
+        .header_length              = cpu_to_be32(sizeof(*header)),
+    };
 
     if (flags & BLOCK_FLAG_ENCRYPT) {
-        header.crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
+        header->crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
     } else {
-        header.crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
+        header->crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
     }
 
     if (flags & BLOCK_FLAG_LAZY_REFCOUNTS) {
-        header.compatible_features |=
+        header->compatible_features |=
             cpu_to_be64(QCOW2_COMPAT_LAZY_REFCOUNTS);
     }
 
-    ret = bdrv_pwrite(bs, 0, &header, sizeof(header));
+    ret = bdrv_pwrite(bs, 0, header, cluster_size);
+    g_free(header);
     if (ret < 0) {
         error_setg_errno(errp, -ret, "Could not write qcow2 header");
         goto out;
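Review bot: the reason this works deserves a comment next to `header = g_malloc0(cluster_size);`: `header_length` is still `sizeof(*header)`, but the write now covers the whole cluster, and the zeroed bytes after the header are read back as a header extension of type 0, which is the end-of-extensions marker, so no leftover data is parsed. The `QEMU_BUILD_BUG_ON((1 << MIN_CLUSTER_BITS) < sizeof(*header))` only guarantees the fit for the smallest cluster, so it relies on `cluster_bits` having been validated against `MIN_CLUSTER_BITS` before this function runs. Freeing `header` right after `bdrv_pwrite()` and before checking `ret` is fine since nothing on the `out:` path needs it.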
-- 
1.9.1


* [Qemu-devel] [PATCH 096/156] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

free_cluster_index is only correct if update_refcount() was called from
an allocation function, and even there it's brittle because it's used to
protect unfinished allocations which still have a refcount of 0 - if it
moves in the wrong place, the unfinished allocation can be corrupted.

So not using it any more seems to be a good idea. Instead, use the
first requested cluster to do the calculations. Return -EAGAIN if
unfinished allocations could become invalid and let the caller restart
its search for some free clusters.

The context of creating a snapshot is one situation where
update_refcount() is called outside of a cluster allocation. For this
case, the change fixes a buffer overflow if a cluster is referenced in
an L2 table that cannot be represented by an existing refcount block.
(new_table[refcount_table_index] was out of bounds)

[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
11.
--Stefan]

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c     | 72 ++++++++++++++++++++++++----------------------
 block/qcow2.c              | 11 +++----
 tests/qemu-iotests/026.out |  6 ++--
 tests/qemu-iotests/044.out |  2 +-
 tests/qemu-iotests/080     | 11 +++++++
 tests/qemu-iotests/080.out |  7 +++++
 6 files changed, 65 insertions(+), 44 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 6c212c9..22dfb2d 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -193,10 +193,11 @@ static int alloc_refcount_block(BlockDriverState *bs,
      *   they can describe them themselves.
      *
      * - We need to consider that at this point we are inside update_refcounts
-     *   and doing the initial refcount increase. This means that some clusters
-     *   have already been allocated by the caller, but their refcount isn't
-     *   accurate yet. free_cluster_index tells us where this allocation ends
-     *   as long as we don't overwrite it by freeing clusters.
+     *   and potentially doing an initial refcount increase. This means that
+     *   some clusters have already been allocated by the caller, but their
+     *   refcount isn't accurate yet. If we allocate clusters for metadata, we
+     *   need to return -EAGAIN to signal the caller that it needs to restart
+     *   the search for free clusters.
      *
      * - alloc_clusters_noref and qcow2_free_clusters may load a different
      *   refcount block into the cache
@@ -281,7 +282,10 @@ static int alloc_refcount_block(BlockDriverState *bs,
         }
 
         s->refcount_table[refcount_table_index] = new_block;
-        return 0;
+
+        /* The new refcount block may be where the caller intended to put its
+         * data, so let it restart the search. */
+        return -EAGAIN;
     }
 
     ret = qcow2_cache_put(bs, s->refcount_block_cache, (void**) refcount_block);
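Review bot: returning `-EAGAIN` after `s->refcount_table[refcount_table_index] = new_block;` changes the contract of `update_refcount()` for every caller, not just the two allocators converted below. Any path that calls `update_refcount()` outside of a cluster allocation (the snapshot case the commit message names) will now see `-EAGAIN` as an ordinary error unless it is taught to retry, so each such caller should be listed and either converted or given a translation of the error.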
@@ -304,8 +308,7 @@ static int alloc_refcount_block(BlockDriverState *bs,
 
     /* Calculate the number of refcount blocks needed so far */
     uint64_t refcount_block_clusters = 1 << (s->cluster_bits - REFCOUNT_SHIFT);
-    uint64_t blocks_used = (s->free_cluster_index +
-        refcount_block_clusters - 1) / refcount_block_clusters;
+    uint64_t blocks_used = DIV_ROUND_UP(cluster_index, refcount_block_clusters);
 
     /* And now we need at least one block more for the new metadata */
     uint64_t table_size = next_refcount_table_size(s, blocks_used + 1);
@@ -338,8 +341,6 @@ static int alloc_refcount_block(BlockDriverState *bs,
     uint16_t *new_blocks = g_malloc0(blocks_clusters * s->cluster_size);
     uint64_t *new_table = g_malloc0(table_size * sizeof(uint64_t));
 
-    assert(meta_offset >= (s->free_cluster_index * s->cluster_size));
-
     /* Fill the new refcount table */
     memcpy(new_table, s->refcount_table,
         s->refcount_table_size * sizeof(uint64_t));
@@ -402,18 +403,19 @@ static int alloc_refcount_block(BlockDriverState *bs,
     s->refcount_table_size = table_size;
     s->refcount_table_offset = table_offset;
 
-    /* Free old table. Remember, we must not change free_cluster_index */
-    uint64_t old_free_cluster_index = s->free_cluster_index;
+    /* Free old table. */
     qcow2_free_clusters(bs, old_table_offset, old_table_size * sizeof(uint64_t),
                         QCOW2_DISCARD_OTHER);
-    s->free_cluster_index = old_free_cluster_index;
 
     ret = load_refcount_block(bs, new_block, (void**) refcount_block);
     if (ret < 0) {
         return ret;
     }
 
-    return 0;
+    /* If we were trying to do the initial refcount update for some cluster
+     * allocation, we might have used the same clusters to store newly
+     * allocated metadata. Make the caller search some new space. */
+    return -EAGAIN;
 
 fail_table:
     g_free(new_table);
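Review bot: the comment `/* Free old table. */` lost the explanation that came with the removed `free_cluster_index` save/restore. It should now say why `qcow2_free_clusters()` on the old table cannot itself end up in `alloc_refcount_block()` (the old table's clusters were allocated earlier, so their refcount blocks already exist); otherwise a reader will wonder whether a nested `-EAGAIN` can be raised and lost from inside this function before it returns `-EAGAIN` itself.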
@@ -659,12 +661,15 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
     int ret;
 
     BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC);
-    offset = alloc_clusters_noref(bs, size);
-    if (offset < 0) {
-        return offset;
-    }
+    do {
+        offset = alloc_clusters_noref(bs, size);
+        if (offset < 0) {
+            return offset;
+        }
+
+        ret = update_refcount(bs, offset, size, 1, QCOW2_DISCARD_NEVER);
+    } while (ret == -EAGAIN);
 
-    ret = update_refcount(bs, offset, size, 1, QCOW2_DISCARD_NEVER);
     if (ret < 0) {
         return ret;
     }
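Review bot: the new `do { ... } while (ret == -EAGAIN);` loop has no iteration bound. It terminates only because every `-EAGAIN` from `update_refcount()` is preceded by a successful allocation of a new refcount block or table, so the next `alloc_clusters_noref()` call sees new state; a comment stating that invariant above the loop would make the absence of a retry limit obviously deliberate.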
@@ -677,7 +682,6 @@ int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
 {
     BDRVQcowState *s = bs->opaque;
     uint64_t cluster_index;
-    uint64_t old_free_cluster_index;
     uint64_t i;
     int refcount, ret;
 
@@ -686,30 +690,28 @@ int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
         return 0;
     }
 
-    /* Check how many clusters there are free */
-    cluster_index = offset >> s->cluster_bits;
-    for(i = 0; i < nb_clusters; i++) {
-        refcount = get_refcount(bs, cluster_index++);
+    do {
+        /* Check how many clusters there are free */
+        cluster_index = offset >> s->cluster_bits;
+        for(i = 0; i < nb_clusters; i++) {
+            refcount = get_refcount(bs, cluster_index++);
 
-        if (refcount < 0) {
-            return refcount;
-        } else if (refcount != 0) {
-            break;
+            if (refcount < 0) {
+                return refcount;
+            } else if (refcount != 0) {
+                break;
+            }
         }
-    }
 
-    /* And then allocate them */
-    old_free_cluster_index = s->free_cluster_index;
-    s->free_cluster_index = cluster_index + i;
+        /* And then allocate them */
+        ret = update_refcount(bs, offset, i << s->cluster_bits, 1,
+                              QCOW2_DISCARD_NEVER);
+    } while (ret == -EAGAIN);
 
-    ret = update_refcount(bs, offset, i << s->cluster_bits, 1,
-                          QCOW2_DISCARD_NEVER);
     if (ret < 0) {
         return ret;
     }
 
-    s->free_cluster_index = old_free_cluster_index;
-
     return i;
 }
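Review bot: `return i;` converts the now-`uint64_t` `i` to the function's `int` return type; that is safe only because `i` never exceeds the `int` parameter `nb_clusters`, which merits a comment or an explicit cast. Also, when the very first cluster already has a non-zero refcount the inner `for` loop breaks with `i == 0` and `update_refcount()` is still called with a zero-byte range before 0 is returned; an early return when `i == 0` would avoid the call.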
 
diff --git a/block/qcow2.c b/block/qcow2.c
index 3daf019..45f3f8a 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1587,7 +1587,7 @@ static int qcow2_create2(const char *filename, int64_t total_size,
      */
     BlockDriverState* bs;
     QCowHeader *header;
-    uint8_t* refcount_table;
+    uint64_t* refcount_table;
     Error *local_err = NULL;
     int ret;
 
@@ -1637,9 +1637,10 @@ static int qcow2_create2(const char *filename, int64_t total_size,
         goto out;
     }
 
-    /* Write an empty refcount table */
-    refcount_table = g_malloc0(cluster_size);
-    ret = bdrv_pwrite(bs, cluster_size, refcount_table, cluster_size);
+    /* Write a refcount table with one refcount block */
+    refcount_table = g_malloc0(2 * cluster_size);
+    refcount_table[0] = cpu_to_be64(2 * cluster_size);
+    ret = bdrv_pwrite(bs, cluster_size, refcount_table, 2 * cluster_size);
     g_free(refcount_table);
 
     if (ret < 0) {
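Review bot: `refcount_table[0] = cpu_to_be64(2 * cluster_size);` points the first table entry at the refcount block that is written as the second, still zeroed, cluster of the same `2 * cluster_size` buffer. That leaves clusters 0 to 2 with an on-disk refcount of 0 until the `qcow2_alloc_clusters(bs, 3 * cluster_size)` call in the next hunk, which is why that argument changed from 2 to 3; a comment tying the two places together would prevent the next person from "fixing" one without the other.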
@@ -1663,7 +1664,7 @@ static int qcow2_create2(const char *filename, int64_t total_size,
         goto out;
     }
 
-    ret = qcow2_alloc_clusters(bs, 2 * cluster_size);
+    ret = qcow2_alloc_clusters(bs, 3 * cluster_size);
     if (ret < 0) {
         error_setg_errno(errp, -ret, "Could not allocate clusters for qcow2 "
                          "header and refcount table");
diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
index 1504579..f7c78e7 100644
--- a/tests/qemu-iotests/026.out
+++ b/tests/qemu-iotests/026.out
@@ -475,7 +475,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write 
 write failed: No space left on device
 
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
 This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
@@ -499,7 +499,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write 
 write failed: No space left on device
 
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
 This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
@@ -523,7 +523,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
 Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write 
 write failed: No space left on device
 
-10 leaked clusters were found on the image.
+11 leaked clusters were found on the image.
 This means waste of disk space, but no harm to data.
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824 
 
diff --git a/tests/qemu-iotests/044.out b/tests/qemu-iotests/044.out
index 5c5aa92..4789a53 100644
--- a/tests/qemu-iotests/044.out
+++ b/tests/qemu-iotests/044.out
@@ -1,6 +1,6 @@
 No errors were found on the image.
 7292415/33554432 = 21.73% allocated, 0.00% fragmented, 0.00% compressed clusters
-Image end offset: 4296448000
+Image end offset: 4296152064
 .
 ----------------------------------------------------------------------
 Ran 1 tests
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index f3091a9..56f8903 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -56,6 +56,8 @@ offset_header_size=100
 offset_ext_magic=$header_size
 offset_ext_size=$((header_size + 4))
 
+offset_l2_table_0=$((0x40000))
+
 echo
 echo "== Huge header size =="
 _make_test_img 64M
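Review bot: `offset_l2_table_0=$((0x40000))` hard-codes the layout of a freshly created 64M image with 64k clusters (header, refcount table, refcount block, L1 table, then the first L2 table in cluster 4). The value is correct for the image `_make_test_img 64M` produces after the create-path change in this series, but a comment spelling out that assumption would help when the default cluster size or the create layout changes again.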
@@ -143,6 +145,15 @@ poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x1
 poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid L2 entry (huge physical offset) =="
+_make_test_img 64M
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_table_0" "\xbf\xff\xff\xff\xff\xff\x00\x00"
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_table_0" "\x80\x00\x00\xff\xff\xff\x00\x00"
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 8103211..303d6c3 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -63,4 +63,11 @@ no file open, try 'help open'
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
 no file open, try 'help open'
+
+== Invalid L2 entry (huge physical offset) ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-img: Could not create snapshot 'test': -27 (File too large)
+qemu-img: Could not create snapshot 'test': -11 (Resource temporarily unavailable)
 *** done
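Review bot: the reference line `qemu-img: Could not create snapshot 'test': -11 (Resource temporarily unavailable)` locks in the `-EAGAIN` introduced in `alloc_refcount_block()` leaking through the snapshot path straight to the user. That is a confusing message for a corrupted L2 entry; the snapshot code should either retry the way the two allocators now do or translate `-EAGAIN` into a proper error before this output becomes the expected result.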
-- 
1.9.1


* [Qemu-devel] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
@ 2014-07-08 17:18 ` Michael Roth
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This ensures that the checks catch all invalid cluster indexes
instead of returning the refcount of a wrong cluster.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit db8a31d11d6a60f48d6817530640d75aa72a9a2f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 22dfb2d..57c1fba 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -89,7 +89,7 @@ static int load_refcount_block(BlockDriverState *bs,
 static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
 {
     BDRVQcowState *s = bs->opaque;
-    int refcount_table_index, block_index;
+    uint64_t refcount_table_index, block_index;
     int64_t refcount_block_offset;
     int ret;
     uint16_t *refcount_block;
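Review bot: widening refcount_table_index and block_index to uint64_t closes the truncation, but cluster_index stays int64_t in the signature two lines above, so a negative cluster_index now shifts into a huge unsigned value and is rejected by the later >= refcount_table_size comparison rather than by an explicit sign check. That is the intended effect, but it deserves a one-line comment above the declarations, since a reader will otherwise wonder why a signed index is deliberately stored in unsigned locals.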
-- 
1.9.1


* [Qemu-devel] [PATCH 098/156] qcow2: Check new refcount table size on growth
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (96 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Michael Roth
                   ` (58 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

If the size becomes larger than what qcow2_open() would accept, fail the
growing operation.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2b5d5953eec0cc541857c3df812bdf8421596ab2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c | 4 ++++
 block/qcow2.c          | 4 +---
 block/qcow2.h          | 9 +++++++++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 57c1fba..29e25a7 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -310,6 +310,10 @@ static int alloc_refcount_block(BlockDriverState *bs,
     uint64_t refcount_block_clusters = 1 << (s->cluster_bits - REFCOUNT_SHIFT);
     uint64_t blocks_used = DIV_ROUND_UP(cluster_index, refcount_block_clusters);
 
+    if (blocks_used > QCOW_MAX_REFTABLE_SIZE / sizeof(uint64_t)) {
+        return -EFBIG;
+    }
+
     /* And now we need at least one block more for the new metadata */
     uint64_t table_size = next_refcount_table_size(s, blocks_used + 1);
     uint64_t last_table_size;
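Review bot: the new bound is applied to blocks_used, but the line after the check sizes the table for blocks_used + 1 (the extra block for the new metadata), so the boundary case blocks_used == QCOW_MAX_REFTABLE_SIZE / sizeof(uint64_t) passes and then asks for one entry beyond the maximum, and next_refcount_table_size() may round further up. Either use >= here, or compare table_size against the limit once next_refcount_table_size() has returned.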
diff --git a/block/qcow2.c b/block/qcow2.c
index 45f3f8a..447308e 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -611,9 +611,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     s->refcount_table_size =
         header.refcount_table_clusters << (s->cluster_bits - 3);
 
-    if (header.refcount_table_clusters > (0x800000 >> s->cluster_bits)) {
-        /* 8 MB refcount table is enough for 2 PB images at 64k cluster size
-         * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+    if (header.refcount_table_clusters > qcow2_max_refcount_clusters(s)) {
         error_setg(errp, "Reference count table too large");
         ret = -EINVAL;
         goto fail;
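Review bot: s->refcount_table_size is computed from header.refcount_table_clusters two lines before the value is validated, so the shift by (cluster_bits - 3) on the untrusted uint32_t can wrap before qcow2_max_refcount_clusters() rejects it. Harmless because the function fails immediately, but moving the comparison ahead of the assignment reads as validate-then-use and avoids leaving a wrapped size in s on the failure path.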
diff --git a/block/qcow2.h b/block/qcow2.h
index 99fe092..e1b4c4b 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -40,6 +40,10 @@
 #define QCOW_MAX_CRYPT_CLUSTERS 32
 #define QCOW_MAX_SNAPSHOTS 65536
 
+/* 8 MB refcount table is enough for 2 PB images at 64k cluster size
+ * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+#define QCOW_MAX_REFTABLE_SIZE 0x800000
+
 /* indicate that the refcount of the referenced cluster is exactly one. */
 #define QCOW_OFLAG_COPIED     (1ULL << 63)
 /* indicate that the cluster is compressed (they never have the copied flag) */
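Review bot: QCOW_MAX_REFTABLE_SIZE is consumed in two different units within this patch (divided by sizeof(uint64_t) for an entry count in alloc_refcount_block(), shifted by cluster_bits for a cluster count in qcow2_max_refcount_clusters()); the comment should say explicitly that the constant itself is a byte count so a future caller does not compare it against an entry or cluster count directly.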
@@ -410,6 +414,11 @@ static inline int64_t qcow2_vm_state_offset(BDRVQcowState *s)
     return (int64_t)s->l1_vm_state_index << (s->cluster_bits + s->l2_bits);
 }
 
+static inline uint64_t qcow2_max_refcount_clusters(BDRVQcowState *s)
+{
+    return QCOW_MAX_REFTABLE_SIZE >> s->cluster_bits;
+}
+
 static inline int qcow2_get_cluster_type(uint64_t l2_entry)
 {
     if (l2_entry & QCOW_OFLAG_COMPRESSED) {
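Review bot: the helper returns uint64_t but the expression QCOW_MAX_REFTABLE_SIZE >> s->cluster_bits is evaluated in int, because 0x800000 is an int literal; for the cluster_bits range qcow2 accepts that is fine, but writing the constant as 0x800000ULL (or casting before the shift) keeps the helper correct if the limit is ever raised.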
-- 
1.9.1


* [Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (97 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 098/156] qcow2: Check new refcount table size on growth Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check Michael Roth
                   ` (57 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

In order to avoid integer overflows.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit bb572aefbdac290363bfa5ca0e810ccce0a14ed6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c | 11 ++++++-----
 block/qcow2.h          |  6 +++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 29e25a7..8a968d1 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -28,7 +28,7 @@
 #include "qemu/range.h"
 #include "qapi/qmp/types.h"
 
-static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size);
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size);
 static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
                             int64_t offset, int64_t length,
                             int addend, enum qcow2_discard_type type);
@@ -634,15 +634,16 @@ int qcow2_update_cluster_refcount(BlockDriverState *bs,
 
 
 /* return < 0 if error */
-static int64_t alloc_clusters_noref(BlockDriverState *bs, int64_t size)
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size)
 {
     BDRVQcowState *s = bs->opaque;
-    int i, nb_clusters, refcount;
+    uint64_t i, nb_clusters;
+    int refcount;
 
     nb_clusters = size_to_clusters(s, size);
 retry:
     for(i = 0; i < nb_clusters; i++) {
-        int64_t next_cluster_index = s->free_cluster_index++;
+        uint64_t next_cluster_index = s->free_cluster_index++;
         refcount = get_refcount(bs, next_cluster_index);
 
         if (refcount < 0) {
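Review bot: next_cluster_index is now uint64_t, but get_refcount() (see its signature in PATCH 097 of this series) still takes int64_t, so the call on the line after the declaration converts back to signed and a free_cluster_index at or above 2^63 would be seen as negative there. Since nb_clusters is no longer bounded by the int type either, an explicit check that s->free_cluster_index + nb_clusters does not exceed the refcount table's reach before the retry loop would make the intent clear instead of relying on get_refcount() to fail one cluster at a time.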
@@ -659,7 +660,7 @@ retry:
     return (s->free_cluster_index - nb_clusters) << s->cluster_bits;
 }
 
-int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
+int64_t qcow2_alloc_clusters(BlockDriverState *bs, uint64_t size)
 {
     int64_t offset;
     int ret;
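Review bot: (s->free_cluster_index - nb_clusters) << s->cluster_bits is now computed entirely in uint64_t and then returned through an int64_t; a value with bit 63 set would be read by callers as a negative errno. Together with the uint64_t size parameter (a negative int64_t passed by a careless caller now becomes an enormous request rather than failing early), this argues for a range check on the result before the return.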
diff --git a/block/qcow2.h b/block/qcow2.h
index e1b4c4b..a20d91f 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -222,8 +222,8 @@ typedef struct BDRVQcowState {
     uint64_t *refcount_table;
     uint64_t refcount_table_offset;
     uint32_t refcount_table_size;
-    int64_t free_cluster_index;
-    int64_t free_byte_offset;
+    uint64_t free_cluster_index;
+    uint64_t free_byte_offset;
 
     CoMutex lock;
 
@@ -467,7 +467,7 @@ void qcow2_refcount_close(BlockDriverState *bs);
 int qcow2_update_cluster_refcount(BlockDriverState *bs, int64_t cluster_index,
                                   int addend, enum qcow2_discard_type type);
 
-int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size);
+int64_t qcow2_alloc_clusters(BlockDriverState *bs, uint64_t size);
 int qcow2_alloc_clusters_at(BlockDriverState *bs, uint64_t offset,
     int nb_clusters);
 int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size);
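Review bot: qcow2_alloc_clusters() is widened to a uint64_t size, but the neighbouring prototypes keep int for qcow2_alloc_clusters_at()'s nb_clusters and qcow2_alloc_bytes()'s size, and the same class of overflow applies there; widen them in this patch or note why they are safe. The struct change in the hunk above also turns free_cluster_index and free_byte_offset unsigned, so any `< 0` test on them elsewhere is now dead code; the commit message should list the call sites that were audited, qcow2_alloc_bytes() being the obvious one.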
-- 
1.9.1


* [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (98 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143) Michael Roth
                   ` (56 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 0abe740f1de899737242bcba1fb4a9857f7a3087)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-refcount.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 8a968d1..99bb9b0 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -1019,8 +1019,7 @@ static void inc_refcounts(BlockDriverState *bs,
                           int64_t offset, int64_t size)
 {
     BDRVQcowState *s = bs->opaque;
-    int64_t start, last, cluster_offset;
-    int k;
+    uint64_t start, last, cluster_offset, k;
 
     if (size <= 0)
         return;
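Review bot: start, last, cluster_offset and k become uint64_t while offset and size stay int64_t in the parameter list, and only size <= 0 is rejected; a negative offset, which corrupt metadata can supply, therefore wraps to a huge unsigned start. Add `offset < 0` to the early return and count it as a corruption, because the sign check that used to catch it (the k < 0 branch) is removed in the next hunk.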
@@ -1030,11 +1029,7 @@ static void inc_refcounts(BlockDriverState *bs,
     for(cluster_offset = start; cluster_offset <= last;
         cluster_offset += s->cluster_size) {
         k = cluster_offset >> s->cluster_bits;
-        if (k < 0) {
-            fprintf(stderr, "ERROR: invalid cluster offset=0x%" PRIx64 "\n",
-                cluster_offset);
-            res->corruptions++;
-        } else if (k >= refcount_table_size) {
+        if (k >= refcount_table_size) {
             fprintf(stderr, "Warning: cluster offset=0x%" PRIx64 " is after "
                 "the end of the image file, can't properly check refcounts.\n",
                 cluster_offset);
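Review bot: dropping the k < 0 branch changes how a negative cluster offset is classified, from a corruption (res->corruptions++) to the "after the end of the image file" warning, since the wrapped unsigned k now lands in the k >= refcount_table_size case. If negative offsets are meant to stay corruptions, reject them on offset before the loop; if the downgrade is intended, the commit message should say so.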
@@ -1475,14 +1470,19 @@ int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res,
                           BdrvCheckMode fix)
 {
     BDRVQcowState *s = bs->opaque;
-    int64_t size, i, highest_cluster;
-    int nb_clusters, refcount1, refcount2;
+    int64_t size, i, highest_cluster, nb_clusters;
+    int refcount1, refcount2;
     QCowSnapshot *sn;
     uint16_t *refcount_table;
     int ret;
 
     size = bdrv_getlength(bs->file);
     nb_clusters = size_to_clusters(s, size);
+    if (nb_clusters > INT_MAX) {
+        res->check_errors++;
+        return -EFBIG;
+    }
+
     refcount_table = g_malloc0(nb_clusters * sizeof(uint16_t));
 
     res->bfi.total_clusters =
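Review bot: size comes straight from bdrv_getlength(bs->file), which returns a negative errno on failure, and that case is not checked before size_to_clusters(); a negative size yields a negative nb_clusters that passes the new > INT_MAX test and reaches g_malloc0() with a wrapped byte count. Add `if (size < 0) { res->check_errors++; return size; }` ahead of the conversion. Allowing up to INT_MAX clusters also still permits a roughly 4 GB refcount_table allocation for a check; a cap tied to QCOW_MAX_REFTABLE_SIZE would be consistent with PATCH 098.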
-- 
1.9.1


* [Qemu-devel] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (99 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 102/156] dmg: coding style and indentation cleanup Michael Roth
                   ` (55 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit cab60de930684c33f67d4e32c7509b567f8c445b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 791083a..64a7ee6 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
         }
     }
 
-    if (new_l1_size > INT_MAX) {
+    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
         return -EFBIG;
     }
 
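Review bot: the bound is right, but nothing in the code records why an entry count is compared against a byte-derived limit; add a comment such as `/* new_l1_size * sizeof(uint64_t) is stored in an int below */` above the check so the next person does not "fix" it back to INT_MAX. Note that INT_MAX / sizeof(uint64_t) has type size_t, so the comparison is unsigned; a negative new_l1_size would be converted to a huge value and rejected, which is the right outcome but worth stating.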
-- 
1.9.1


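The integer-width problems fixed in PATCH 097 and PATCH 101 above, reproduced in a toy model as an added example (this is not QEMU code; struct toy_qcow2, demo_state and the function names are assumptions, and REFCOUNT_SHIFT = 1 stands in for qcow2's 16-bit refcount entries):

```c
/* Added example, not QEMU code: a toy model of the two checks tightened by
 * PATCH 097 (index width in get_refcount) and PATCH 101 (L1 size check).
 * struct toy_qcow2, demo_state and the function names are assumptions;
 * REFCOUNT_SHIFT = 1 stands in for qcow2's 16-bit refcount entries. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

#define REFCOUNT_SHIFT  1
#define NO_SUCH_CLUSTER (-1)

struct toy_qcow2 {
    unsigned cluster_bits;         /* 16 => 64 KiB clusters */
    uint32_t refcount_table_size;  /* entries in the refcount table */
};

/* Constructed state: a one-entry refcount table with 64 KiB clusters. */
static const struct toy_qcow2 demo_state = { 16, 1 };

/* Before PATCH 097: the table index is an int. For cluster_index 2^47 the
 * shift yields 2^32, which truncates to 0, passes the bounds check and
 * selects the wrong refcount block. The explicit casts spell out what the
 * old implicit int assignment does on two's-complement targets; the
 * comparison is unsigned, exactly as int vs. uint32_t is in C. */
int64_t refcount_table_index_old(const struct toy_qcow2 *s, int64_t cluster_index)
{
    int refcount_table_index =
        (int)(uint32_t)(cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT));
    if ((uint32_t)refcount_table_index >= s->refcount_table_size) {
        return NO_SUCH_CLUSTER;
    }
    return refcount_table_index;
}

/* After PATCH 097: uint64_t keeps every bit, so 2^32 >= table size and the
 * lookup fails instead of returning another cluster's refcount. */
int64_t refcount_table_index_new(const struct toy_qcow2 *s, int64_t cluster_index)
{
    uint64_t refcount_table_index =
        cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT);
    if (refcount_table_index >= s->refcount_table_size) {
        return NO_SUCH_CLUSTER;
    }
    return (int64_t)refcount_table_index;
}

/* PATCH 101: new_l1_size counts 8-byte entries, but the byte size is later
 * stored in an int. Comparing the entry count with INT_MAX admits tables
 * whose byte size no longer fits; the new bound divides by the entry size. */
bool l1_size_ok_old(uint64_t new_l1_size)
{
    return new_l1_size <= INT_MAX;
}

bool l1_size_ok_new(uint64_t new_l1_size)
{
    return new_l1_size <= INT_MAX / sizeof(uint64_t);
}

/* What the later int assignment actually requires: the byte size, computed
 * without overflow, must itself be representable as an int. */
bool l1_bytes_fit_int(uint64_t new_l1_size)
{
    if (new_l1_size > UINT64_MAX / sizeof(uint64_t)) {
        return false;                  /* the multiplication itself would wrap */
    }
    return new_l1_size * sizeof(uint64_t) <= (uint64_t)INT_MAX;
}
```

The functions return verdicts rather than printing them so the cases can be asserted on: on the one-entry demo_state, the old index computation answers entry 0 for cluster index 2^47 while the new one reports no such cluster, and the old L1 check accepts 268435456 entries whose 2 GiB byte size no longer fits an int while the new one stops one entry earlier.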
* [Qemu-devel] [PATCH 102/156] dmg: coding style and indentation cleanup
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (100 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143) Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator Michael Roth
                   ` (54 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Clean up the mix of tabs and spaces, as well as the coding style
violations in block/dmg.c.  There are no semantic changes since this
patch simply reformats the code.

This patch is necessary before we can make meaningful changes to this
file, due to the inconsistent formatting and confusing indentation.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2c1885adcf0312da80c7317b09f9adad97fa0fc6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 224 ++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 120 insertions(+), 104 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index d5e9b1f..be2f26e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -96,9 +96,9 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                     Error **errp)
 {
     BDRVDMGState *s = bs->opaque;
-    uint64_t info_begin,info_end,last_in_offset,last_out_offset;
+    uint64_t info_begin, info_end, last_in_offset, last_out_offset;
     uint32_t count, tmp;
-    uint32_t max_compressed_size=1,max_sectors_per_chunk=1,i;
+    uint32_t max_compressed_size = 1, max_sectors_per_chunk = 1, i;
     int64_t offset;
     int ret;
 
@@ -160,37 +160,39 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
             goto fail;
         }
 
-	if (type == 0x6d697368 && count >= 244) {
-	    int new_size, chunk_count;
+        if (type == 0x6d697368 && count >= 244) {
+            int new_size, chunk_count;
 
             offset += 4;
             offset += 200;
 
-	    chunk_count = (count-204)/40;
-	    new_size = sizeof(uint64_t) * (s->n_chunks + chunk_count);
-	    s->types = g_realloc(s->types, new_size/2);
-	    s->offsets = g_realloc(s->offsets, new_size);
-	    s->lengths = g_realloc(s->lengths, new_size);
-	    s->sectors = g_realloc(s->sectors, new_size);
-	    s->sectorcounts = g_realloc(s->sectorcounts, new_size);
+            chunk_count = (count - 204) / 40;
+            new_size = sizeof(uint64_t) * (s->n_chunks + chunk_count);
+            s->types = g_realloc(s->types, new_size / 2);
+            s->offsets = g_realloc(s->offsets, new_size);
+            s->lengths = g_realloc(s->lengths, new_size);
+            s->sectors = g_realloc(s->sectors, new_size);
+            s->sectorcounts = g_realloc(s->sectorcounts, new_size);
 
             for (i = s->n_chunks; i < s->n_chunks + chunk_count; i++) {
                 ret = read_uint32(bs, offset, &s->types[i]);
                 if (ret < 0) {
                     goto fail;
                 }
-		offset += 4;
-		if(s->types[i]!=0x80000005 && s->types[i]!=1 && s->types[i]!=2) {
-		    if(s->types[i]==0xffffffff) {
-			last_in_offset = s->offsets[i-1]+s->lengths[i-1];
-			last_out_offset = s->sectors[i-1]+s->sectorcounts[i-1];
-		    }
-		    chunk_count--;
-		    i--;
-		    offset += 36;
-		    continue;
-		}
-		offset += 4;
+                offset += 4;
+                if (s->types[i] != 0x80000005 && s->types[i] != 1 &&
+                    s->types[i] != 2) {
+                    if (s->types[i] == 0xffffffff) {
+                        last_in_offset = s->offsets[i - 1] + s->lengths[i - 1];
+                        last_out_offset = s->sectors[i - 1] +
+                                          s->sectorcounts[i - 1];
+                    }
+                    chunk_count--;
+                    i--;
+                    offset += 36;
+                    continue;
+                }
+                offset += 4;
 
                 ret = read_uint64(bs, offset, &s->sectors[i]);
                 if (ret < 0) {
@@ -218,19 +220,21 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                 }
                 offset += 8;
 
-		if(s->lengths[i]>max_compressed_size)
-		    max_compressed_size = s->lengths[i];
-		if(s->sectorcounts[i]>max_sectors_per_chunk)
-		    max_sectors_per_chunk = s->sectorcounts[i];
-	    }
-	    s->n_chunks+=chunk_count;
-	}
+                if (s->lengths[i] > max_compressed_size) {
+                    max_compressed_size = s->lengths[i];
+                }
+                if (s->sectorcounts[i] > max_sectors_per_chunk) {
+                    max_sectors_per_chunk = s->sectorcounts[i];
+                }
+            }
+            s->n_chunks += chunk_count;
+        }
     }
 
     /* initialize zlib engine */
-    s->compressed_chunk = g_malloc(max_compressed_size+1);
-    s->uncompressed_chunk = g_malloc(512*max_sectors_per_chunk);
-    if(inflateInit(&s->zstream) != Z_OK) {
+    s->compressed_chunk = g_malloc(max_compressed_size + 1);
+    s->uncompressed_chunk = g_malloc(512 * max_sectors_per_chunk);
+    if (inflateInit(&s->zstream) != Z_OK) {
         ret = -EINVAL;
         goto fail;
     }
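Review bot: the two allocation sizes on the reformatted lines, max_compressed_size + 1 and 512 * max_sectors_per_chunk, are uint32_t and are fed from the uint64_t lengths and sectorcounts arrays with no range check, so the assignment truncates and the multiplication can wrap to a small buffer. Fine for a cleanup-only patch, but the DMG_SECTORCOUNTS_MAX / DMG_LENGTHS_MAX caps in PATCH 106 of this series are what make these lines safe, so the two should be backported together.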
@@ -252,27 +256,29 @@ fail:
 }
 
 static inline int is_sector_in_chunk(BDRVDMGState* s,
-		uint32_t chunk_num,int sector_num)
+                uint32_t chunk_num, int sector_num)
 {
-    if(chunk_num>=s->n_chunks || s->sectors[chunk_num]>sector_num ||
-	    s->sectors[chunk_num]+s->sectorcounts[chunk_num]<=sector_num)
-	return 0;
-    else
-	return -1;
+    if (chunk_num >= s->n_chunks || s->sectors[chunk_num] > sector_num ||
+            s->sectors[chunk_num] + s->sectorcounts[chunk_num] <= sector_num) {
+        return 0;
+    } else {
+        return -1;
+    }
 }
 
-static inline uint32_t search_chunk(BDRVDMGState* s,int sector_num)
+static inline uint32_t search_chunk(BDRVDMGState *s, int sector_num)
 {
     /* binary search */
-    uint32_t chunk1=0,chunk2=s->n_chunks,chunk3;
-    while(chunk1!=chunk2) {
-	chunk3 = (chunk1+chunk2)/2;
-	if(s->sectors[chunk3]>sector_num)
-	    chunk2 = chunk3;
-	else if(s->sectors[chunk3]+s->sectorcounts[chunk3]>sector_num)
-	    return chunk3;
-	else
-	    chunk1 = chunk3;
+    uint32_t chunk1 = 0, chunk2 = s->n_chunks, chunk3;
+    while (chunk1 != chunk2) {
+        chunk3 = (chunk1 + chunk2) / 2;
+        if (s->sectors[chunk3] > sector_num) {
+            chunk2 = chunk3;
+        } else if (s->sectors[chunk3] + s->sectorcounts[chunk3] > sector_num) {
+            return chunk3;
+        } else {
+            chunk1 = chunk3;
+        }
     }
     return s->n_chunks; /* error */
 }
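Review bot: in search_chunk() the final else branch, chunk1 = chunk3, does not advance the search: once chunk2 == chunk1 + 1, chunk3 evaluates to chunk1 again, so a sector_num that lies after the end of chunk chunk1 (a gap between chunks, or anything past the last chunk) leaves chunk1 and chunk2 unchanged and the while loop never terminates. The fix is chunk1 = chunk3 + 1. Out of scope for a reformat, but it is a hang reachable from a crafted image and deserves its own patch. In the same hunk, is_sector_in_chunk() keeps its inverted convention (0 for "not in chunk", -1 for "in chunk") and compares an int sector_num against uint64_t sectors, so a negative sector_num is promoted to a huge unsigned value; a follow-up returning bool and taking uint64_t would read better.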
@@ -281,54 +287,62 @@ static inline int dmg_read_chunk(BlockDriverState *bs, int sector_num)
 {
     BDRVDMGState *s = bs->opaque;
 
-    if(!is_sector_in_chunk(s,s->current_chunk,sector_num)) {
-	int ret;
-	uint32_t chunk = search_chunk(s,sector_num);
+    if (!is_sector_in_chunk(s, s->current_chunk, sector_num)) {
+        int ret;
+        uint32_t chunk = search_chunk(s, sector_num);
 
-	if(chunk>=s->n_chunks)
-	    return -1;
+        if (chunk >= s->n_chunks) {
+            return -1;
+        }
 
-	s->current_chunk = s->n_chunks;
-	switch(s->types[chunk]) {
-	case 0x80000005: { /* zlib compressed */
-	    int i;
+        s->current_chunk = s->n_chunks;
+        switch (s->types[chunk]) {
+        case 0x80000005: { /* zlib compressed */
+            int i;
 
-	    /* we need to buffer, because only the chunk as whole can be
-	     * inflated. */
-	    i=0;
-	    do {
+            /* we need to buffer, because only the chunk as whole can be
+             * inflated. */
+            i = 0;
+            do {
                 ret = bdrv_pread(bs->file, s->offsets[chunk] + i,
-                                 s->compressed_chunk+i, s->lengths[chunk]-i);
-		if(ret<0 && errno==EINTR)
-		    ret=0;
-		i+=ret;
-	    } while(ret>=0 && ret+i<s->lengths[chunk]);
-
-	    if (ret != s->lengths[chunk])
-		return -1;
-
-	    s->zstream.next_in = s->compressed_chunk;
-	    s->zstream.avail_in = s->lengths[chunk];
-	    s->zstream.next_out = s->uncompressed_chunk;
-	    s->zstream.avail_out = 512*s->sectorcounts[chunk];
-	    ret = inflateReset(&s->zstream);
-	    if(ret != Z_OK)
-		return -1;
-	    ret = inflate(&s->zstream, Z_FINISH);
-	    if(ret != Z_STREAM_END || s->zstream.total_out != 512*s->sectorcounts[chunk])
-		return -1;
-	    break; }
-	case 1: /* copy */
-	    ret = bdrv_pread(bs->file, s->offsets[chunk],
+                                 s->compressed_chunk + i,
+                                 s->lengths[chunk] - i);
+                if (ret < 0 && errno == EINTR) {
+                    ret = 0;
+                }
+                i += ret;
+            } while (ret >= 0 && ret + i < s->lengths[chunk]);
+
+            if (ret != s->lengths[chunk]) {
+                return -1;
+            }
+
+            s->zstream.next_in = s->compressed_chunk;
+            s->zstream.avail_in = s->lengths[chunk];
+            s->zstream.next_out = s->uncompressed_chunk;
+            s->zstream.avail_out = 512 * s->sectorcounts[chunk];
+            ret = inflateReset(&s->zstream);
+            if (ret != Z_OK) {
+                return -1;
+            }
+            ret = inflate(&s->zstream, Z_FINISH);
+            if (ret != Z_STREAM_END ||
+                s->zstream.total_out != 512 * s->sectorcounts[chunk]) {
+                return -1;
+            }
+            break; }
+        case 1: /* copy */
+            ret = bdrv_pread(bs->file, s->offsets[chunk],
                              s->uncompressed_chunk, s->lengths[chunk]);
-	    if (ret != s->lengths[chunk])
-		return -1;
-	    break;
-	case 2: /* zero */
-	    memset(s->uncompressed_chunk, 0, 512*s->sectorcounts[chunk]);
-	    break;
-	}
-	s->current_chunk = chunk;
+            if (ret != s->lengths[chunk]) {
+                return -1;
+            }
+            break;
+        case 2: /* zero */
+            memset(s->uncompressed_chunk, 0, 512 * s->sectorcounts[chunk]);
+            break;
+        }
+        s->current_chunk = chunk;
     }
     return 0;
 }
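Review bot: in the copy case (case 1) bdrv_pread() reads s->lengths[chunk] bytes into s->uncompressed_chunk, which dmg_open() sized as 512 * max_sectors_per_chunk, and nothing checks that a raw chunk's length equals 512 * s->sectorcounts[chunk]; a record with a large length and a small sectorcount writes past the buffer. Add `if (s->lengths[chunk] != s->sectorcounts[chunk] * 512) return -1;` before the read. The zlib case has the matching shape problem in avail_in and avail_out, which take uint64_t values into unsigned int; the sanitize patch later in this series bounds those.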
@@ -339,12 +353,14 @@ static int dmg_read(BlockDriverState *bs, int64_t sector_num,
     BDRVDMGState *s = bs->opaque;
     int i;
 
-    for(i=0;i<nb_sectors;i++) {
-	uint32_t sector_offset_in_chunk;
-	if(dmg_read_chunk(bs, sector_num+i) != 0)
-	    return -1;
-	sector_offset_in_chunk = sector_num+i-s->sectors[s->current_chunk];
-	memcpy(buf+i*512,s->uncompressed_chunk+sector_offset_in_chunk*512,512);
+    for (i = 0; i < nb_sectors; i++) {
+        uint32_t sector_offset_in_chunk;
+        if (dmg_read_chunk(bs, sector_num + i) != 0) {
+            return -1;
+        }
+        sector_offset_in_chunk = sector_num + i - s->sectors[s->current_chunk];
+        memcpy(buf + i * 512,
+               s->uncompressed_chunk + sector_offset_in_chunk * 512, 512);
     }
     return 0;
 }
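Review bot: sector_offset_in_chunk is a uint32_t derived from the int64_t sector_num and the uint64_t sectors array, and dmg_read_chunk() takes an int sector_num, so sector_num + i is truncated on the call for images beyond 2^31 sectors. No action in a reformat-only patch, but PATCH 107 of this series (uint64_t for sectors and lengths) should cover this call site and the dmg_read_chunk() signature together.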
@@ -376,12 +392,12 @@ static void dmg_close(BlockDriverState *bs)
 }
 
 static BlockDriver bdrv_dmg = {
-    .format_name	= "dmg",
-    .instance_size	= sizeof(BDRVDMGState),
-    .bdrv_probe		= dmg_probe,
-    .bdrv_open		= dmg_open,
-    .bdrv_read          = dmg_co_read,
-    .bdrv_close		= dmg_close,
+    .format_name    = "dmg",
+    .instance_size  = sizeof(BDRVDMGState),
+    .bdrv_probe     = dmg_probe,
+    .bdrv_open      = dmg_open,
+    .bdrv_read      = dmg_co_read,
+    .bdrv_close     = dmg_close,
 };
 
 static void bdrv_dmg_init(void)
-- 
1.9.1


* [Qemu-devel] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (101 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 102/156] dmg: coding style and indentation cleanup Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop Michael Roth
                   ` (53 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

When a terminator is reached the base for offsets and sectors is stored.
The following records that are processed will use this base value.

If the first record we encounter is a terminator, then calculating the
base values would result in out-of-bounds array accesses.  Don't do
that.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 73ed27ec28a1dbebdd2ae792284151f029950fbe)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/dmg.c b/block/dmg.c
index be2f26e..f4f3e8e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -182,7 +182,7 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                 offset += 4;
                 if (s->types[i] != 0x80000005 && s->types[i] != 1 &&
                     s->types[i] != 2) {
-                    if (s->types[i] == 0xffffffff) {
+                    if (s->types[i] == 0xffffffff && i > 0) {
                         last_in_offset = s->offsets[i - 1] + s->lengths[i - 1];
                         last_out_offset = s->sectors[i - 1] +
                                           s->sectorcounts[i - 1];
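Review bot: guarding with i > 0 removes the negative index, but when the first record is a terminator last_in_offset and last_out_offset keep whatever they held before, and the declarations at the top of dmg_open() (uint64_t info_begin, info_end, last_in_offset, last_out_offset;) carry no initialiser, so later records would add an indeterminate base. Initialise both to 0 at the declaration, or treat a leading terminator as a malformed table and fail with -EINVAL.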
-- 
1.9.1


* [Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (102 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 105/156] dmg: use appropriate types when reading chunks Michael Roth
                   ` (52 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

It is not necessary to check errno for EINTR and the block layer does
not produce short reads.  Therefore we can drop the loop that attempts
to read a compressed chunk.

The loop is buggy because it incorrectly adds the transferred bytes
twice:

  do {
      ret = bdrv_pread(...);
      i += ret;
  } while (ret >= 0 && ret + i < s->lengths[chunk]);

Luckily we can drop the loop completely and perform a single
bdrv_pread().

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b404bf854217dbe8a5649449eb3ad33777f7d900)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index f4f3e8e..1cc5426 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -298,21 +298,10 @@ static inline int dmg_read_chunk(BlockDriverState *bs, int sector_num)
         s->current_chunk = s->n_chunks;
         switch (s->types[chunk]) {
         case 0x80000005: { /* zlib compressed */
-            int i;
-
             /* we need to buffer, because only the chunk as whole can be
              * inflated. */
-            i = 0;
-            do {
-                ret = bdrv_pread(bs->file, s->offsets[chunk] + i,
-                                 s->compressed_chunk + i,
-                                 s->lengths[chunk] - i);
-                if (ret < 0 && errno == EINTR) {
-                    ret = 0;
-                }
-                i += ret;
-            } while (ret >= 0 && ret + i < s->lengths[chunk]);
-
+            ret = bdrv_pread(bs->file, s->offsets[chunk],
+                             s->compressed_chunk, s->lengths[chunk]);
             if (ret != s->lengths[chunk]) {
                 return -1;
             }
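Review bot: ret is int and s->lengths[chunk] is uint64_t, so in `ret != s->lengths[chunk]` a negative ret converts to a large unsigned value and still compares unequal, which is correct. But bdrv_pread() takes an int byte count, so a lengths[chunk] above INT_MAX is truncated on the call and a short read is then misreported as a length mismatch; this hunk relies on the DMG_LENGTHS_MAX cap introduced in PATCH 106 and should be backported together with it.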
-- 
1.9.1


* [Qemu-devel] [PATCH 105/156] dmg: use appropriate types when reading chunks
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (103 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Michael Roth
                   ` (51 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Use the right types instead of signed int:

  size_t new_size;

  This is a byte count for g_realloc() that is calculated from uint32_t
  and size_t values.

  uint32_t chunk_count;

  Use the same type as s->n_chunks, which is used together with
  chunk_count.

This patch is a cleanup and does not fix bugs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit eb71803b041f55779ea10d860c0f66df285c68de)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/dmg.c b/block/dmg.c
index 1cc5426..f98c94d 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -161,7 +161,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
         }
 
         if (type == 0x6d697368 && count >= 244) {
-            int new_size, chunk_count;
+            size_t new_size;
+            uint32_t chunk_count;
 
             offset += 4;
             offset += 200;
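Review bot: size_t for new_size is the right type, but the expression that fills it, sizeof(uint64_t) * (s->n_chunks + chunk_count) as visible in PATCH 102, still performs the addition in uint32_t before widening, so s->n_chunks + chunk_count can wrap across many mish blocks and the realloc comes out too small. Cast one operand to size_t first, or reject the record set when s->n_chunks + chunk_count would overflow.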
-- 
1.9.1


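The chunk-table handling that PATCH 102 through PATCH 105 above touch, and the caps that PATCH 106 in this series introduces, as an added example (not QEMU's block/dmg.c): a reduced parser for the 40-byte records with the checks a reviewer would want, plus a binary search that cannot loop forever. The record layout (type, reserved, sector, sectorcount, offset, length, big-endian), the 64 MB caps and the raw-chunk length check are assumptions modelled on the series, and the sample table is constructed here rather than taken from a real image.

```c
/* Added example, not QEMU's block/dmg.c: a reduced parser for the 40-byte
 * chunk records dmg_open() walks, with the checks a reviewer would want, and
 * a terminating binary search. Record layout (type, reserved, sector,
 * sectorcount, offset, length; big-endian) and the caps are assumptions. */
#include <stddef.h>
#include <stdint.h>

enum { DMG_LENGTHS_MAX = 64 * 1024 * 1024, DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
       RECORD_SIZE = 40, MAX_CHUNKS = 16 };
static const uint32_t CHUNK_ZLIB = 0x80000005u, CHUNK_COPY = 1, CHUNK_ZERO = 2, CHUNK_TERMINATOR = 0xffffffffu;

struct chunk { uint32_t type; uint64_t sector, sectorcount, offset, length; };
struct chunk_table { struct chunk c[MAX_CHUNKS]; uint32_t n; };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint64_t be64(const uint8_t *p) { return (uint64_t)be32(p) << 32 | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Parses consecutive records into t; returns the chunk count, or -1 if any record is unsafe. */
int parse_chunk_records(const uint8_t *buf, size_t len, struct chunk_table *t)
{
    uint64_t last_in = 0, last_out = 0;  /* bases applied to records after a terminator */
    t->n = 0;
    for (size_t off = 0; off + RECORD_SIZE <= len; off += RECORD_SIZE) {
        const uint8_t *r = buf + off;
        uint32_t type = be32(r);
        if (type == CHUNK_TERMINATOR) {
            if (t->n > 0) {              /* PATCH 103: a leading terminator has no predecessor */
                const struct chunk *p = &t->c[t->n - 1];
                last_in = p->offset + p->length;
                last_out = p->sector + p->sectorcount;
            }
            continue;
        }
        if (type != CHUNK_ZLIB && type != CHUNK_COPY && type != CHUNK_ZERO) continue; /* skipped, as dmg_open() does */
        if (t->n == MAX_CHUNKS) return -1;
        struct chunk *c = &t->c[t->n];
        c->type = type;
        c->sector = last_out + be64(r + 8);
        c->sectorcount = be64(r + 16);
        c->offset = last_in + be64(r + 24);
        c->length = be64(r + 32);
        /* PATCH 106 caps: bound both buffer sizes and the later uint64_t -> int conversions */
        if (c->sectorcount > DMG_SECTORCOUNTS_MAX || c->length > DMG_LENGTHS_MAX) return -1;
        /* a raw chunk is read straight into the 512 * sectorcount buffer, so the two must agree */
        if (type == CHUNK_COPY && c->length != c->sectorcount * 512) return -1;
        t->n++;
    }
    return (int)t->n;
}

/* Corrected search_chunk(): lo moves past the probe instead of back onto it,
 * so a sector in a gap or beyond the last chunk returns t->n rather than spinning. */
uint32_t find_chunk(const struct chunk_table *t, uint64_t sector)
{
    uint32_t lo = 0, hi = t->n;          /* half-open [lo, hi) */
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        const struct chunk *c = &t->c[mid];
        if (c->sector > sector) hi = mid;
        else if (c->sector + c->sectorcount > sector) return mid;
        else lo = mid + 1;
    }
    return t->n;
}

size_t put_record(uint8_t *p, uint32_t type, uint64_t sector, uint64_t count, uint64_t offset, uint64_t length)
{
    put32(p, type); put32(p + 4, 0); put64(p + 8, sector); put64(p + 16, count);
    put64(p + 24, offset); put64(p + 32, length);
    return RECORD_SIZE;
}

/* Constructed table (not from a real image): leading terminator, zero/copy/zlib chunks for sectors 0..15, terminator. */
size_t build_demo_table(uint8_t *buf)
{
    size_t n = 0;
    n += put_record(buf + n, CHUNK_TERMINATOR, 0, 0, 0, 0);
    n += put_record(buf + n, CHUNK_ZERO, 0, 8, 0, 0);
    n += put_record(buf + n, CHUNK_COPY, 8, 4, 0, 2048);
    n += put_record(buf + n, CHUNK_ZLIB, 12, 4, 2048, 100);
    n += put_record(buf + n, CHUNK_TERMINATOR, 0, 0, 0, 0);
    return n;
}

/* Parses the constructed table and looks a sector up: chunk index, the chunk count (3) if uncovered, UINT32_MAX on parse failure. */
uint32_t demo_find(uint64_t sector)
{
    uint8_t buf[RECORD_SIZE * 8];
    struct chunk_table t;
    if (parse_chunk_records(buf, build_demo_table(buf), &t) < 0) return UINT32_MAX;
    return find_chunk(&t, sector);
}

/* Single-record table: the parser's verdict (1 accepted, 0 nothing accepted, -1 rejected) for the given fields. */
int demo_single(uint32_t type, uint64_t count, uint64_t length)
{
    uint8_t buf[RECORD_SIZE];
    struct chunk_table t;
    return parse_chunk_records(buf, put_record(buf, type, 0, count, 0, length), &t);
}
```

The search keeps a half-open interval and always moves lo or hi, which is the one-line difference from the original chunk1 = chunk3 step; the raw-chunk equality check is the modern guard for the copy case, where the compressed length is also the number of bytes written into the sector-sized buffer.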
* [Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
  2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
                   ` (104 preceding siblings ...)
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 105/156] dmg: use appropriate types when reading chunks Michael Roth
@ 2014-07-08 17:18 ` Michael Roth
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 107/156] dmg: use uint64_t consistently for sectors and lengths Michael Roth
                   ` (50 subsequent siblings)
  156 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Chunk length and sectorcount are used for decompression buffers as well
as the bdrv_pread() count argument.  Ensure that they have reasonable
values so neither memory allocation nor conversion from uint64_t to int
will cause problems.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c165f7758009a4f793c1fc19ebb69cf55313450b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/block/dmg.c b/block/dmg.c
index f98c94d..ad253fe 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -27,6 +27,14 @@
 #include "qemu/module.h"
 #include <zlib.h>
 
+enum {
+    /* Limit chunk sizes to prevent unreasonable amounts of memory being used
+     * or truncating when converting to 32-bit types
+     */
+    DMG_LENGTHS_MAX = 64 * 1024 * 1024, /* 64 MB */
+    DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512,
+};
+
 typedef struct BDRVDMGState {
     CoMutex lock;
     /* each chunk contains a certain number of sectors,
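Review bot: the comment on the new enum should state the relationship between the two limits: because `DMG_SECTORCOUNTS_MAX = DMG_LENGTHS_MAX / 512`, a chunk's uncompressed size (sector count times 512) is bounded by the same 64 MB as its compressed length, so both the compressed and the uncompressed buffer are capped by one number. Also note that enum constants are `int`, while the error messages in the later hunks print them with `%u`; a `%d` (or casts) would keep the format specifiers strictly matched.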
@@ -208,6 +216,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                 }
                 offset += 8;
 
+                if (s->sectorcounts[i] > DMG_SECTORCOUNTS_MAX) {
+                    error_report("sector count %" PRIu64 " for chunk %u is "
+                                 "larger than max (%u)",
+                                 s->sectorcounts[i], i, DMG_SECTORCOUNTS_MAX);
+                    ret = -EINVAL;
+                    goto fail;
+                }
+
                 ret = read_uint64(bs, offset, &s->offsets[i]);
                 if (ret < 0) {
                     goto fail;
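Review bot: `dmg_open()` receives an `Error **errp` (visible in the signature in the following patch), yet the new check reports through `error_report()`, which only prints to stderr; `error_setg(errp, ...)` followed by `ret = -EINVAL; goto fail;` would hand the message to the caller the way `qcow2_open()` does elsewhere in this series. The check itself is correctly placed before `s->offsets[i]` is read, so a rejected chunk never reaches the buffer-size accounting.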
@@ -221,6 +237,14 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                 }
                 offset += 8;
 
+                if (s->lengths[i] > DMG_LENGTHS_MAX) {
+                    error_report("length %" PRIu64 " for chunk %u is larger "
+                                 "than max (%u)",
+                                 s->lengths[i], i, DMG_LENGTHS_MAX);
+                    ret = -EINVAL;
+                    goto fail;
+                }
+
                 if (s->lengths[i] > max_compressed_size) {
                     max_compressed_size = s->lengths[i];
                 }
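Review bot: the placement is right, since the `DMG_LENGTHS_MAX` check runs before `max_compressed_size` is updated, so the compressed buffer allocation is bounded by the new limit; the same `error_report()` versus `error_setg(errp, ...)` remark as for the sector-count check applies here. Consider folding both checks into one helper so that the two limits and the two messages cannot drift apart.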
-- 
1.9.1


* [Qemu-devel] [PATCH 107/156] dmg: use uint64_t consistently for sectors and lengths
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

The DMG metadata is stored as uint64_t, so use the same type for
sector_num.  int was a particularly poor choice since it is only 32-bit
and would truncate large values.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 686d7148ec23402a172628c800022b3a95a022c9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index ad253fe..be0ee33 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -281,7 +281,7 @@ fail:
 }
 
 static inline int is_sector_in_chunk(BDRVDMGState* s,
-                uint32_t chunk_num, int sector_num)
+                uint32_t chunk_num, uint64_t sector_num)
 {
     if (chunk_num >= s->n_chunks || s->sectors[chunk_num] > sector_num ||
             s->sectors[chunk_num] + s->sectorcounts[chunk_num] <= sector_num) {
@@ -291,7 +291,7 @@ static inline int is_sector_in_chunk(BDRVDMGState* s,
     }
 }
 
-static inline uint32_t search_chunk(BDRVDMGState *s, int sector_num)
+static inline uint32_t search_chunk(BDRVDMGState *s, uint64_t sector_num)
 {
     /* binary search */
     uint32_t chunk1 = 0, chunk2 = s->n_chunks, chunk3;
@@ -308,7 +308,7 @@ static inline uint32_t search_chunk(BDRVDMGState *s, int sector_num)
     return s->n_chunks; /* error */
 }
 
-static inline int dmg_read_chunk(BlockDriverState *bs, int sector_num)
+static inline int dmg_read_chunk(BlockDriverState *bs, uint64_t sector_num)
 {
     BDRVDMGState *s = bs->opaque;
 
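Review bot: the three signatures are now consistent, but the callers of `dmg_read_chunk()` and `search_chunk()` are not in the hunks; confirm that they pass the block layer's `int64_t sector_num`, whose conversion to `uint64_t` is well-defined only for non-negative values (which the request checks in `block.c` guarantee). In `search_chunk()` the sentinel `return s->n_chunks; /* error */` is an out-of-range index, so a comment at the call sites that the result must be compared against `s->n_chunks` before indexing would help.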
-- 
1.9.1


* [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

Both compressed and uncompressed I/O is buffered.  dmg_open() calculates
the maximum buffer size needed from the metadata in the image file.

There is currently a buffer overflow since ->lengths[] is accounted
against the maximum compressed buffer size but actually uses the
uncompressed buffer:

  switch (s->types[chunk]) {
  case 1: /* copy */
      ret = bdrv_pread(bs->file, s->offsets[chunk],
                       s->uncompressed_chunk, s->lengths[chunk]);

We must account against the maximum uncompressed buffer size for type=1
chunks.

This patch fixes the maximum buffer size calculation to take into
account the chunk type.  It is critical that we update the correct
maximum since there are two buffers ->compressed_chunk and
->uncompressed_chunk.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f0dce23475b5af5da6b17b97c1765271307734b6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/dmg.c | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/block/dmg.c b/block/dmg.c
index be0ee33..856402e 100644
--- a/block/dmg.c
+++ b/block/dmg.c
@@ -100,6 +100,37 @@ static int read_uint32(BlockDriverState *bs, int64_t offset, uint32_t *result)
     return 0;
 }
 
+/* Increase max chunk sizes, if necessary.  This function is used to calculate
+ * the buffer sizes needed for compressed/uncompressed chunk I/O.
+ */
+static void update_max_chunk_size(BDRVDMGState *s, uint32_t chunk,
+                                  uint32_t *max_compressed_size,
+                                  uint32_t *max_sectors_per_chunk)
+{
+    uint32_t compressed_size = 0;
+    uint32_t uncompressed_sectors = 0;
+
+    switch (s->types[chunk]) {
+    case 0x80000005: /* zlib compressed */
+        compressed_size = s->lengths[chunk];
+        uncompressed_sectors = s->sectorcounts[chunk];
+        break;
+    case 1: /* copy */
+        uncompressed_sectors = (s->lengths[chunk] + 511) / 512;
+        break;
+    case 2: /* zero */
+        uncompressed_sectors = s->sectorcounts[chunk];
+        break;
+    }
+
+    if (compressed_size > *max_compressed_size) {
+        *max_compressed_size = compressed_size;
+    }
+    if (uncompressed_sectors > *max_sectors_per_chunk) {
+        *max_sectors_per_chunk = uncompressed_sectors;
+    }
+}
+
 static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                     Error **errp)
 {
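Review bot: the assignments `compressed_size = s->lengths[chunk]` and `uncompressed_sectors = s->sectorcounts[chunk]` narrow `uint64_t` to `uint32_t` and are only safe because the `DMG_LENGTHS_MAX` / `DMG_SECTORCOUNTS_MAX` checks from the preceding patch run first; a comment in `update_max_chunk_size()` stating that dependency would prevent a future reordering from reintroducing truncation. The `switch` has no `default`, so unknown chunk types contribute nothing to either maximum; that is only correct if the read path rejects such types rather than copying into `uncompressed_chunk`, so please confirm or add a `default:` that reports the type.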
@@ -245,12 +276,8 @@ static int dmg_open(BlockDriverState *bs, QDict *options, int flags,
                     goto fail;
                 }
 
-                if (s->lengths[i] > max_compressed_size) {
-                    max_compressed_size = s->lengths[i];
-                }
-                if (s->sectorcounts[i] > max_sectors_per_chunk) {
-                    max_sectors_per_chunk = s->sectorcounts[i];
-                }
+                update_max_chunk_size(s, i, &max_compressed_size,
+                                      &max_sectors_per_chunk);
             }
             s->n_chunks += chunk_count;
         }
-- 
1.9.1


* [Qemu-devel] [PATCH 109/156] block: Limit request size (CVE-2014-0143)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Limiting the size of a single request to INT_MAX not only fixes a
direct integer overflow in bdrv_check_request() (which would only
trigger bad behaviour with ridiculously huge images, as in close to
2^64 bytes), but can also prevent overflows in all block drivers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8f4754ede56e3f9ea3fd7207f4a7c4453e59285b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block.c b/block.c
index 68651a9..202d817 100644
--- a/block.c
+++ b/block.c
@@ -2277,6 +2277,10 @@ static int bdrv_check_byte_request(BlockDriverState *bs, int64_t offset,
 static int bdrv_check_request(BlockDriverState *bs, int64_t sector_num,
                               int nb_sectors)
 {
+    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
+        return -EIO;
+    }
+
     return bdrv_check_byte_request(bs, sector_num * BDRV_SECTOR_SIZE,
                                    nb_sectors * BDRV_SECTOR_SIZE);
 }
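Review bot: the new check bounds only the upper end of `nb_sectors`; since the parameter is a signed `int`, a negative value still reaches `bdrv_check_byte_request()` as a negative byte count. Either add `nb_sectors < 0` to the condition here or confirm that `bdrv_check_byte_request()` (not in the hunk) rejects it. A one-line comment that `INT_MAX / BDRV_SECTOR_SIZE` keeps `nb_sectors * BDRV_SECTOR_SIZE` within `int` for every driver would document why this limit, rather than a driver-specific one, was chosen.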
-- 
1.9.1


* [Qemu-devel] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The qcow2 code assumes that s->snapshots is non-NULL if s->nb_snapshots
!= 0. By having the initialisation of both fields separated in
qcow2_open(), any error occurring in between would cause the error path
to dereference NULL in qcow2_free_snapshots() if the image had any
snapshots.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 11b128f4062dd7f89b14abc8877ff20d41b28be9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2.c              | 7 ++++---
 tests/qemu-iotests/080     | 7 +++++++
 tests/qemu-iotests/080.out | 4 ++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 447308e..52b73a9 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -639,9 +639,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
-    s->snapshots_offset = header.snapshots_offset;
-    s->nb_snapshots = header.nb_snapshots;
-
     /* read the level 1 table */
     if (header.l1_size > 0x2000000) {
         /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
@@ -736,6 +733,10 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
         bs->backing_file[len] = '\0';
     }
 
+    /* Internal snapshots */
+    s->snapshots_offset = header.snapshots_offset;
+    s->nb_snapshots = header.nb_snapshots;
+
     ret = qcow2_read_snapshots(bs);
     if (ret < 0) {
         error_setg_errno(errp, -ret, "Could not read snapshots");
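Review bot: the fix relies on nothing that can fail being inserted between `s->nb_snapshots = header.nb_snapshots;` and the `qcow2_read_snapshots(bs)` call; the `/* Internal snapshots */` comment should say so explicitly, because the invariant (`s->snapshots` non-NULL whenever `s->nb_snapshots != 0`) is otherwise only documented in the commit message. As a belt-and-braces measure, `qcow2_free_snapshots()` could also treat `s->snapshots == NULL` as "nothing to free".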
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 56f8903..59e7a44 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -139,6 +139,13 @@ poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
 echo
+echo "== Invalid L1 table (with internal snapshot in the image) =="
+_make_test_img 64M
+{ $QEMU_IMG snapshot -c foo $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x00"
+_img_info
+
+echo
 echo "== Invalid backing file size =="
 _make_test_img 64M
 poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\x00\x00\x00\x10\x00"
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 303d6c3..4d84fbf 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -59,6 +59,10 @@ no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow2: Invalid L1 table offset
 no file open, try 'help open'
 
+== Invalid L1 table (with internal snapshot in the image) ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-img: Could not open 'TEST_DIR/t.IMGFMT': L1 table is too small
+
 == Invalid backing file size ==
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 qemu-io: can't open device TEST_DIR/t.qcow2: Backing file name too long
-- 
1.9.1


* [Qemu-devel] [PATCH 111/156] qcow2: Fix copy_sectors() with VM state
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

bs->total_sectors is not the highest possible sector number that could
be involved in a copy on write operation: VM state is after the end of
the virtual disk. This resulted in wrong values for the number of
sectors to be copied (n).

The code that checks for the end of the image isn't required any more
because the code hasn't been calling the block layer's bdrv_read() for a
long time; instead, it directly calls qcow2_readv(), which doesn't error
out on VM state sector numbers.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6b7d4c55586a849aa8313282d79432917eade3bf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-cluster.c      |  9 ---------
 tests/qemu-iotests/029     | 22 ++++++++++++++++++++--
 tests/qemu-iotests/029.out | 13 +++++++++++++
 3 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 64a7ee6..23f2878 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -359,15 +359,6 @@ static int coroutine_fn copy_sectors(BlockDriverState *bs,
     struct iovec iov;
     int n, ret;
 
-    /*
-     * If this is the last cluster and it is only partially used, we must only
-     * copy until the end of the image, or bdrv_check_request will fail for the
-     * bdrv_read/write calls below.
-     */
-    if (start_sect + n_end > bs->total_sectors) {
-        n_end = bs->total_sectors - start_sect;
-    }
-
     n = n_end - n_start;
     if (n <= 0) {
         return 0;
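Review bot: with the clamp removed, `copy_sectors()` carries no range check at all and the deleted block was the only comment describing the range assumption; add a one-line comment that the caller must keep `[start_sect + n_start, start_sect + n_end)` within the cluster being copied and that `n_end` may legitimately lie beyond `bs->total_sectors` for VM state. The `if (n <= 0) return 0;` guard still covers an inverted range, but no longer anything else.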
diff --git a/tests/qemu-iotests/029 b/tests/qemu-iotests/029
index b424726..567e071 100755
--- a/tests/qemu-iotests/029
+++ b/tests/qemu-iotests/029
@@ -1,7 +1,6 @@
 #!/bin/bash
 #
-# Test loading internal snapshots where the L1 table of the snapshot
-# is smaller than the current L1 table.
+# qcow2 internal snapshots/VM state tests
 #
 # Copyright (C) 2011 Red Hat, Inc.
 #
@@ -45,6 +44,11 @@ _supported_fmt qcow2
 _supported_proto generic
 _supported_os Linux
 
+echo
+echo Test loading internal snapshots where the L1 table of the snapshot
+echo is smaller than the current L1 table.
+echo
+
 CLUSTER_SIZE=65536
 _make_test_img 64M
 $QEMU_IMG snapshot -c foo "$TEST_IMG"
@@ -59,6 +63,20 @@ $QEMU_IO -c 'write -b 0 4M' "$TEST_IMG" | _filter_qemu_io
 $QEMU_IMG snapshot -a foo "$TEST_IMG"
 _check_test_img
 
+
+echo
+echo Try using a huge VM state
+echo
+
+CLUSTER_SIZE=65536
+_make_test_img 64M
+{ $QEMU_IO -c "write -b -P 0x11 1T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IMG snapshot -c foo $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IMG snapshot -a foo $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IO -c "read -b -P 0x11 1T 4k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+_check_test_img
+
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
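Review bot: the new test lines use `$TEST_IMG` unquoted while the existing lines in this file (e.g. `$QEMU_IMG snapshot -c foo "$TEST_IMG"`) quote it; please quote consistently so a test directory path with spaces behaves the same in both halves of the script. A comment that `-b` selects VM-state I/O and that `1T` is deliberately far past the 64M virtual disk would make the regression being exercised obvious.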
diff --git a/tests/qemu-iotests/029.out b/tests/qemu-iotests/029.out
index 0eedb3a..9029698 100644
--- a/tests/qemu-iotests/029.out
+++ b/tests/qemu-iotests/029.out
@@ -1,4 +1,8 @@
 QA output created by 029
+
+Test loading internal snapshots where the L1 table of the snapshot
+is smaller than the current L1 table.
+
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 wrote 4096/4096 bytes at offset 0
 4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
@@ -7,4 +11,13 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=16777216
 wrote 4194304/4194304 bytes at offset 0
 4 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 No errors were found on the image.
+
+Try using a huge VM state
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+wrote 4096/4096 bytes at offset 1099511627776
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+read 4096/4096 bytes at offset 1099511627776
+4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+No errors were found on the image.
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

For the L1 table to be loaded for an internal snapshot, the code allocated
only enough memory to hold the currently active L1 table. If the
snapshot's L1 table is actually larger than the current one, this leads
to a buffer overflow.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c05e4667be91b46ab42b5a11babf8e84d476cc6b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-snapshot.c     |  2 +-
 tests/qemu-iotests/029     | 18 +++++++++++++++++-
 tests/qemu-iotests/029.out |  4 ++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 7548165..4170e87 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -673,7 +673,7 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs, const char *snapshot_name)
     sn = &s->snapshots[snapshot_index];
 
     /* Allocate and read in the snapshot's L1 table */
-    new_l1_bytes = s->l1_size * sizeof(uint64_t);
+    new_l1_bytes = sn->l1_size * sizeof(uint64_t);
     new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
 
     ret = bdrv_pread(bs->file, sn->l1_table_offset, new_l1_table, new_l1_bytes);
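Review bot: switching to `sn->l1_size` fixes the undersized buffer, but `sn->l1_size * sizeof(uint64_t)` is now an allocation sized entirely by a field read from the image with no upper bound in this hunk; the cap belongs immediately before this line (the following patch in the series adds exactly that check against `QCOW_MAX_L1_SIZE`), and ideally both would land in one commit so that no intermediate tree allows an unbounded `g_malloc0()`.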
diff --git a/tests/qemu-iotests/029 b/tests/qemu-iotests/029
index 567e071..fa46ace 100755
--- a/tests/qemu-iotests/029
+++ b/tests/qemu-iotests/029
@@ -30,7 +30,8 @@ status=1	# failure is the default!
 
 _cleanup()
 {
-	_cleanup_test_img
+    rm -f $TEST_IMG.snap
+    _cleanup_test_img
 }
 trap "_cleanup; exit \$status" 0 1 2 3 15
 
@@ -44,6 +45,9 @@ _supported_fmt qcow2
 _supported_proto generic
 _supported_os Linux
 
+offset_size=24
+offset_l1_size=36
+
 echo
 echo Test loading internal snapshots where the L1 table of the snapshot
 echo is smaller than the current L1 table.
@@ -77,6 +81,18 @@ _make_test_img 64M
 _check_test_img
 
 
+echo
+echo "qcow2_snapshot_load_tmp() should take the L1 size from the snapshot"
+echo
+
+CLUSTER_SIZE=512
+_make_test_img 64M
+{ $QEMU_IMG snapshot -c foo $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_size" "\x00\x00\x00\x00\x00\x00\x02\x00"
+poke_file "$TEST_IMG" "$offset_l1_size" "\x00\x00\x00\x01"
+{ $QEMU_IMG convert -s foo $TEST_IMG $TEST_IMG.snap; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
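Review bot: the two `poke_file` values have no explanation in the test; a comment that `\x00\x00\x00\x00\x00\x00\x02\x00` shrinks the header's image size to 512 bytes and `\x00\x00\x00\x01` shrinks the active L1 to a single entry, so that snapshot `foo`'s L1 table is larger than the active one, would make the purpose of the regression test clear to the next reader.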
diff --git a/tests/qemu-iotests/029.out b/tests/qemu-iotests/029.out
index 9029698..ce0e64d 100644
--- a/tests/qemu-iotests/029.out
+++ b/tests/qemu-iotests/029.out
@@ -20,4 +20,8 @@ wrote 4096/4096 bytes at offset 1099511627776
 read 4096/4096 bytes at offset 1099511627776
 4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 No errors were found on the image.
+
+qcow2_snapshot_load_tmp() should take the L1 size from the snapshot
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This avoids an unbounded allocation.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 6a83f8b5bec6f59e56cc49bd49e4c3f8f805d56f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow2-snapshot.c     |  4 ++++
 block/qcow2.c              |  4 +---
 block/qcow2.h              |  4 ++++
 tests/qemu-iotests/080     | 15 ++++++++++++++-
 tests/qemu-iotests/080.out |  6 ++++++
 5 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 4170e87..6218710 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -673,6 +673,10 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs, const char *snapshot_name)
     sn = &s->snapshots[snapshot_index];
 
     /* Allocate and read in the snapshot's L1 table */
+    if (sn->l1_size > QCOW_MAX_L1_SIZE) {
+        error_report("Snapshot L1 table too large");
+        return -EFBIG;
+    }
     new_l1_bytes = sn->l1_size * sizeof(uint64_t);
     new_l1_table = g_malloc0(align_offset(new_l1_bytes, 512));
 
diff --git a/block/qcow2.c b/block/qcow2.c
index 52b73a9..37b0f6c 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -640,9 +640,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
     }
 
     /* read the level 1 table */
-    if (header.l1_size > 0x2000000) {
-        /* 32 MB L1 table is enough for 2 PB images at 64k cluster size
-         * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+    if (header.l1_size > QCOW_MAX_L1_SIZE) {
         error_setg(errp, "Active L1 table too large");
         ret = -EFBIG;
         goto fail;
diff --git a/block/qcow2.h b/block/qcow2.h
index a20d91f..29afb59 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -44,6 +44,10 @@
  * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
 #define QCOW_MAX_REFTABLE_SIZE 0x800000
 
+/* 32 MB L1 table is enough for 2 PB images at 64k cluster size
+ * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
+#define QCOW_MAX_L1_SIZE 0x2000000
+
 /* indicate that the refcount of the referenced cluster is exactly one. */
 #define QCOW_OFLAG_COPIED     (1ULL << 63)
 /* indicate that the cluster is compressed (they never have the copied flag) */
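Review bot: the comment describes a "32 MB L1 table", but `QCOW_MAX_L1_SIZE` is compared directly against `l1_size`, which is a count of 8-byte entries (see `new_l1_bytes = sn->l1_size * sizeof(uint64_t)` in the first hunk), so the effective cap is 0x2000000 entries, i.e. 256 MB of table. Either compare against `QCOW_MAX_L1_SIZE / sizeof(uint64_t)` at both call sites or reword the comment; moving the constant into the header is the right moment to make the two agree.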
diff --git a/tests/qemu-iotests/080 b/tests/qemu-iotests/080
index 59e7a44..6b3a3e7 100755
--- a/tests/qemu-iotests/080
+++ b/tests/qemu-iotests/080
@@ -30,7 +30,8 @@ status=1	# failure is the default!
 
 _cleanup()
 {
-	_cleanup_test_img
+    rm -f $TEST_IMG.snap
+    _cleanup_test_img
 }
 trap "_cleanup; exit \$status" 0 1 2 3 15
 
@@ -58,6 +59,10 @@ offset_ext_size=$((header_size + 4))
 
 offset_l2_table_0=$((0x40000))
 
+offset_snap1=$((0x70000))
+offset_snap1_l1_offset=$((offset_snap1 + 0))
+offset_snap1_l1_size=$((offset_snap1 + 8))
+
 echo
 echo "== Huge header size =="
 _make_test_img 64M
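Review bot: `offset_snap1=$((0x70000))` hard-codes where the snapshot table lands in a freshly created 64M image; a comment on how the value was derived (header, refcount and L1 clusters allocated before the first snapshot) would help when the allocation order or cluster layout of the format changes, and the test would then fail with an explanation rather than a silent mis-poke.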
@@ -161,6 +166,14 @@ poke_file "$TEST_IMG" "$offset_l2_table_0" "\xbf\xff\xff\xff\xff\xff\x00\x00"
 poke_file "$TEST_IMG" "$offset_l2_table_0" "\x80\x00\x00\xff\xff\xff\x00\x00"
 { $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid snapshot L1 table =="
+_make_test_img 64M
+{ $QEMU_IO -c "write 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+{ $QEMU_IMG snapshot -c test $TEST_IMG; } 2>&1 | _filter_testdir
+poke_file "$TEST_IMG" "$offset_snap1_l1_size" "\x10\x00\x00\x00"
+{ $QEMU_IMG convert -s test $TEST_IMG $TEST_IMG.snap; } 2>&1 | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/080.out b/tests/qemu-iotests/080.out
index 4d84fbf..f7a943c 100644
--- a/tests/qemu-iotests/080.out
+++ b/tests/qemu-iotests/080.out
@@ -74,4 +74,10 @@ wrote 512/512 bytes at offset 0
 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 qemu-img: Could not create snapshot 'test': -27 (File too large)
 qemu-img: Could not create snapshot 'test': -11 (Resource temporarily unavailable)
+
+== Invalid snapshot L1 table ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+wrote 512/512 bytes at offset 0
+512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-img: Failed to load snapshot: Snapshot L1 table too large
 *** done
-- 
1.9.1


* [Qemu-devel] [PATCH 114/156] parallels: Fix catalog size integer overflow (CVE-2014-0143)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

The first test case would cause a huge memory allocation, leading to a
qemu abort; the second one to a too small malloc() for the catalog
(smaller than s->catalog_size), which causes a read-only out-of-bounds
array access and on big endian hosts an endianness conversion for an
undefined memory area.

The sample image used here is not an original Parallels image. It was
created using a hex editor on the basis of the struct that qemu uses.
Good enough for trying to crash the driver, but not for ensuring
compatibility.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afbcc40bee4ef51731102d7d4b499ee12fc182e1)

Conflicts:
	tests/qemu-iotests/group

*fixed mismatches in group file

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/parallels.c                                  |   7 ++-
 tests/qemu-iotests/076                             |  69 +++++++++++++++++++++
 tests/qemu-iotests/076.out                         |  14 +++++
 tests/qemu-iotests/common                          |   7 +++
 tests/qemu-iotests/group                           |   1 +
 .../qemu-iotests/sample_images/fake.parallels.bz2  | Bin 0 -> 141 bytes
 6 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100755 tests/qemu-iotests/076
 create mode 100644 tests/qemu-iotests/076.out
 create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2

diff --git a/block/parallels.c b/block/parallels.c
index 2121e43..5d1c0af 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -49,7 +49,7 @@ typedef struct BDRVParallelsState {
     CoMutex lock;
 
     uint32_t *catalog_bitmap;
-    int catalog_size;
+    unsigned int catalog_size;
 
     int tracks;
 } BDRVParallelsState;
@@ -94,6 +94,11 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
     s->tracks = le32_to_cpu(ph.tracks);
 
     s->catalog_size = le32_to_cpu(ph.catalog_entries);
+    if (s->catalog_size > INT_MAX / 4) {
+        error_setg(errp, "Catalog too large");
+        ret = -EFBIG;
+        goto fail;
+    }
     s->catalog_bitmap = g_malloc(s->catalog_size * 4);
 
     ret = bdrv_pread(bs->file, 64, s->catalog_bitmap, s->catalog_size * 4);
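Review bot: the bound `INT_MAX / 4` and the two `* 4` hard-code `sizeof(uint32_t)`; writing `sizeof(*s->catalog_bitmap)` in all three places ties the limit to the type of `catalog_bitmap` so they cannot drift apart. The check removes the overflow, but still permits an allocation of almost 2 GB driven purely by the header field; since the catalog is read from offset 64 of the file, a tighter bound derived from the image size would reject such headers without a large `g_malloc()`.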
diff --git a/tests/qemu-iotests/076 b/tests/qemu-iotests/076
new file mode 100755
index 0000000..6028ac5
--- /dev/null
+++ b/tests/qemu-iotests/076
@@ -0,0 +1,69 @@
+#!/bin/bash
+#
+# parallels format input validation tests
+#
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+	_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt parallels
+_supported_proto generic
+_supported_os Linux
+
+catalog_entries_offset=$((0x20))
+nb_sectors_offset=$((0x24))
+
+echo
+echo "== Read from a valid (enough) image =="
+_use_sample_img fake.parallels.bz2
+{ $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Negative catalog size =="
+_use_sample_img fake.parallels.bz2
+poke_file "$TEST_IMG" "$catalog_entries_offset" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+echo
+echo "== Overflow in catalog allocation =="
+_use_sample_img fake.parallels.bz2
+poke_file "$TEST_IMG" "$nb_sectors_offset" "\xff\xff\xff\xff"
+poke_file "$TEST_IMG" "$catalog_entries_offset" "\x01\x00\x00\x40"
+{ $QEMU_IO -c "read 64M 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
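Review bot: the "== Negative catalog size ==" heading no longer describes what is tested: after the type change 0xffffffff is simply a large unsigned count, and 076.out shows this case and the "Overflow in catalog allocation" case failing through the same "Catalog too large" message. Rename it (for instance "Catalog size with high bit set") or note in the script that both cases exercise the same check, so that a future reader does not look for a signed path that no longer exists.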
diff --git a/tests/qemu-iotests/076.out b/tests/qemu-iotests/076.out
new file mode 100644
index 0000000..12af42a
--- /dev/null
+++ b/tests/qemu-iotests/076.out
@@ -0,0 +1,14 @@
+QA output created by 076
+
+== Read from a valid (enough) image ==
+read 65536/65536 bytes at offset 0
+64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+
+== Negative catalog size ==
+qemu-io: can't open device TEST_DIR/fake.parallels: Catalog too large
+no file open, try 'help open'
+
+== Overflow in catalog allocation ==
+qemu-io: can't open device TEST_DIR/fake.parallels: Catalog too large
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/common b/tests/qemu-iotests/common
index 35abbfc..f8c1b56 100644
--- a/tests/qemu-iotests/common
+++ b/tests/qemu-iotests/common
@@ -131,6 +131,7 @@ check options
     -bochs              test bochs
     -cow                test cow
     -cloop              test cloop
+    -parallels          test parallels
     -qcow               test qcow
     -qcow2              test qcow2
     -qed                test qed
@@ -181,6 +182,12 @@ testlist options
             xpand=false
             ;;
 
+        -parallels)
+            IMGFMT=parallels
+            IMGFMT_GENERIC=false
+            xpand=false
+            ;;
+
         -qcow)
             IMGFMT=qcow
             xpand=false
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index d0b762c..7e0e9a8 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -78,6 +78,7 @@
 070 rw auto
 073 rw auto
 075 rw auto
+076 auto
 078 rw auto
 080 rw auto
 088 rw auto
diff --git a/tests/qemu-iotests/sample_images/fake.parallels.bz2 b/tests/qemu-iotests/sample_images/fake.parallels.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..ffb5f13bac31bc9ab6e1ea5c0cfa26786f2c4cc6
GIT binary patch
literal 141
zcmV;80CN9AT4*^jL0KkKS*i&LJ^%_Hf6(xNVE_;S2ml2D2!JYJ)&M{N00969FaWp;
z000b`1pojBOn|7QnnOSv)YEF7cgIVO0ByGSdk7e?fW`f$x`2Bi3t$bd06owJs09G{
vKo+1B1LXi)0CVe)J@eC^zBuEJbFFJA24D=p8Gt*$AL8yvrwS4kK_LggA5<|C

literal 0
HcmV?d00001

-- 
1.9.1

* [Qemu-devel] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

This avoids a possible division by zero.

Convert s->tracks to unsigned as well because it feels better than
surviving just because the results of calculations with s->tracks are
converted to unsigned anyway.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 9302e863aa8baa5d932fc078967050c055fa1a7f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/parallels.c          | 7 ++++++-
 tests/qemu-iotests/076     | 7 +++++++
 tests/qemu-iotests/076.out | 4 ++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/block/parallels.c b/block/parallels.c
index 5d1c0af..d83cde4 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -51,7 +51,7 @@ typedef struct BDRVParallelsState {
     uint32_t *catalog_bitmap;
     unsigned int catalog_size;
 
-    int tracks;
+    unsigned int tracks;
 } BDRVParallelsState;
 
 static int parallels_probe(const uint8_t *buf, int buf_size, const char *filename)
@@ -92,6 +92,11 @@ static int parallels_open(BlockDriverState *bs, QDict *options, int flags,
     bs->total_sectors = le32_to_cpu(ph.nb_sectors);
 
     s->tracks = le32_to_cpu(ph.tracks);
+    if (s->tracks == 0) {
+        error_setg(errp, "Invalid image: Zero sectors per track");
+        ret = -EINVAL;
+        goto fail;
+    }
 
     s->catalog_size = le32_to_cpu(ph.catalog_entries);
     if (s->catalog_size > INT_MAX / 4) {
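Review bot: the zero check removes the division by zero, but `s->tracks` is still unbounded above; the commit message itself notes that calculations with `s->tracks` are carried out in unsigned arithmetic, so a header value near 2^32 can still wrap once it is multiplied by a sector size. `bs->total_sectors` is set from `ph.nb_sectors` directly above, which gives a natural upper bound (a track cannot be larger than the image) that would close that case at the same place.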
diff --git a/tests/qemu-iotests/076 b/tests/qemu-iotests/076
index 6028ac5..b614a7d 100755
--- a/tests/qemu-iotests/076
+++ b/tests/qemu-iotests/076
@@ -42,6 +42,7 @@ _supported_fmt parallels
 _supported_proto generic
 _supported_os Linux
 
+tracks_offset=$((0x1c))
 catalog_entries_offset=$((0x20))
 nb_sectors_offset=$((0x24))
 
@@ -63,6 +64,12 @@ poke_file "$TEST_IMG" "$nb_sectors_offset" "\xff\xff\xff\xff"
 poke_file "$TEST_IMG" "$catalog_entries_offset" "\x01\x00\x00\x40"
 { $QEMU_IO -c "read 64M 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Zero sectors per track =="
+_use_sample_img fake.parallels.bz2
+poke_file "$TEST_IMG" "$tracks_offset" "\x00\x00\x00\x00"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/076.out b/tests/qemu-iotests/076.out
index 12af42a..f7745d8 100644
--- a/tests/qemu-iotests/076.out
+++ b/tests/qemu-iotests/076.out
@@ -11,4 +11,8 @@ no file open, try 'help open'
 == Overflow in catalog allocation ==
 qemu-io: can't open device TEST_DIR/fake.parallels: Catalog too large
 no file open, try 'help open'
+
+== Zero sectors per track ==
+qemu-io: can't open device TEST_DIR/fake.parallels: Invalid image: Zero sectors per track
+no file open, try 'help open'
 *** done
-- 
1.9.1

* [Qemu-devel] [PATCH 116/156] qcow1: Make padding in the header explicit
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

We were relying on all compilers inserting the same padding in the
header struct that is used for the on-disk format. Let's not do that.
Mark the struct as packed and insert an explicit padding field for
compatibility.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/qcow.c b/block/qcow.c
index c470e05..1ca04e6 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -48,9 +48,10 @@ typedef struct QCowHeader {
     uint64_t size; /* in bytes */
     uint8_t cluster_bits;
     uint8_t l2_bits;
+    uint16_t padding;
     uint32_t crypt_method;
     uint64_t l1_table_offset;
-} QCowHeader;
+} QEMU_PACKED QCowHeader;
 
 #define L2_CACHE_SIZE 16
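Review bot: with `QEMU_PACKED` the explicit `uint16_t padding` becomes the only thing holding `crypt_method` at byte 36 and `l1_table_offset` at byte 40, the positions the unpacked layout gave them and the positions the qcow1 test added later in this series relies on (size at 24, cluster_bits at 32, l2_bits at 33). Add a one-line comment on the field saying it is part of the on-disk format and must stay, and consider a `QEMU_BUILD_BUG_ON(sizeof(QCowHeader) != 48)` next to the typedef so a later field addition cannot silently shift the layout.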
 
-- 
1.9.1

* [Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.

The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)

Conflicts:
	block/qcow.c
	tests/qemu-iotests/group

*removed mismatch due to error msgs from upstream's b6d5066d
*removed context from upstream block tests

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow.c               |  9 ++++++-
 tests/qemu-iotests/092     | 63 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/qemu-iotests/092.out | 13 ++++++++++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100755 tests/qemu-iotests/092
 create mode 100644 tests/qemu-iotests/092.out

diff --git a/block/qcow.c b/block/qcow.c
index 1ca04e6..c04ec42 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -126,10 +126,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
-    if (header.size <= 1 || header.cluster_bits < 9) {
+    if (header.size <= 1) {
+        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
         ret = -EINVAL;
         goto fail;
     }
+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+        error_setg(errp, "Cluster size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         ret = -EINVAL;
         goto fail;
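Review bot: the `header.crypt_method > QCOW_CRYPT_AES` check in the trailing context still returns `-EINVAL` without an `error_setg()`, so after this change it is the one rejection in this block that reports no reason to the user. Give it a message (e.g. "Unsupported encryption method") for consistency with the two new checks. Splitting the old combined condition so that size and cluster_bits get separate messages is the right call, and 0x08 (256 bytes) and 0x11 (128k) in test 092 cover both sides of the 512..64k range.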
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
new file mode 100755
index 0000000..d060e6f
--- /dev/null
+++ b/tests/qemu-iotests/092
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# qcow1 format input validation tests
+#
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# creator
+owner=kwolf@redhat.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+
+_cleanup()
+{
+    rm -f $TEST_IMG.snap
+    _cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto generic
+_supported_os Linux
+
+offset_cluster_bits=32
+
+echo
+echo "== Invalid cluster size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x1f"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
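Review bot: all four pokes (0xff, 0x1f, 0x08, 0x11) are rejection cases; nothing shows that the inclusive boundaries 0x09 and 0x10 still open, so an off-by-one in the `< 9 || > 16` condition would pass this test unnoticed. Add one accepted value at each end of the range. Also, `_cleanup` removes `$TEST_IMG.snap`, which nothing in this script creates; drop that line unless a later case needs it.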
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
new file mode 100644
index 0000000..8bf8158
--- /dev/null
+++ b/tests/qemu-iotests/092.out
@@ -0,0 +1,13 @@
+QA output created by 092
+
+== Invalid cluster size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
+no file open, try 'help open'
+*** done
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
index 7e0e9a8..b5abc5b 100644
--- a/tests/qemu-iotests/group
+++ b/tests/qemu-iotests/group
@@ -82,3 +82,4 @@
 078 rw auto
 080 rw auto
 088 rw auto
+092 rw auto quick
-- 
1.9.1

* [Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow.c               |  8 ++++++++
 tests/qemu-iotests/092     | 15 +++++++++++++++
 tests/qemu-iotests/092.out | 11 +++++++++++
 3 files changed, 34 insertions(+)

diff --git a/block/qcow.c b/block/qcow.c
index c04ec42..73a96a0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -137,6 +137,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
         goto fail;
     }
 
+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+     * so bytes = num_entries << 3. */
+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+        error_setg(errp, "L2 table size must be between 512 and 64k");
+        ret = -EINVAL;
+        goto fail;
+    }
+
     if (header.crypt_method > QCOW_CRYPT_AES) {
         ret = -EINVAL;
         goto fail;
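Review bot: the `9 - 3` and `16 - 3` literals duplicate the 9 and 16 from the cluster_bits check immediately above, and the 3 is log2(sizeof(uint64_t)); naming those constants, or deriving the l2_bits bounds from the cluster_bits ones, keeps the two checks in sync if either range is ever changed. The comment distinguishing entries from bytes is useful; the resulting maximum of 2^13 entries times 2^16 bytes per cluster is the 2^29 bytes per L2 table that the commit message cites.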
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index d060e6f..fb8bacc 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -44,6 +44,7 @@ _supported_proto generic
 _supported_os Linux
 
 offset_cluster_bits=32
+offset_l2_bits=33
 
 echo
 echo "== Invalid cluster size =="
@@ -57,6 +58,20 @@ poke_file "$TEST_IMG" "$offset_cluster_bits" "\x08"
 poke_file "$TEST_IMG" "$offset_cluster_bits" "\x11"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid L2 table size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_l2_bits" "\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x05"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
+# 1 << 0x1b = 2^31 / L2_CACHE_SIZE
+poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
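Review bot: the comment `1 << 0x1b = 2^31 / L2_CACHE_SIZE` gives the arithmetic (L2_CACHE_SIZE is 16 in block/qcow.c) but not the intent; presumably this value was chosen to overflow an L2 cache allocation before the new check existed, and saying so would stop a reader from seeing it as just another out-of-range value indistinguishable from 0xff. The 0x05 and 0x0e pokes probe both sides of the 6..13 range, which is good.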
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 8bf8158..73918b3 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -10,4 +10,15 @@ qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: Cluster size must be between 512 and 64k
 no file open, try 'help open'
+
+== Invalid L2 table size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
+no file open, try 'help open'
 *** done
-- 
1.9.1

* [Qemu-devel] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223)
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.

This can not only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow.c               | 16 ++++++++++++++--
 tests/qemu-iotests/092     |  9 +++++++++
 tests/qemu-iotests/092.out |  7 +++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index 73a96a0..2840386 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
     int cluster_sectors;
     int l2_bits;
     int l2_size;
-    int l1_size;
+    unsigned int l1_size;
     uint64_t cluster_offset_mask;
     uint64_t l1_table_offset;
     uint64_t *l1_table;
@@ -163,7 +163,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
 
     /* read the level 1 table */
     shift = s->cluster_bits + s->l2_bits;
-    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
+    if (header.size > UINT64_MAX - (1LL << shift)) {
+        error_setg(errp, "Image too large");
+        ret = -EINVAL;
+        goto fail;
+    } else {
+        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
+        if (l1_size > INT_MAX / sizeof(uint64_t)) {
+            error_setg(errp, "Image too large");
+            ret = -EINVAL;
+            goto fail;
+        }
+        s->l1_size = l1_size;
+    }
 
     s->l1_table_offset = header.l1_table_offset;
     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
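Review bot: the `else` after `goto fail` is unnecessary; hoisting `uint64_t l1_size` to the top of the function lets both checks sit at one indentation level. On the arithmetic, `1LL << shift` is a signed long long mixed with `UINT64_MAX`; with cluster_bits capped at 16 and l2_bits at 13 by the earlier checks, shift is at most 29 and the value is well defined, but `1ULL << shift` in both places makes that independent of how `shift` is typed. The `INT_MAX / sizeof(uint64_t)` bound is what keeps the `s->l1_size * sizeof(uint64_t)` below in range.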
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index fb8bacc..ae6ca76 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,7 @@ _supported_fmt qcow
 _supported_proto generic
 _supported_os Linux
 
+offset_size=24
 offset_cluster_bits=32
 offset_l2_bits=33
 
@@ -72,6 +73,14 @@ poke_file "$TEST_IMG" "$offset_l2_bits" "\x0e"
 poke_file "$TEST_IMG" "$offset_l2_bits" "\x1b"
 { $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid size =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
+{ $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
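Review bot: the second case uses `write 0 64M` while every other case in this file uses `read 0 512`; since the header is rejected at open time the output is identical ("Image too large" twice in 092.out), so either switch to `read` for consistency or say in a comment why a write was intended. Note also that 0xeeee...ee is below `UINT64_MAX - (1 << shift)` and therefore fails the second (l1_size) check, not the first; a value of 0xffffffffffffffff would exercise the first branch, which is currently untested.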
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index 73918b3..ac03302 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -21,4 +21,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 an
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: L2 table size must be between 512 and 64k
 no file open, try 'help open'
+
+== Invalid size ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Image too large
+no file open, try 'help open'
 *** done
-- 
1.9.1

* [Qemu-devel] [PATCH 120/156] qcow1: Stricter backing file length check
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Kevin Wolf <kwolf@redhat.com>

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.

Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qcow.c               |  7 +++++--
 tests/qemu-iotests/092     | 11 +++++++++++
 tests/qemu-iotests/092.out |  7 +++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/block/qcow.c b/block/qcow.c
index 2840386..276a4d0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
                      Error **errp)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i, shift, ret;
+    unsigned int len, i, shift;
+    int ret;
     QCowHeader header;
 
     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
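Review bot: making `i` and `shift` unsigned alongside `len` changes every use of them in qcow_open(), not only the backing-file path this patch is about; the `1LL << shift` expressions earlier in the function now take an unsigned shift count (harmless, but `1ULL` would match), and any loop on `i` that compares against a signed bound or tests for `< 0` would silently change meaning. Either split the `i`/`shift` change out of the `len` fix or say in the commit message that those uses were audited.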
@@ -199,7 +200,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
         if (len > 1023) {
-            len = 1023;
+            error_setg(errp, "Backing file name too long");
+            ret = -EINVAL;
+            goto fail;
         }
         ret = bdrv_pread(bs->file, header.backing_file_offset,
                    bs->backing_file, len);
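Review bot: rejecting `len > 1023` instead of clamping is right, since the destination is a fixed buffer that needs room for the terminating NUL, and with `len` now unsigned a header value of 0xffffffff can no longer reach bdrv_pread() as a negative count. Consider including the offending value in the message, e.g. "Backing file name too long (%u bytes, max 1023)", since the other messages in this series state the accepted range.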
diff --git a/tests/qemu-iotests/092 b/tests/qemu-iotests/092
index ae6ca76..a8c0c9c 100755
--- a/tests/qemu-iotests/092
+++ b/tests/qemu-iotests/092
@@ -43,6 +43,8 @@ _supported_fmt qcow
 _supported_proto generic
 _supported_os Linux
 
+offset_backing_file_offset=8
+offset_backing_file_size=16
 offset_size=24
 offset_cluster_bits=32
 offset_l2_bits=33
@@ -81,6 +83,15 @@ poke_file "$TEST_IMG" "$offset_size" "\xee\xee\xee\xee\xee\xee\xee\xee"
 poke_file "$TEST_IMG" "$offset_size" "\x7f\xff\xff\xff\xff\xff\xff\xff"
 { $QEMU_IO -c "write 0 64M" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
 
+echo
+echo "== Invalid backing file length =="
+_make_test_img 64M
+poke_file "$TEST_IMG" "$offset_backing_file_offset" "\x00\x00\x00\xff"
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\xff\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+poke_file "$TEST_IMG" "$offset_backing_file_size" "\x7f\xff\xff\xff"
+{ $QEMU_IO -c "read 0 512" $TEST_IMG; } 2>&1 | _filter_qemu_io | _filter_testdir
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/092.out b/tests/qemu-iotests/092.out
index ac03302..496d8f0 100644
--- a/tests/qemu-iotests/092.out
+++ b/tests/qemu-iotests/092.out
@@ -28,4 +28,11 @@ qemu-io: can't open device TEST_DIR/t.qcow: Image too large
 no file open, try 'help open'
 qemu-io: can't open device TEST_DIR/t.qcow: Image too large
 no file open, try 'help open'
+
+== Invalid backing file length ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
+qemu-io: can't open device TEST_DIR/t.qcow: Backing file name too long
+no file open, try 'help open'
 *** done
-- 
1.9.1

* [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 91e7fcca4743cf694eb0c8e7a8d938cf359b5bd8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/virtio-scsi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 3c867c6..4f238c2 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -496,7 +496,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
                                    uint32_t event, uint32_t reason)
 {
     VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
-    VirtIOSCSIReq *req = virtio_scsi_pop_req(s, vs->event_vq);
+    VirtIOSCSIReq *req;
     VirtIOSCSIEvent *evt;
     VirtIODevice *vdev = VIRTIO_DEVICE(s);
     int in_size;
@@ -505,6 +505,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
         return;
     }
 
+    req = virtio_scsi_pop_req(s, vs->event_vq);
     if (!req) {
         s->events_dropped = true;
         return;
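Review bot: moving the `virtio_scsi_pop_req()` call below the early `return` in the context above is the whole fix: before, the request was popped in the declaration and then abandoned whenever that early exit was taken. A one-line comment above the call saying it must stay after the preceding checks would stop a later refactor from folding it back into the declaration and reintroducing the leak.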
-- 
1.9.1

* [Qemu-devel] [PATCH 122/156] target-xtensa: fix cross-page jumps/calls at the end of TB
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Max Filippov <jcmvbkbc@gmail.com>

Use tb->pc instead of dc->pc to check for cross-page jumps.
When TB translation stops at the page boundary dc->pc points to the next
page allowing chaining to TBs in it, which is wrong.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit 433d33c555deeed375996e338df1a9510df401c6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-xtensa/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-xtensa/translate.c b/target-xtensa/translate.c
index 2d2df33..7d34326 100644
--- a/target-xtensa/translate.c
+++ b/target-xtensa/translate.c
@@ -414,7 +414,7 @@ static void gen_jump(DisasContext *dc, TCGv dest)
 static void gen_jumpi(DisasContext *dc, uint32_t dest, int slot)
 {
     TCGv_i32 tmp = tcg_const_i32(dest);
-    if (((dc->pc ^ dest) & TARGET_PAGE_MASK) != 0) {
+    if (((dc->tb->pc ^ dest) & TARGET_PAGE_MASK) != 0) {
         slot = -1;
     }
     gen_jump_slot(dc, tmp, slot);
@@ -442,7 +442,7 @@ static void gen_callw(DisasContext *dc, int callinc, TCGv_i32 dest)
 static void gen_callwi(DisasContext *dc, int callinc, uint32_t dest, int slot)
 {
     TCGv_i32 tmp = tcg_const_i32(dest);
-    if (((dc->pc ^ dest) & TARGET_PAGE_MASK) != 0) {
+    if (((dc->tb->pc ^ dest) & TARGET_PAGE_MASK) != 0) {
         slot = -1;
     }
     gen_callw_slot(dc, callinc, tmp, slot);
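Review bot: `gen_jumpi()` and `gen_callwi()` now carry the identical `((dc->tb->pc ^ dest) & TARGET_PAGE_MASK) != 0` test; a small helper (a hypothetical `gen_is_cross_page(dc, dest)`) would keep the two in step, which matters because this is exactly the expression that was wrong in both places. The commit message gives the reason `dc->tb->pc` is the right anchor: when translation stops at the page boundary, `dc->pc` already points into the next page.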
-- 
1.9.1

* [Qemu-devel] [PATCH 123/156] cputlb: Fix regression with TCG interpreter (bug 1310324)
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Weil <sw@weilnetz.de>

Commit 0f842f8a246f2b5b51a11c13f933bf7a90ae8e96 replaced GETPC_EXT() which
was derived from GETPC() by GETRA_EXT() without fixing cputlb.c. A later
patch replaced GETRA_EXT() by GETRA() in exec/softmmu_template.h which
is included in cputlb.c.

The TCG interpreter failed because the values returned by GETRA() were no
longer explicitly set to 0. The redefinition of GETRA() introduced here
fixes this.

In addition, GETPC_ADJ which is also used in exec/softmmu_template.h is
set to 0. Both changes reduce the compiled code size for cputlb.c by more
than 100 bytes, so the normal TCG without interpreter also profits from
the reduced code size and slightly faster code.

Cc: qemu-stable@nongnu.org
Reported-by: Giovanni Mascellani <gio@debian.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7e4e88656c1e6192e9e47a2054d2dc190c1b840b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 cputlb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/cputlb.c b/cputlb.c
index fff0afb..6c030c8 100644
--- a/cputlb.c
+++ b/cputlb.c
@@ -344,8 +344,10 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env1, target_ulong addr)
 }
 
 #define MMUSUFFIX _cmmu
-#undef GETPC
-#define GETPC() ((uintptr_t)0)
+#undef GETPC_ADJ
+#define GETPC_ADJ 0
+#undef GETRA
+#define GETRA() ((uintptr_t)0)
 #define SOFTMMU_CODE_ACCESS
 
 #define SHIFT 0
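Review bot: the `#undef`/`#define` pairs for GETPC_ADJ and GETRA are file-scope, so they stay in effect for everything compiled after this point in cputlb.c, not only for the SOFTMMU_CODE_ACCESS instantiation that follows; any later code in the file that expects the real GETRA() will silently get 0. A comment explaining why code-access helpers legitimately use a zero return address, and that the redefinition is meant to persist for the rest of the file, would make the intent explicit and save the next person who sees only this hunk from restoring the original macros.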
-- 
1.9.1


* [Qemu-devel] [PATCH 124/156] blockdev: Plug memory leak in blockdev_init()
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

blockdev_init() leaks bs_opts when qemu_opts_create() fails, i.e. when
the ID is bad.  Missed in commit ec9c10d.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 6376f9522372d589f3efe60001dc0486237dd375)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/blockdev.c b/blockdev.c
index 29b44a5..31b66cc 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -334,7 +334,7 @@ static DriveInfo *blockdev_init(QDict *bs_opts,
     opts = qemu_opts_create(&qemu_common_drive_opts, id, 1, &error);
     if (error_is_set(&error)) {
         error_propagate(errp, error);
-        return NULL;
+        goto err_no_opts;
     }
 
     qemu_opts_absorb_qdict(opts, bs_opts, &error);
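Review bot: `goto err_no_opts` is the right target here because `opts` was never created, so the cleanup must skip qemu_opts_del(); but the branch is taken on `error_is_set(&error)` rather than on the return value of qemu_opts_create(), so the jump and the state it depends on (`opts == NULL`) are only coupled by convention. Testing `if (!opts)` and then propagating `error` would tie the label choice directly to the condition it exists for.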
@@ -535,8 +535,9 @@ err:
     QTAILQ_REMOVE(&drives, dinfo, next);
     g_free(dinfo);
 early_err:
-    QDECREF(bs_opts);
     qemu_opts_del(opts);
+err_no_opts:
+    QDECREF(bs_opts);
     return NULL;
 }
 
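Review bot: the labels now form a fall-through ladder, `err:` into `early_err:` into `err_no_opts:`, and QDECREF(bs_opts) was moved below qemu_opts_del(opts) specifically so the new label reaches the decref without touching `opts`. That ordering is load-bearing, so a comment at `err_no_opts:` ("opts was not created") would stop a later tidy-up from swapping the two calls back. Also worth confirming that no path reaches `early_err:` with `opts == NULL`, since qemu_opts_del() is now the only statement between those two labels.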
-- 
1.9.1


* [Qemu-devel] [PATCH 125/156] blockdev: Plug memory leak in drive_init()
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

bs_opts is leaked on all paths from its qdev_new() that don't go
through blockdev_init().  Add the missing QDECREF(), and zap bs_opts
after blockdev_init(), so the new QDECREF() does nothing when we go
through blockdev_init().

Leak introduced in commit f298d07.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 3cb0e25c4b417b7336816bd92de458f0770d49ff)

Conflicts:
	blockdev.c

*fixed trivial context mismatch due to blockdev_init signature change

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/blockdev.c b/blockdev.c
index 31b66cc..4d911f9 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -868,6 +868,7 @@ DriveInfo *drive_init(QemuOpts *all_opts, BlockInterfaceType block_default_type)
 
     /* Actual block device init: Functionality shared with blockdev-add */
     dinfo = blockdev_init(bs_opts, type, &local_err);
+    bs_opts = NULL;
     if (dinfo == NULL) {
         if (error_is_set(&local_err)) {
             qerror_report_err(local_err);
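Review bot: `bs_opts = NULL;` immediately after the call encodes that blockdev_init() takes ownership of the dict on both success and failure, but only implicitly. Extend the comment above the call to say so ("blockdev_init() consumes bs_opts, even on error"), because the QDECREF(bs_opts) added at `fail:` stays correct only while that ownership rule holds.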
@@ -904,6 +905,7 @@ DriveInfo *drive_init(QemuOpts *all_opts, BlockInterfaceType block_default_type)
 
 fail:
     qemu_opts_del(legacy_opts);
+    QDECREF(bs_opts);
     return dinfo;
 }
 
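Review bot: the QDECREF(bs_opts) at `fail:` depends on two things a reader cannot see from this hunk: that bs_opts is NULL whenever blockdev_init() was reached (the assignment in the previous hunk) and that QDECREF tolerates NULL, which the commit message asserts. A short comment on the new line ("NULL if blockdev_init() consumed it") would document both; backports with context conflicts like this one are exactly where such implicit contracts tend to break.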
-- 
1.9.1


* [Qemu-devel] [PATCH 126/156] block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Introduced in commit a8d8ecb.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f25391c2a6ef1674384204265429520ea50e82bc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/qapi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/qapi.c b/block/qapi.c
index 5880b3e..e9007c9 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -471,6 +471,7 @@ static void dump_qobject(fprintf_function func_fprintf, void *f,
         case QTYPE_QERROR: {
             QString *value = qerror_human((QError *)obj);
             func_fprintf(f, "%s", qstring_get_str(value));
+            QDECREF(value);
             break;
         }
         case QTYPE_NONE:
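Review bot: the QDECREF(value) must stay after func_fprintf(), because qstring_get_str(value) returns a pointer into the QString that is destroyed when the refcount reaches zero; a comment on the new line noting that ordering constraint is worth adding, since an innocent-looking "release it early" refactor would turn this leak fix into a use-after-free.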
-- 
1.9.1


* [Qemu-devel] [PATCH 127/156] block/vvfat: Plug memory leak in check_directory_consistency()
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

On error path.  Introduced in commit a046433a.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 6262bbd363b53a1f19c473345d7cc40254dd5c73)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vvfat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/vvfat.c b/block/vvfat.c
index 3ddaa0b..e71d71e 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -1866,7 +1866,7 @@ static int check_directory_consistency(BDRVVVFATState *s,
 
 	if (s->used_clusters[cluster_num] & USED_ANY) {
 	    fprintf(stderr, "cluster %d used more than once\n", (int)cluster_num);
-	    return 0;
+            goto fail;
 	}
 	s->used_clusters[cluster_num] = USED_DIRECTORY;
 
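Review bot: the replacement line is indented with spaces while the surrounding block uses tabs, so `goto fail;` renders out of line with its `if`; match the file's existing indentation. The `fail:` label is outside the hunk, so it is not visible here that it releases the allocation this path used to leak; naming that allocation in the commit message would let a stable reviewer verify the fix without opening the file.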
-- 
1.9.1


* [Qemu-devel] [PATCH 128/156] block/vvfat: Plug memory leak in read_directory()
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b122c3b6d020e529b203836efb8f611ece787293)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/vvfat.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/vvfat.c b/block/vvfat.c
index e71d71e..e9e4fad 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -788,7 +788,9 @@ static int read_directory(BDRVVVFATState* s, int mapping_index)
 	    s->current_mapping->path=buffer;
 	    s->current_mapping->read_only =
 		(st.st_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0;
-	}
+        } else {
+            g_free(buffer);
+        }
     }
     closedir(dir);
 
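Review bot: the new `else` block is indented with spaces while the enclosing `if` body uses tabs, so the braces do not line up; keep the file's indentation. On substance the split is right: `buffer` is freed only when it was not handed to `s->current_mapping->path`, but the condition deciding that is above the hunk, so a comment on the else branch ("buffer not stored, release it") would make the ownership transfer explicit.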
-- 
1.9.1


* [Qemu-devel] [PATCH 129/156] block/sheepdog: Plug memory leak in sd_snapshot_create()
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2df5fee2dbd56a9c34afd6d7df6744da2d951ccb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 block/sheepdog.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/block/sheepdog.c b/block/sheepdog.c
index ef387de..43a23df 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -2082,6 +2082,7 @@ static int sd_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
     strncpy(s->inode.tag, sn_info->name, sizeof(s->inode.tag));
     /* we don't need to update entire object */
     datalen = SD_INODE_SIZE - sizeof(s->inode.data_vdi_id);
+    inode = g_malloc(datalen);
 
     /* refresh inode. */
     fd = connect_to_sdog(s);
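Review bot: moving `inode = g_malloc(datalen)` above connect_to_sdog() makes the allocation live across the connect, so every exit between here and `cleanup:` must now jump to `cleanup:` rather than return directly, otherwise the patch trades one leak for another. The hunk does not show how a failed connect_to_sdog() is handled, so that is the one path to double-check; note that `cleanup:` also calls closesocket(fd), which on that path would receive a negative fd.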
@@ -2105,8 +2106,6 @@ static int sd_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
         goto cleanup;
     }
 
-    inode = (SheepdogInode *)g_malloc(datalen);
-
     ret = read_object(fd, (char *)inode, vid_to_vdi_oid(new_vid),
                       s->inode.nr_copies, datalen, 0, s->cache_flags);
 
@@ -2120,6 +2119,7 @@ static int sd_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
             s->inode.name, s->inode.snap_id, s->inode.vdi_id);
 
 cleanup:
+    g_free(inode);
     closesocket(fd);
     return ret;
 }
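Review bot: g_free(inode) at `cleanup:` is correct for every path now that the allocation precedes all `goto cleanup` jumps. Initialising `inode = NULL` at its declaration is cheap insurance: if a later change reintroduces an exit before the g_malloc, g_free(NULL) is a no-op instead of a free of an uninitialised pointer.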
-- 
1.9.1


* [Qemu-devel] [PATCH 130/156] qemu-img: Plug memory leak in convert command
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

Introduced in commit 661a0f7.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit bb9cd2ee99f6537c072d5f4bac441717d3cd2bed)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qemu-img.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu-img.c b/qemu-img.c
index b6b5644..1d5caa3 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1355,7 +1355,7 @@ static int img_convert(int argc, char **argv)
     ret = bdrv_parse_cache_flags(cache, &flags);
     if (ret < 0) {
         error_report("Invalid cache option: %s", cache);
-        return -1;
+        goto out;
     }
 
     out_bs = bdrv_new_open(out_filename, out_fmt, flags, true, quiet);
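Review bot: `goto out` replaces `return -1`, but `out:` is not in the hunk and `ret` here holds the negative errno from bdrv_parse_cache_flags() rather than -1; confirm that the code under `out:` maps any non-zero `ret` to the same failure status the removed `return -1` produced, so the exit code seen by callers of `qemu-img convert` does not change along with the leak fix.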
-- 
1.9.1


* [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.

Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
(cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 linux-user/syscall.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 81f79f9..de8918d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7479,6 +7479,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask));
 
             if (!is_error(ret)) {
+                if (ret > arg2) {
+                    /* More data returned than the caller's buffer will fit.
+                     * This only happens if sizeof(abi_long) < sizeof(long)
+                     * and the caller passed us a buffer holding an odd number
+                     * of abi_longs. If the host kernel is actually using the
+                     * extra 4 bytes then fail EINVAL; otherwise we can just
+                     * ignore them and only copy the interesting part.
+                     */
+                    int numcpus = sysconf(_SC_NPROCESSORS_CONF);
+                    if (numcpus > arg2 * 8) {
+                        ret = -TARGET_EINVAL;
+                        break;
+                    }
+                    ret = arg2;
+                }
+
                 if (copy_to_user(arg3, mask, ret)) {
                     goto efault;
                 }
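Review bot: the guard `numcpus > arg2 * 8` uses sysconf(_SC_NPROCESSORS_CONF) as a proxy for whether the bytes beyond the guest buffer matter, but what actually matters is whether the kernel set any bit in them; checking that `mask[arg2 .. ret-1]` are all zero tests the data being dropped rather than a proxy, and it also covers a sysconf() failure, where the -1 return makes the current guard pass silently. The comment's "extra 4 bytes" hard-codes sizeof(long) - sizeof(abi_long) == 4; "the ret - arg2 trailing bytes" would stay accurate on any host.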
-- 
1.9.1
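As an added illustration of the guest-buffer handling this patch describes, a constructed model rather than QEMU's own code: a 32-bit guest abi_long on a 64-bit host, a fake kernel standing in for sys_sched_getaffinity(), and an overflow guard that inspects the returned bytes beyond the guest's size instead of calling sysconf(), so it runs offline. All names (wrapper_sched_getaffinity, fake_sys_sched_getaffinity, the helpers) are ours.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumptions for this constructed model: guest long is 4 bytes, host long
 * is 8 bytes, and the "kernel" below is a stand-in, not the real syscall. */
#define GUEST_LONG_SIZE 4
#define HOST_LONG_SIZE  8
#define MAX_MASK_BYTES  256

/* Fake host kernel: like Linux, it refuses a mask too small for the
 * configured CPUs, otherwise sets bit i for every CPU i < ncpus and
 * reports how many bytes it wrote (the full, rounded-up mask size). */
static long fake_sys_sched_getaffinity(int ncpus, size_t mask_size,
                                       uint8_t *mask)
{
    if (mask_size * 8 < (size_t)ncpus) {
        return -EINVAL;
    }
    memset(mask, 0, mask_size);
    for (int i = 0; i < ncpus; i++) {
        mask[i / 8] |= (uint8_t)(1u << (i % 8));
    }
    return (long)mask_size;
}

/* Guest-facing wrapper. guest_size is the length the guest asked for (arg2
 * in the patch), guest_buf its buffer (arg3). Returns bytes copied, or
 * -EINVAL when the host mask carries CPU bits the guest buffer cannot hold.
 * Never writes more than guest_size bytes into guest_buf. */
long wrapper_sched_getaffinity(int ncpus, size_t guest_size, uint8_t *guest_buf)
{
    uint8_t mask[MAX_MASK_BYTES];
    /* The host kernel wants a multiple of sizeof(long): round up, as the
     * linux-user wrapper must. An odd number of guest longs is the
     * interesting case (12 -> 16). */
    size_t mask_size = (guest_size + HOST_LONG_SIZE - 1)
                       & ~(size_t)(HOST_LONG_SIZE - 1);
    if (mask_size == 0 || mask_size > sizeof(mask)) {
        return -EINVAL;
    }
    long ret = fake_sys_sched_getaffinity(ncpus, mask_size, mask);
    if (ret < 0) {
        return ret;
    }
    if ((size_t)ret > guest_size) {
        /* More came back than the guest asked for. Instead of the patch's
         * sysconf() proxy, look at the bytes that would be dropped: a set
         * bit there is a CPU the guest cannot see, so fail; all-zero means
         * nothing is lost and the copy can be truncated to guest_size. */
        for (size_t i = guest_size; i < (size_t)ret; i++) {
            if (mask[i] != 0) {
                return -EINVAL;
            }
        }
        ret = (long)guest_size;
    }
    memcpy(guest_buf, mask, (size_t)ret);   /* stands in for copy_to_user */
    return ret;
}

/* Runs the wrapper into a scratch buffer and returns its result. */
long wrapper_result(int ncpus, size_t guest_size)
{
    uint8_t buf[MAX_MASK_BYTES];
    return wrapper_sched_getaffinity(ncpus, guest_size, buf);
}

/* 1 if CPU `cpu` is set in what the guest received, 0 if not, -1 on error. */
int cpu_visible(int ncpus, size_t guest_size, int cpu)
{
    uint8_t buf[MAX_MASK_BYTES];
    long ret = wrapper_sched_getaffinity(ncpus, guest_size, buf);
    if (ret < 0 || (size_t)(cpu / 8) >= (size_t)ret) {
        return ret < 0 ? -1 : 0;
    }
    return (buf[cpu / 8] >> (cpu % 8)) & 1;
}

/* The property the patch restores: bytes past guest_size are never touched.
 * Returns 1 if the sentinel padding after the guest region is intact. */
int guest_buffer_intact(int ncpus, size_t guest_size)
{
    uint8_t buf[MAX_MASK_BYTES + HOST_LONG_SIZE];
    memset(buf, 0xA5, sizeof(buf));
    wrapper_sched_getaffinity(ncpus, guest_size, buf);
    for (size_t i = guest_size; i < sizeof(buf); i++) {
        if (buf[i] != 0xA5) {
            return 0;
        }
    }
    return 1;
}
```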


* [Qemu-devel] [PATCH 132/156] tcg-i386: Fix win64 qemu store
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Richard Henderson <rth@twiddle.net>

The first non-register argument isn't placed at offset 0.

Cc: qemu-stable@nongnu.org
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit 0b919667302aa395bfde0328749dc21a0b123c44)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 tcg/i386/tcg-target.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tcg/i386/tcg-target.c b/tcg/i386/tcg-target.c
index 7ac8e45..60d3325 100644
--- a/tcg/i386/tcg-target.c
+++ b/tcg/i386/tcg-target.c
@@ -1306,7 +1306,8 @@ static void tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         } else {
             retaddr = TCG_REG_RAX;
             tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
-            tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP, 0);
+            tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP,
+                       TCG_TARGET_CALL_STACK_OFFSET);
         }
     }
 
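Review bot: replacing the literal 0 with TCG_TARGET_CALL_STACK_OFFSET is the right fix for an ABI that reserves shadow space below the first stack argument; since the load slow path shares the same calling convention, it is worth grepping tcg-target.c for any other `tcg_out_st(..., TCG_REG_ESP, 0)` so the same bug is not left behind in a sibling helper.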
-- 
1.9.1


* [Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic timer control registers
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

The code for handling writes to the generic timer control registers
had several bugs:
 * ISTATUS (bit 2) is read-only but we forced it to zero on any write
 * the check for "was IMASK (bit 1) toggled?" incorrectly used '&' where
   it should be '^'
 * the handling of IMASK was inverted: we should set the IRQ if
   ISTATUS is set and IMASK is clear, not if both are set

The combination of these bugs meant that when running a Linux guest
that uses the generic timers we would fairly quickly end up either
forgetting that the timer output should be asserted, or failing to
set the IRQ when the timer was unmasked. The result is that the guest
never gets any more timer interrupts.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1401803208-1281-1-git-send-email-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
(cherry picked from commit d3afacc7269fee45d54d1501a46b51f12ea7bb15)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-arm/helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index c3e4910..6e67317 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -859,16 +859,16 @@ static int gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
     int timeridx = ri->crm & 1;
     uint32_t oldval = env->cp15.c14_timer[timeridx].ctl;
 
-    env->cp15.c14_timer[timeridx].ctl = value & 3;
+    env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value);
     if ((oldval ^ value) & 1) {
         /* Enable toggled */
         gt_recalc_timer(cpu, timeridx);
-    } else if ((oldval & value) & 2) {
+    } else if ((oldval ^ value) & 2) {
         /* IMASK toggled: don't need to recalculate,
          * just set the interrupt line based on ISTATUS
          */
         qemu_set_irq(cpu->gt_timer_outputs[timeridx],
-                     (oldval & 4) && (value & 2));
+                     (oldval & 4) && !(value & 2));
     }
     return 0;
 }
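Review bot: deposit64(oldval, 0, 2, value) preserves ISTATUS (bit 2) as required, and the fixed condition `(oldval & 4) && !(value & 2)` correctly reads ISTATUS from oldval, since the write cannot change it. Note that deposit64 also preserves every bit above bit 1 that is already in oldval, so the register stays well-formed only as long as every other writer keeps it within bits 0..2. A short comment on the deposit64 line ("bits 0..1 writable, ISTATUS read-only") would document why the mask moved from `& 3` to deposit64, since the old line looked deliberate.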
-- 
1.9.1


* [Qemu-devel] [PATCH 134/156] s390x/css: handle emw correctly for tsch
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Cornelia Huck <cornelia.huck@de.ibm.com>

We should not try to store the emw portion of the irb if extended
measurements are not applicable. In particular, we should not surprise
the guest by storing a larger irb if it did not enable extended
measurements.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit f068d320def7fd83bf0fcdca37b305f1c2ac5413)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/s390x/css.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index 101da63..ebe44ae 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -722,9 +722,11 @@ out:
     return ret;
 }
 
-static void copy_irb_to_guest(IRB *dest, const IRB *src)
+static void copy_irb_to_guest(IRB *dest, const IRB *src, PMCW *pmcw)
 {
     int i;
+    uint16_t stctl = src->scsw.ctrl & SCSW_CTRL_MASK_STCTL;
+    uint16_t actl = src->scsw.ctrl & SCSW_CTRL_MASK_ACTL;
 
     copy_scsw_to_guest(&dest->scsw, &src->scsw);
 
@@ -734,8 +736,22 @@ static void copy_irb_to_guest(IRB *dest, const IRB *src)
     for (i = 0; i < ARRAY_SIZE(dest->ecw); i++) {
         dest->ecw[i] = cpu_to_be32(src->ecw[i]);
     }
-    for (i = 0; i < ARRAY_SIZE(dest->emw); i++) {
-        dest->emw[i] = cpu_to_be32(src->emw[i]);
+    /* extended measurements enabled? */
+    if ((src->scsw.flags & SCSW_FLAGS_MASK_ESWF) ||
+        !(pmcw->flags & PMCW_FLAGS_MASK_TF) ||
+        !(pmcw->chars & PMCW_CHARS_MASK_XMWME)) {
+        return;
+    }
+    /* extended measurements pending? */
+    if (!(stctl & SCSW_STCTL_STATUS_PEND)) {
+        return;
+    }
+    if ((stctl & SCSW_STCTL_PRIMARY) ||
+        (stctl == SCSW_STCTL_SECONDARY) ||
+        ((stctl & SCSW_STCTL_INTERMEDIATE) && (actl & SCSW_ACTL_SUSP))) {
+        for (i = 0; i < ARRAY_SIZE(dest->emw); i++) {
+            dest->emw[i] = cpu_to_be32(src->emw[i]);
+        }
     }
 }
 
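Review bot: the early returns decide whether `dest->emw` is written at all, so when they fire the emw words in the guest's IRB are left untouched rather than zeroed; that is the intended behaviour per the commit message (do not store a larger IRB than the guest enabled), but the function name no longer conveys that it may copy a partial IRB, so a doc comment stating "emw is stored only when extended measurements are enabled and pending" would make the contract explicit. Also, `stctl == SCSW_STCTL_SECONDARY` is an equality while its neighbours are bit tests; if that asymmetry is deliberate (secondary status with no other status bits), a comment should say so.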
@@ -781,7 +797,7 @@ int css_do_tsch(SubchDev *sch, IRB *target_irb)
         }
     }
     /* Store the irb to the guest. */
-    copy_irb_to_guest(target_irb, &irb);
+    copy_irb_to_guest(target_irb, &irb, p);
 
     /* Clear conditions on subchannel, if applicable. */
     if (stctl & SCSW_STCTL_STATUS_PEND) {
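Review bot: `p` is handed through as the PMCW, and the callee now tests both `pmcw->flags` and `pmcw->chars`, so the fix rests on `p` reflecting the guest's current PMCW at the time of the tsch; where `p` comes from is above the hunk, so flagging it as the assumption a reviewer should verify rather than a defect.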
-- 
1.9.1


* [Qemu-devel] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Stefan Hajnoczi <stefanha@redhat.com>

qemu_bh_schedule() is supposed to be thread-safe at least the first time
it is called.  Unfortunately this is not quite true:

  bh->scheduled = 1;
  aio_notify(bh->ctx);

Since another thread may run the BH callback once it has been scheduled,
there is a race condition if the callback frees the BH before
aio_notify(bh->ctx) has a chance to run.

Reported-by: Stefan Priebe <s.priebe@profihost.ag>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Stefan Priebe <s.priebe@profihost.ag>
(cherry picked from commit 924fe1293c3e7a3c787bbdfb351e7f168caee3e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 async.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/async.c b/async.c
index 5fb3fa6..c6d810d 100644
--- a/async.c
+++ b/async.c
@@ -117,15 +117,21 @@ void qemu_bh_schedule_idle(QEMUBH *bh)
 
 void qemu_bh_schedule(QEMUBH *bh)
 {
+    AioContext *ctx;
+
     if (bh->scheduled)
         return;
+    ctx = bh->ctx;
     bh->idle = 0;
-    /* Make sure that idle & any writes needed by the callback are done
-     * before the locations are read in the aio_bh_poll.
+    /* Make sure that:
+     * 1. idle & any writes needed by the callback are done before the
+     *    locations are read in the aio_bh_poll.
+     * 2. ctx is loaded before scheduled is set and the callback has a chance
+     *    to execute.
      */
-    smp_wmb();
+    smp_mb();
     bh->scheduled = 1;
-    aio_notify(bh->ctx);
+    aio_notify(ctx);
 }
 
 
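Review bot: loading `ctx = bh->ctx` before the store to `bh->scheduled` and upgrading smp_wmb() to smp_mb() go together: the barrier now has to order a load (ctx) before a store (scheduled), which a write barrier alone does not do. The updated comment could say outright that the callback may free `bh`, which is why `bh->ctx` must not be touched after `scheduled = 1` and why the local exists; that is the race in the commit message. One nit: the unbraced `if (bh->scheduled) return;` predates the patch, but in a function whose correctness now hinges on statement ordering it is worth bracing while here.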
-- 
1.9.1


* [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward
From: Michael Roth @ 2014-07-08 17:18 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Alexander Graf <agraf@suse.de>

When we migrate we ask the kernel about its current belief on what the guest
time would be. However, I've seen cases where the kvmclock guest structure
indicates a time more recent than the kvm returned time.

To make sure we never go backwards, calculate what the guest would have seen
as time at the point of migration and use that value instead of the kernel
returned one when it's more recent.  This bases the view of the kvmclock
after migration on the same foundation in host as well as guest.

Signed-off-by: Alexander Graf <agraf@suse.de>
Cc: qemu-stable@nongnu.org
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a096b3a6732f846ec57dc28b47ee9435aa0609bf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvm/clock.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index 383938d..be5f867 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -14,6 +14,7 @@
  */
 
 #include "qemu-common.h"
+#include "qemu/host-utils.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
 #include "hw/sysbus.h"
@@ -34,6 +35,47 @@ typedef struct KVMClockState {
     bool clock_valid;
 } KVMClockState;
 
+struct pvclock_vcpu_time_info {
+    uint32_t   version;
+    uint32_t   pad0;
+    uint64_t   tsc_timestamp;
+    uint64_t   system_time;
+    uint32_t   tsc_to_system_mul;
+    int8_t     tsc_shift;
+    uint8_t    flags;
+    uint8_t    pad[2];
+} __attribute__((__packed__)); /* 32 bytes */
+
+static uint64_t kvmclock_current_nsec(KVMClockState *s)
+{
+    CPUState *cpu = first_cpu;
+    CPUX86State *env = cpu->env_ptr;
+    hwaddr kvmclock_struct_pa = env->system_time_msr & ~1ULL;
+    uint64_t migration_tsc = env->tsc;
+    struct pvclock_vcpu_time_info time;
+    uint64_t delta;
+    uint64_t nsec_lo;
+    uint64_t nsec_hi;
+    uint64_t nsec;
+
+    if (!(env->system_time_msr & 1ULL)) {
+        /* KVM clock not active */
+        return 0;
+    }
+
+    cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));
+
+    delta = migration_tsc - time.tsc_timestamp;
+    if (time.tsc_shift < 0) {
+        delta >>= -time.tsc_shift;
+    } else {
+        delta <<= time.tsc_shift;
+    }
+
+    mulu64(&nsec_lo, &nsec_hi, delta, time.tsc_to_system_mul);
+    nsec = (nsec_lo >> 32) | (nsec_hi << 32);
+    return nsec + time.system_time;
+}
 
 static void kvmclock_vm_state_change(void *opaque, int running,
                                      RunState state)
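Review bot: kvmclock_current_nsec() takes `env->tsc` from `first_cpu` as the TSC at migration time, but nothing in the function guarantees the CPU state was synchronised from KVM before the read; if it was not, `migration_tsc` is stale, `delta` wraps to a huge unsigned value, and the clock jumps far into the future. A sync, or at least a check that `time.tsc_timestamp <= migration_tsc`, belongs ahead of the subtraction. Separately, `time` is read from guest-writable memory, so tsc_shift and tsc_to_system_mul are guest-controlled: the shift by `-time.tsc_shift` should be bounded, because int8_t allows values for which a shift of a uint64_t is undefined behaviour in C. The result only affects that guest's own clock, but UB in the host process is still worth avoiding.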
@@ -45,9 +87,15 @@ static void kvmclock_vm_state_change(void *opaque, int running,
 
     if (running) {
         struct kvm_clock_data data;
+        uint64_t time_at_migration = kvmclock_current_nsec(s);
 
         s->clock_valid = false;
 
+	/* We can't rely on the migrated clock value, just discard it */
+	if (time_at_migration) {
+	        s->clock = time_at_migration;
+	}
+
         data.clock = s->clock;
         data.flags = 0;
         ret = kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, &data);
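Review bot: the commit message says the guest-visible time is used "when it's more recent", but the code replaces `s->clock` whenever `time_at_migration` is non-zero, and the comment "just discard it" describes the code, not the message; if monotonicity is the goal, the condition should be `if (time_at_migration > s->clock)`. The new block is also indented with tabs where the surrounding code uses spaces.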
-- 
1.9.1
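Added example, not code from the patch: the pvclock conversion that the new kvmclock_current_nsec() performs, with a local 128-bit multiply standing in for QEMU's mulu64() (assumes unsigned __int128, which GCC and Clang provide on x86-64), plus a selection helper implementing the rule the commit message states (take the guest-visible time only when it is more recent), which is stricter than the hunk's unconditional replacement. It also rejects a timestamp ahead of the TSC and an out-of-range tsc_shift, which the hunk does not; all sample values are constructed.

```c
#include <stdint.h>

/* Guest-visible pvclock record, same layout as the struct in the patch
 * (this copy is ours so the file builds stand-alone). */
struct pvclock_vcpu_time_info {
    uint32_t version;
    uint32_t pad0;
    uint64_t tsc_timestamp;
    uint64_t system_time;
    uint32_t tsc_to_system_mul;
    int8_t   tsc_shift;
    uint8_t  flags;
    uint8_t  pad[2];
} __attribute__((__packed__));

/* 64x64 -> 128-bit multiply standing in for QEMU's mulu64(); assumes the
 * compiler provides unsigned __int128. */
static void mulu64_local(uint64_t *lo, uint64_t *hi, uint64_t a, uint64_t b)
{
    unsigned __int128 p = (unsigned __int128)a * b;
    *lo = (uint64_t)p;
    *hi = (uint64_t)(p >> 64);
}

/* Nanoseconds a kvmclock guest reads at TSC value `tsc`:
 *   system_time + ((((tsc - tsc_timestamp) << tsc_shift) * mul) >> 32)
 * where mul is a 32.32 fixed-point scale. Returns 0, meaning "clock not
 * usable", for a record that is inconsistent: a timestamp ahead of `tsc`
 * (the wraparound case) or a shift that would be undefined in C. */
uint64_t pvclock_nsec_at(const struct pvclock_vcpu_time_info *t, uint64_t tsc)
{
    uint64_t delta, lo, hi;

    if (t->tsc_timestamp > tsc || t->tsc_shift <= -64 || t->tsc_shift >= 64) {
        return 0;
    }
    delta = tsc - t->tsc_timestamp;
    if (t->tsc_shift < 0) {
        delta >>= -t->tsc_shift;
    } else {
        delta <<= t->tsc_shift;
    }
    mulu64_local(&lo, &hi, delta, t->tsc_to_system_mul);
    /* Keep bits 32..95 of the product: that is the >> 32 of the scale. */
    return ((lo >> 32) | (hi << 32)) + t->system_time;
}

/* Builds a record from plain values and converts; convenient for checks. */
uint64_t nsec_for(uint64_t tsc_timestamp, uint64_t system_time, uint32_t mul,
                  int shift, uint64_t tsc)
{
    struct pvclock_vcpu_time_info t = {
        .version = 2,
        .tsc_timestamp = tsc_timestamp,
        .system_time = system_time,
        .tsc_to_system_mul = mul,
        .tsc_shift = (int8_t)shift,
    };
    return pvclock_nsec_at(&t, tsc);
}

/* Value to hand to KVM_SET_CLOCK on the destination: the kernel's answer,
 * unless the guest had already observed a later time. A zero guest value
 * means kvmclock was inactive or the record was unusable. */
uint64_t clock_after_migration(uint64_t kernel_clock, uint64_t guest_seen_nsec)
{
    if (guest_seen_nsec == 0) {
        return kernel_clock;
    }
    return guest_seen_nsec > kernel_clock ? guest_seen_nsec : kernel_clock;
}
```

With shift = +1 and mul = 2^31 (0.5 in 32.32 fixed point) a tick is worth 1 ns, so a record taken at TSC 1000 / 5000 ns read at TSC 3000 gives 7000 ns.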


* [Qemu-devel] [PATCH 137/156] kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Marcelo Tosatti <mtosatti@redhat.com>

Ensure proper env->tsc value for kvmclock_current_nsec calculation.

Reported-by: Marcin Gibuła <m.gibula@beyond.pl>
Cc: qemu-stable@nongnu.org
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 9b1786829aefb83f37a8f3135e3ea91c56001b56)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/kvm/clock.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
index be5f867..6f62498 100644
--- a/hw/i386/kvm/clock.c
+++ b/hw/i386/kvm/clock.c
@@ -17,6 +17,7 @@
 #include "qemu/host-utils.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
+#include "sysemu/cpus.h"
 #include "hw/sysbus.h"
 #include "hw/kvm/clock.h"
 
@@ -65,6 +66,7 @@ static uint64_t kvmclock_current_nsec(KVMClockState *s)
 
     cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));
 
+    assert(time.tsc_timestamp <= migration_tsc);
     delta = migration_tsc - time.tsc_timestamp;
     if (time.tsc_shift < 0) {
         delta >>= -time.tsc_shift;
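Review bot: `assert(time.tsc_timestamp <= migration_tsc);` checks a value read from guest memory two lines above (`cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));`), so unexpected content in the guest's pvclock page aborts QEMU on resume instead of degrading gracefully. An assert is the right tool for invariants of QEMU's own state; for guest data prefer `if (time.tsc_timestamp > migration_tsc) return 0;`, which the caller already treats as "no usable kvmclock value".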
@@ -123,6 +125,8 @@ static void kvmclock_vm_state_change(void *opaque, int running,
         if (s->clock_valid) {
             return;
         }
+
+        cpu_synchronize_all_states();
         ret = kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, &data);
         if (ret < 0) {
             fprintf(stderr, "KVM_GET_CLOCK failed: %s\n", strerror(ret));
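Review bot: `cpu_synchronize_all_states();` is what makes `env->tsc` trustworthy in kvmclock_current_nsec(), but nothing at the call site says so; a one-line comment ("kvmclock_current_nsec() reads env->tsc on resume, make sure it is current") would keep a later refactor from moving or dropping it. Because the `return` on `s->clock_valid` sits above it, the sync is skipped when the clock is already valid; that looks intentional but deserves a sentence in the commit message.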
-- 
1.9.1

* [Qemu-devel] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege()
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Gonglei <arei.gonglei@huawei.com>

token should be closed in all conditions,
so move CloseHandle(token) to the "out" branch.

Signed-off-by: Wang Rui <moon.wangrui@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 374044f08fe18a18469b981812cd8695f5b3569c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 qga/commands-win32.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index a6a0af2..c59e144 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -31,7 +31,7 @@
 
 static void acquire_privilege(const char *name, Error **err)
 {
-    HANDLE token;
+    HANDLE token = NULL;
     TOKEN_PRIVILEGES priv;
     Error *local_err = NULL;
 
@@ -57,13 +57,15 @@ static void acquire_privilege(const char *name, Error **err)
             goto out;
         }
 
-        CloseHandle(token);
     } else {
         error_set(&local_err, QERR_QGA_COMMAND_FAILED,
                   "failed to open privilege token");
     }
 
 out:
+    if (token) {
+        CloseHandle(token);
+    }
     if (local_err) {
         error_propagate(err, local_err);
     }
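Review bot: the `goto out;` at the top of this hunk used to jump past `CloseHandle(token);`, so moving the close under `out:` is the right fix; note that the `if (token)` guard only works because of the `= NULL` initialisation in the previous hunk (OpenProcessToken() writes the handle only on success), so the two hunks must stay together. With every exit now passing through a single close, a short comment at `out:` saying that `token` may be NULL would help readers.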
-- 
1.9.1

* [Qemu-devel] [PATCH 139/156] rdma: bug fixes
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael R. Hines" <mrhines@us.ibm.com>

1. Fix small memory leak in parsing inet address from command line in data_init()
2. Fix ibv_post_send() return value check and pass error code back up correctly.
3. Fix rdma_destroy_qp() segfault after failure to connect to destination.

Reported-by: frank.yangjie@gmail.com
Reported-by: dgilbert@redhat.com
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit e325b49a320b493cc5d69e263751ff716dc458fe)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 migration-rdma.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/migration-rdma.c b/migration-rdma.c
index f94f3b4..29351a6 100644
--- a/migration-rdma.c
+++ b/migration-rdma.c
@@ -1589,13 +1589,11 @@ static int qemu_rdma_post_send_control(RDMAContext *rdma, uint8_t *buf,
     }
 
 
-    if (ibv_post_send(rdma->qp, &send_wr, &bad_wr)) {
-        return -1;
-    }
+    ret = ibv_post_send(rdma->qp, &send_wr, &bad_wr);
 
-    if (ret < 0) {
+    if (ret > 0) {
         fprintf(stderr, "Failed to use post IB SEND for control!\n");
-        return ret;
+        return -ret;
     }
 
     ret = qemu_rdma_block_for_wrid(rdma, RDMA_WRID_SEND_CONTROL, NULL);
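Review bot: `if (ret > 0)` treats any negative return from ibv_post_send() as success and falls through to qemu_rdma_block_for_wrid(), waiting for a completion that was never posted. libibverbs returns 0 on success and an errno value on failure, so `ret > 0` works today, but `if (ret)` is the robust check and costs nothing; `bad_wr` is also filled in on failure and could be logged to say which work request was rejected.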
@@ -2237,10 +2235,6 @@ static void qemu_rdma_cleanup(RDMAContext *rdma)
         }
     }
 
-    if (rdma->qp) {
-        rdma_destroy_qp(rdma->cm_id);
-        rdma->qp = NULL;
-    }
     if (rdma->cq) {
         ibv_destroy_cq(rdma->cq);
         rdma->cq = NULL;
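Review bot: dropping this `rdma_destroy_qp(rdma->cm_id)` block is only correct together with the copy re-added under `if (rdma->cm_id)` in the next hunk; on its own it would leak the queue pair. The reason is visible in the call itself: rdma_destroy_qp() takes `rdma->cm_id`, not `rdma->qp`, so running it after a failed connect that left `cm_id` NULL is the segfault named in the commit message.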
@@ -2258,6 +2252,10 @@ static void qemu_rdma_cleanup(RDMAContext *rdma)
         rdma->listen_id = NULL;
     }
     if (rdma->cm_id) {
+        if (rdma->qp) {
+            rdma_destroy_qp(rdma->cm_id);
+            rdma->qp = NULL;
+        }
         rdma_destroy_id(rdma->cm_id);
         rdma->cm_id = NULL;
     }
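Review bot: nesting the QP teardown inside `if (rdma->cm_id)` fixes the NULL `cm_id` dereference, and the order (QP first, then `rdma_destroy_id(rdma->cm_id)`) is what the rdma_cm API requires. If `rdma->qp` could ever be non-NULL while `cm_id` is NULL the QP would now leak silently; a comment stating that the QP is always created from this `cm_id` (so that cannot happen) would document the invariant.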
@@ -2512,8 +2510,10 @@ static void *qemu_rdma_data_init(const char *host_port, Error **errp)
         } else {
             ERROR(errp, "bad RDMA migration address '%s'", host_port);
             g_free(rdma);
-            return NULL;
+            rdma = NULL;
         }
+
+        qapi_free_InetSocketAddress(addr);
     }
 
     return rdma;
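Review bot: replacing `return NULL;` with `rdma = NULL;` is what lets the error path reach `qapi_free_InetSocketAddress(addr);`, which previously leaked `addr` whenever the address was malformed. Worth double-checking that nothing copied out of `addr` into `rdma` on the success path (host string, port) is still referenced after the free; if `rdma` keeps pointers rather than copies, this would turn a leak into a use-after-free.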
-- 
1.9.1

* [Qemu-devel] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Ulrich Obergfell <uobergfe@redhat.com>

This patch fixes a bug in scsi_block_new_request() that was introduced
by commit 137745c5c60f083ec982fe9e861e8c16ebca1ba8. If the host cache
is used - i.e. if BDRV_O_NOCACHE is _not_ set - the 'break' statement
needs to be executed to 'fall back' to SG_IO.

Cc: qemu-stable@nongnu.org
Signed-off-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2fe5a9f73b3446690db2cae8a58473b0b4beaa32)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/scsi-disk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index ade5d4a..06c31e9 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2372,7 +2372,7 @@ static SCSIRequest *scsi_block_new_request(SCSIDevice *d, uint32_t tag,
 	 * ones (such as WRITE SAME or EXTENDED COPY, etc.).  So, without
 	 * O_DIRECT everything must go through SG_IO.
          */
-        if (bdrv_get_flags(s->qdev.conf.bs) & BDRV_O_NOCACHE) {
+        if (!(bdrv_get_flags(s->qdev.conf.bs) & BDRV_O_NOCACHE)) {
             break;
         }
 
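Review bot: the inverted test `if (!(bdrv_get_flags(s->qdev.conf.bs) & BDRV_O_NOCACHE))` now matches the comment right above it ("without O_DIRECT everything must go through SG_IO"): the `break` is taken when the host cache is in use, so the request falls back to SG_IO. A `switch` arm whose `break` is the fallback is easy to get wrong again, as this regression shows; a short comment on the `break` itself ("host cache in use: fall back to SG_IO") would help.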
-- 
1.9.1

* [Qemu-devel] [PATCH 141/156] vhost: fix resource leak in error handling
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: "Michael S. Tsirkin" <mst@redhat.com>

vhost_verify_ring_mappings leaks mappings on error.
Fix this up.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

(cherry picked from commit 8617343faae6ba7e916137c6c9e3ef22c00565d8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/virtio/vhost.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 9e336ad..1d349e0 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -309,7 +309,9 @@ static int vhost_verify_ring_mappings(struct vhost_dev *dev,
                                       uint64_t size)
 {
     int i;
-    for (i = 0; i < dev->nvqs; ++i) {
+    int r = 0;
+
+    for (i = 0; !r && i < dev->nvqs; ++i) {
         struct vhost_virtqueue *vq = dev->vqs + i;
         hwaddr l;
         void *p;
@@ -321,15 +323,15 @@ static int vhost_verify_ring_mappings(struct vhost_dev *dev,
         p = cpu_physical_memory_map(vq->ring_phys, &l, 1);
         if (!p || l != vq->ring_size) {
             fprintf(stderr, "Unable to map ring buffer for ring %d\n", i);
-            return -ENOMEM;
+            r = -ENOMEM;
         }
         if (p != vq->ring) {
             fprintf(stderr, "Ring buffer relocated for ring %d\n", i);
-            return -EBUSY;
+            r = -EBUSY;
         }
         cpu_physical_memory_unmap(p, l, 0, 0);
     }
-    return 0;
+    return r;
 }
 
 static struct vhost_memory_region *vhost_dev_find_reg(struct vhost_dev *dev,
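Review bot: two problems remain in the failure path inside the loop. First, when cpu_physical_memory_map() returns NULL, `r = -ENOMEM;` is set but the following `if (p != vq->ring)` also fires (NULL != ring) and overwrites it with `r = -EBUSY;`, so the caller gets the wrong error; make the second test an `else if`, or `break` after the first. Second, `cpu_physical_memory_unmap(p, l, 0, 0);` is still reached with `p == NULL` (or with `l != vq->ring_size`), unmapping something that was never mapped; skip the unmap when the map failed. The `!r && i < dev->nvqs` condition from the previous hunk only stops later iterations, not the rest of the failing one.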
-- 
1.9.1

* [Qemu-devel] [PATCH 142/156] usb: Fix usb-bt-dongle initialization.
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hani Benhabiles <kroosec@gmail.com>

Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.

Signed-off-by: Hani Benhabiles <hani@linux.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c340a284f382a5f40774521f41b4bade76ddfa58)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/usb/dev-bluetooth.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/hw/usb/dev-bluetooth.c b/hw/usb/dev-bluetooth.c
index 7f292b1..43a9a6d 100644
--- a/hw/usb/dev-bluetooth.c
+++ b/hw/usb/dev-bluetooth.c
@@ -19,6 +19,7 @@
  */
 
 #include "qemu-common.h"
+#include "qemu/error-report.h"
 #include "hw/usb.h"
 #include "hw/usb/desc.h"
 #include "sysemu/bt.h"
@@ -506,6 +507,14 @@ static int usb_bt_initfn(USBDevice *dev)
 
     usb_desc_create_serial(dev);
     usb_desc_init(dev);
+    s->dev.opaque = s;
+    if (!s->hci) {
+        s->hci = bt_new_hci(qemu_find_bt_vlan(0));
+    }
+    s->hci->opaque = s;
+    s->hci->evt_recv = usb_bt_out_hci_packet_event;
+    s->hci->acl_recv = usb_bt_out_hci_packet_acl;
+    usb_bt_handle_reset(&s->dev);
     s->intr = usb_ep_get(dev, USB_TOKEN_IN, USB_EVT_EP);
 
     return 0;
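Review bot: `s->hci->opaque = s;` dereferences the result of `bt_new_hci(qemu_find_bt_vlan(0))` without a NULL check; if that constructor can fail, usb_bt_initfn() should `return -1` rather than crash, which is the class of bug this patch is fixing. Also `usb_bt_handle_reset(&s->dev);` now runs before `s->intr = usb_ep_get(dev, USB_TOKEN_IN, USB_EVT_EP);`; if the reset handler touches the interrupt endpoint, that assignment should move above it.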
@@ -516,6 +525,7 @@ static USBDevice *usb_bt_init(USBBus *bus, const char *cmdline)
     USBDevice *dev;
     struct USBBtState *s;
     HCIInfo *hci;
+    const char *name = "usb-bt-dongle";
 
     if (*cmdline) {
         hci = hci_init(cmdline);
@@ -525,19 +535,17 @@ static USBDevice *usb_bt_init(USBBus *bus, const char *cmdline)
 
     if (!hci)
         return NULL;
-    dev = usb_create_simple(bus, "usb-bt-dongle");
+    dev = usb_create(bus, name);
     if (!dev) {
+        error_report("Failed to create USB device '%s'", name);
         return NULL;
     }
     s = DO_UPCAST(struct USBBtState, dev, dev);
-    s->dev.opaque = s;
-
     s->hci = hci;
-    s->hci->opaque = s;
-    s->hci->evt_recv = usb_bt_out_hci_packet_event;
-    s->hci->acl_recv = usb_bt_out_hci_packet_acl;
-
-    usb_bt_handle_reset(&s->dev);
+    if (qdev_init(&dev->qdev) < 0) {
+        error_report("Failed to initialize USB device '%s'", name);
+        return NULL;
+    }
 
     return dev;
 }
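Review bot: on the `qdev_init(&dev->qdev) < 0` path the `hci` obtained from hci_init(cmdline) a few lines up is neither released nor detached, and the same applies to the `usb_create()` failure, so the command-line path through usb_bt_init() leaks the HCI on every failed init. Either free it here or document that hci_init() registers it somewhere that outlives the device. Moving the HCI wiring into usb_bt_initfn() is what fixes the HMP/QMP crash, since that path never went through usb_bt_init().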
-- 
1.9.1

* [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Alexander Graf <agraf@suse.de>

KVM tells us the number of GSIs it can handle inside the kernel. That value is
basically KVM_MAX_IRQ_ROUTES. However when we try to set the GSI mapping table,
it checks for

    r = -EINVAL;
    if (routing.nr >= KVM_MAX_IRQ_ROUTES)
        goto out;

erroring out even when we're only using all of the GSIs. To make sure we never
hit that limit, let's reduce the number of GSIs we get from KVM by one.

Cc: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 00008418aa22700f6c49e794e79f53aeb157d10f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 kvm-all.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kvm-all.c b/kvm-all.c
index 9f18ea3..7e05f08 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -965,7 +965,7 @@ void kvm_init_irq_routing(KVMState *s)
 {
     int gsi_count, i;
 
-    gsi_count = kvm_check_extension(s, KVM_CAP_IRQ_ROUTING);
+    gsi_count = kvm_check_extension(s, KVM_CAP_IRQ_ROUTING) - 1;
     if (gsi_count > 0) {
         unsigned int gsi_bits, i;
 
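Review bot: the `- 1` is applied before `if (gsi_count > 0)`, so an unsupported extension (0) or an error (negative return) still skips routing setup; the arithmetic is safe. The reason for the off-by-one lives only in the commit message, though: put it in a comment on the line ("the kernel rejects routing.nr >= KVM_MAX_IRQ_ROUTES, so the last GSI is unusable") so the `- 1` is not "cleaned up" later.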
-- 
1.9.1

* [Qemu-devel] [PATCH 144/156] coroutine-win32.c: Add noinline attribute to work around gcc bug
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Peter Maydell <peter.maydell@linaro.org>

A gcc codegen bug in x86_64-w64-mingw32-gcc (GCC) 4.6.3 means that
non-debug builds of QEMU for Windows tend to assert when using
coroutines. Work around this by marking qemu_coroutine_switch
as noinline.

If we allow gcc to inline qemu_coroutine_switch into
coroutine_trampoline, then it hoists the code to get the
address of the TLS variable "current" out of the while() loop.
This is an invalid transformation because the SwitchToFiber()
call may be called when running thread A but return in thread B,
and so we might be in a different thread context each time
round the loop. This can happen quite often. Typically,
a coroutine is started when a VCPU thread does bdrv_aio_readv:

     VCPU thread

     main VCPU thread coroutine      I/O coroutine
        bdrv_aio_readv ----->
                                     start I/O operation
                                       thread_pool_submit_co
                       <------------ yields
        back to emulation

Then I/O finishes and the thread-pool.c event notifier triggers in
the I/O thread.  event_notifier_ready calls thread_pool_co_cb, and
the I/O coroutine now restarts *in another thread*:

     iothread

     main iothread coroutine         I/O coroutine (formerly in VCPU thread)
        event_notifier_ready
          thread_pool_co_cb ----->   current = I/O coroutine;
                                     call AIO callback

But on Win32, because of the bug, the "current" being set here is the
current coroutine of the VCPU thread, not the iothread.

noinline is a good-enough workaround, and quite unlikely to break in
the future.

(Thanks to Paolo Bonzini for assistance in diagnosing the problem
and providing the detailed example/ascii art quoted above.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1403535303-14939-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
(cherry picked from commit ff4873cb8c81db89668d8b56e19e57b852edb5f5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 coroutine-win32.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/coroutine-win32.c b/coroutine-win32.c
index edc1f72..17ace37 100644
--- a/coroutine-win32.c
+++ b/coroutine-win32.c
@@ -36,8 +36,17 @@ typedef struct
 static __thread CoroutineWin32 leader;
 static __thread Coroutine *current;
 
-CoroutineAction qemu_coroutine_switch(Coroutine *from_, Coroutine *to_,
-                                      CoroutineAction action)
+/* This function is marked noinline to prevent GCC from inlining it
+ * into coroutine_trampoline(). If we allow it to do that then it
+ * hoists the code to get the address of the TLS variable "current"
+ * out of the while() loop. This is an invalid transformation because
+ * the SwitchToFiber() call may be called when running thread A but
+ * return in thread B, and so we might be in a different thread
+ * context each time round the loop.
+ */
+CoroutineAction __attribute__((noinline))
+qemu_coroutine_switch(Coroutine *from_, Coroutine *to_,
+                      CoroutineAction action)
 {
     CoroutineWin32 *from = DO_UPCAST(CoroutineWin32, base, from_);
     CoroutineWin32 *to = DO_UPCAST(CoroutineWin32, base, to_);
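Review bot: the new comment explains the hoisting problem well but omits the trigger, x86_64-w64-mingw32-gcc 4.6.3 from the commit message; add the compiler version to the comment so the workaround can be reconsidered once that toolchain is no longer supported. Splitting the declaration so `__attribute__((noinline))` sits on its own line between the return type and the name is fine for GCC and keeps the diff readable.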
-- 
1.9.1

* [Qemu-devel] [PATCH 145/156] target-i386: Filter FEAT_7_0_EBX TCG features too
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Eduardo Habkost <ehabkost@redhat.com>

The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a
typo that was never noticed). Make the existing TCG feature filtering
code use it.

Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f)

Conflicts:
	target-i386/cpu.c

*fixed simple context mismatch

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 target-i386/cpu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 654a04e..d6bc332 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -539,7 +539,7 @@ typedef struct x86_def_t {
 #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
           CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
 #define TCG_SVM_FEATURES 0
-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP \
+#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \
           CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX)
           /* missing:
           CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
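Review bot: the missing `|` after `CPUID_7_0_EBX_SMAP` made `TCG_7_0_EBX_FEATURES` expand to `... CPUID_7_0_EBX_SMAP CPUID_7_0_EBX_BMI1 ...`, a syntax error at any use site, which is exactly why it went unnoticed while unused. Now that the macro is live, the adjacent `/* missing: ... */` list needs to be kept in sync whenever a leaf 7 EBX feature gains TCG support.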
@@ -2562,6 +2562,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
     if (!kvm_enabled()) {
         env->features[FEAT_1_EDX] &= TCG_FEATURES;
         env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES;
+        env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;
         env->features[FEAT_8000_0001_EDX] &= (TCG_EXT2_FEATURES
 #ifdef TARGET_X86_64
             | CPUID_EXT2_SYSCALL | CPUID_EXT2_LM
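Review bot: `env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES;` is a guest-visible CPUID change for TCG guests: leaf 7 EBX bits that were advertised but not implemented (the `/* missing: */` list in the previous hunk) disappear, which is correct but should be stated in the commit message for anyone comparing CPUID output across stable versions. The backport note mentions a context conflict; the line does land beside the other `&= TCG_*` masks here, which is the right place.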
-- 
1.9.1

* [Qemu-devel] [PATCH 146/156] virtio-net: byteswap virtio-net header
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Cédric Le Goater <clg@fr.ibm.com>

TCP connectivity fails when the guest has a different endianness.
The packets are silently dropped on the host by the tap backend
when they are read from user space because the endianness of the
virtio-net header is in the wrong order. These lines may appear
in the guest console:

[  454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
[  455.702554] skbuff: bad partial csum: csum=8704/4096 len=74

The issue was first spotted with a ppc64le PowerKVM guest,
but it also exists for the less common case of an x86_64 guest run
by a big-endian ppc64 TCG hypervisor.

Signed-off-by: Cédric Le Goater <clg@fr.ibm.com>
[ Ported from PowerKVM,
  Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

(cherry picked from commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/virtio-net.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 29c5f35..6246725 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -843,6 +843,14 @@ static int virtio_net_has_buffers(VirtIONetQueue *q, int bufsize)
     return 1;
 }
 
+static void virtio_net_hdr_swap(struct virtio_net_hdr *hdr)
+{
+    tswap16s(&hdr->hdr_len);
+    tswap16s(&hdr->gso_size);
+    tswap16s(&hdr->csum_start);
+    tswap16s(&hdr->csum_offset);
+}
+
 /* dhclient uses AF_PACKET but doesn't pass auxdata to the kernel so
  * it never finds out that the packets don't have valid checksums.  This
  * causes dhclient to get upset.  Fedora's carried a patch for ages to
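Review bot: virtio_net_hdr_swap() swaps in place with tswap16s(), i.e. according to the target's endianness relative to the host, and only the four 16-bit fields; `flags` and `gso_type` are single bytes and correctly untouched. Because it mutates its argument, every caller must make sure a header is swapped exactly once; a comment saying "in place, call once per header" would prevent a double swap when a buffer is revisited.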
@@ -878,6 +886,7 @@ static void receive_header(VirtIONet *n, const struct iovec *iov, int iov_cnt,
         void *wbuf = (void *)buf;
         work_around_broken_dhclient(wbuf, wbuf + n->host_hdr_len,
                                     size - n->host_hdr_len);
+        virtio_net_hdr_swap(wbuf);
         iov_from_buf(iov, iov_cnt, 0, buf, sizeof(struct virtio_net_hdr));
     } else {
         struct virtio_net_hdr hdr = {
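Review bot: `virtio_net_hdr_swap(wbuf);` mutates `buf` through the const-cast `wbuf` that work_around_broken_dhclient() already uses; if the same receive buffer is offered to receive_header() again, the header comes back swapped twice. The `else` branch below builds a local `struct virtio_net_hdr hdr`; doing the same here and swapping the copy before iov_from_buf() avoids touching the caller's buffer.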
@@ -1086,6 +1095,14 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
             exit(1);
         }
 
+        if (n->has_vnet_hdr) {
+            if (out_sg[0].iov_len < n->guest_hdr_len) {
+                error_report("virtio-net header incorrect");
+                exit(1);
+            }
+            virtio_net_hdr_swap((void *) out_sg[0].iov_base);
+        }
+
         /*
          * If host wants to see the guest header as is, we can
          * pass it on unchanged. Otherwise, copy just the parts
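Review bot: `exit(1)` on `out_sg[0].iov_len < n->guest_hdr_len` lets a guest that posts a short first descriptor terminate the whole VM; it matches the existing `exit(1);` just above in this hunk, but for guest-supplied input the usual virtio response is to log and stop the queue rather than exit the host process. Also the swap is done directly on `out_sg[0].iov_base`, which is guest memory, so the guest sees its own header byte-swapped after the device consumed it; a local copy, as suggested for the rx path, would avoid writing into guest buffers.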
-- 
1.9.1

* [Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Alexander Graf <agraf@suse.de>

The device configuration is set at realize time and never changes. It
should not be migrated as it is done today. For the sake of compatibility,
let's just skip them at load time.

Signed-off-by: Alexander Graf <agraf@suse.de>
[ added missing casts to uint16_t *,
  added From, SoB and commit message,
  Greg Kurz <gkurz@linux.vnet.ibm.com> ]
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

(cherry picked from commit e38e943a1fa20d04deb1899be19b12aadec7a585)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/char/virtio-serial-bus.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index a7ede90..f3e496f 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -670,6 +670,7 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, int version_id)
     uint32_t max_nr_ports, nr_active_ports, ports_map;
     unsigned int i;
     int ret;
+    uint32_t tmp;
 
     if (version_id > 3) {
         return -EINVAL;
@@ -685,17 +686,12 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, int version_id)
         return 0;
     }
 
-    /* The config space */
-    qemu_get_be16s(f, &s->config.cols);
-    qemu_get_be16s(f, &s->config.rows);
-
-    qemu_get_be32s(f, &max_nr_ports);
-    tswap32s(&max_nr_ports);
-    if (max_nr_ports > tswap32(s->config.max_nr_ports)) {
-        /* Source could have had more ports than us. Fail migration. */
-        return -EINVAL;
-    }
+    /* Unused */
+    qemu_get_be16s(f, (uint16_t *) &tmp);
+    qemu_get_be16s(f, (uint16_t *) &tmp);
+    qemu_get_be32s(f, &tmp);
 
+    max_nr_ports = tswap32(s->config.max_nr_ports);
     for (i = 0; i < (max_nr_ports + 31) / 32; i++) {
         qemu_get_be32s(f, &ports_map);
 
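Review bot: the removed check `if (max_nr_ports > tswap32(s->config.max_nr_ports))` guarded against a source with more ports than the destination; with it gone, `for (i = 0; i < (max_nr_ports + 31) / 32; i++)` uses the destination's value to decide how many `ports_map` words to read, so a stream from a larger source is no longer rejected but mis-parsed (the extra words are consumed as the following fields). Keep the comparison on the value now read into `tmp` by `qemu_get_be32s(f, &tmp);` and still fail the load when it exceeds the local maximum. The `(uint16_t *) &tmp` casts are fine since both 16-bit reads are discarded.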
-- 
1.9.1

* [Qemu-devel] [PATCH 148/156] nbd: Don't export a block device with no medium.
From: Michael Roth @ 2014-07-08 17:18 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hani Benhabiles <kroosec@gmail.com>

The device is exported with erroneous values and can't be read.

Before the patch:
$ sudo nbd-client localhost -p 10809 /dev/nbd0 -name floppy0
Negotiation: ..size = 17592186044415MB
bs=1024, sz=18446744073709547520 bytes

$ sudo mount /dev/nbd0 /mnt/tmp/
mount: block device /dev/nbd0 is write-protected, mounting read-only
mount: /dev/nbd0: can't read superblock

After the patch:
(qemu) nbd_server_add ide0-hd0
(qemu) nbd_server_add floppy0
Device 'floppy0' has no medium

Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 60fe4fac22895576973e317d7148b084c31cc64c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev-nbd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index 922cf56..a700d52 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -91,6 +91,10 @@ void qmp_nbd_server_add(const char *device, bool has_writable, bool writable,
         error_set(errp, QERR_DEVICE_NOT_FOUND, device);
         return;
     }
+    if (!bdrv_is_inserted(bs)) {
+        error_set(errp, QERR_DEVICE_HAS_NO_MEDIUM, device);
+        return;
+    }
 
     if (!has_writable) {
         writable = false;
-- 
1.9.1

* [Qemu-devel] [PATCH 149/156] nbd: Don't validate from and len in NBD_CMD_DISC.
From: Michael Roth @ 2014-07-08 17:19 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

From: Hani Benhabiles <kroosec@gmail.com>

These values aren't used in this case.

Currently, the from field in the request sent by the nbd kernel module leads
to a false error message when ending the connection with the client.

$ qemu-nbd some.img -v
// After nbd-client -d /dev/nbd0
nbd.c:nbd_trip():L1031: From: 18446744073709551104, Len: 0, Size: 20971520,
Offset: 0
nbd.c:nbd_trip():L1032: requested operation past EOF--bad client?
nbd.c:nbd_receive_request():L638: read failed

Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 8c5d1abbb79193dca8e4823ef53d8d1e650362ae)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 nbd.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/nbd.c b/nbd.c
index f847940..d097457 100644
--- a/nbd.c
+++ b/nbd.c
@@ -1069,6 +1069,7 @@ static void nbd_trip(void *opaque)
     struct nbd_request request;
     struct nbd_reply reply;
     ssize_t ret;
+    uint32_t command;
 
     TRACE("Reading request.");
     if (client->closing) {
@@ -1091,8 +1092,8 @@ static void nbd_trip(void *opaque)
         reply.error = -ret;
         goto error_reply;
     }
-
-    if ((request.from + request.len) > exp->size) {
+    command = request.type & NBD_CMD_MASK_COMMAND;
+    if (command != NBD_CMD_DISC && (request.from + request.len) > exp->size) {
             LOG("From: %" PRIu64 ", Len: %u, Size: %" PRIu64
             ", Offset: %" PRIu64 "\n",
                     request.from, request.len,
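Review bot: the bounds test `(request.from + request.len) > exp->size` in the new `if` of this hunk can wrap: request.from is a uint64_t (the log in the commit message shows 18446744073709551104, just below UINT64_MAX) and request.len is a 32-bit length chosen by the client, so an offset near the top of the range plus a non-zero length wraps to a small sum that passes the check. Test the two terms separately, e.g. `request.from > exp->size || request.len > exp->size - request.from`, so no addition can overflow. Skipping the check for NBD_CMD_DISC is fine, since that case never uses from or len.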
@@ -1101,7 +1102,7 @@ static void nbd_trip(void *opaque)
         goto invalid_request;
     }
 
-    switch (request.type & NBD_CMD_MASK_COMMAND) {
+    switch (command) {
     case NBD_CMD_READ:
         TRACE("Request type is READ");
 
-- 
1.9.1

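The wrap-around risk in a `from + len` bounds check is easier to see in isolation. The C block below is an added example for this page, not code from QEMU or from the patch author; the NBD command numbers and command mask are assumed (NBD_CMD_DISC = 2, low 16 bits of the type carry the command), the function names are hypothetical, and the sizes and offsets are constructed from the log in the commit message. It contrasts the wrapping check with an overflow-safe one that also skips validation for NBD_CMD_DISC:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed NBD command encoding (values taken as an assumption for this
 * example): the low 16 bits of the request type carry the command. */
#define NBD_CMD_READ         0u
#define NBD_CMD_WRITE        1u
#define NBD_CMD_DISC         2u
#define NBD_CMD_MASK_COMMAND 0x0000ffffu

/* Wrapping check, as in the pre-fix server logic: from + len is computed in
 * uint64_t and can wrap past UINT64_MAX, landing below size. */
bool request_in_bounds_wrapping(uint64_t from, uint32_t len, uint64_t size)
{
    return (from + len) <= size;
}

/* Overflow-safe check: compare before adding, and do not validate from/len
 * for NBD_CMD_DISC, where they carry no meaning. */
bool request_in_bounds(uint32_t type, uint64_t from, uint32_t len,
                       uint64_t size)
{
    uint32_t command = type & NBD_CMD_MASK_COMMAND;

    if (command == NBD_CMD_DISC) {
        return true;
    }
    if (from > size) {
        return false;          /* offset itself is past EOF */
    }
    return len <= size - from; /* size - from cannot underflow here */
}

int main(void)
{
    const uint64_t size = 20971520;                      /* 20 MiB, as in the log */
    const uint64_t disc_from = 18446744073709551104ULL;  /* offset from the log */

    /* The disconnect seen in the commit message: DISC with a garbage offset. */
    printf("DISC  wrapping=%d safe=%d\n",
           request_in_bounds_wrapping(disc_from, 0, size),
           request_in_bounds(NBD_CMD_DISC, disc_from, 0, size));

    /* Constructed hostile READ: from + len wraps to 512 and passes the
     * wrapping check, but is rejected by the safe one. */
    printf("READ  wrapping=%d safe=%d\n",
           request_in_bounds_wrapping(disc_from, 1024, size),
           request_in_bounds(NBD_CMD_READ, disc_from, 1024, size));
    return 0;
}
```

The safe form rejects the hostile READ because `from > size` is tested before any arithmetic, and it accepts the DISC request without looking at the offset at all, which is the behaviour the patch intends.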

* [Qemu-devel] [PATCH 150/156] nbd: Close socket on negotiation failure.
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Hani Benhabiles <kroosec@gmail.com>

Otherwise, the nbd client may hang waiting for the server response.

Signed-off-by: Hani Benhabiles <hani@linux.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 36af599417dde11747a27dc8550ff2281657a8ff)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev-nbd.c | 4 ++--
 qemu-nbd.c     | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index a700d52..18dc528 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -27,8 +27,8 @@ static void nbd_accept(void *opaque)
     socklen_t addr_len = sizeof(addr);
 
     int fd = accept(server_fd, (struct sockaddr *)&addr, &addr_len);
-    if (fd >= 0) {
-        nbd_client_new(NULL, fd, nbd_client_put);
+    if (fd >= 0 && !nbd_client_new(NULL, fd, nbd_client_put)) {
+        close(fd);
     }
 }
 
diff --git a/qemu-nbd.c b/qemu-nbd.c
index c26c98e..7a2cff9 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -299,8 +299,10 @@ static void nbd_accept(void *opaque)
         return;
     }
 
-    if (fd >= 0 && nbd_client_new(exp, fd, nbd_client_closed)) {
+    if (nbd_client_new(exp, fd, nbd_client_closed)) {
         nb_fds++;
+    } else {
+        close(fd);
     }
 }
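Review bot: dropping `fd >= 0` from the condition at `if (nbd_client_new(exp, fd, nbd_client_closed))` is only correct if a failed accept() already returns before this point; the visible context shows a `return;` above the hunk but not the condition that triggers it. Please confirm that fd < 0 is handled there, because with the new else branch a negative fd would otherwise reach nbd_client_new() and then close(fd).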
 
-- 
1.9.1


* [Qemu-devel] [PATCH 151/156] nbd: Shutdown socket before closing.
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Hani Benhabiles <kroosec@gmail.com>

This forces finishing sending data to the client before closing the socket, as
in the export listing or NBD_REP_ERR_UNSUP reply cases.

Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 27e5eae4577316f7e86a56eb7363d4e78f79e3e5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 blockdev-nbd.c | 1 +
 qemu-nbd.c     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index 18dc528..b3a2474 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -28,6 +28,7 @@ static void nbd_accept(void *opaque)
 
     int fd = accept(server_fd, (struct sockaddr *)&addr, &addr_len);
     if (fd >= 0 && !nbd_client_new(NULL, fd, nbd_client_put)) {
+        shutdown(fd, 2);
         close(fd);
     }
 }
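Review bot: `shutdown(fd, 2)` uses a magic number; spell it `shutdown(fd, SHUT_RDWR)` so the intent (stop both directions, let queued data drain, then close) is readable and matches the <sys/socket.h> constant. The same applies to the identical call in the qemu-nbd.c hunk of this patch.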
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 7a2cff9..474966f 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -302,6 +302,7 @@ static void nbd_accept(void *opaque)
     if (nbd_client_new(exp, fd, nbd_client_closed)) {
         nb_fds++;
     } else {
+        shutdown(fd, 2);
         close(fd);
     }
 }
-- 
1.9.1


* [Qemu-devel] [PATCH 152/156] qapi: zero-initialize all QMP command parameters
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

In general QMP command parameter values are specified by consumers of the
QMP/HMP interface, but in the case of optional parameters these values may
be left uninitialized.

It is considered a bug for code to make use of optional parameters that have
not been flagged as being present by the marshalling code (via corresponding
has_<parameter> parameter), however our marshalling code will still pass
these uninitialized values on to the corresponding QMP function (to then
be ignored). Some compilers (clang in particular) consider this unsafe
however, and generate warnings as a result. As reported by Peter Maydell:

  This is something clang's -fsanitize=undefined spotted. The
  code generated by qapi-commands.py in qmp-marshal.c for
  qmp_marshal_* functions where there are some optional
  arguments looks like this:

      bool has_force = false;
      bool force;

      mi = qmp_input_visitor_new_strict(QOBJECT(args));
      v = qmp_input_get_visitor(mi);
      visit_type_str(v, &device, "device", errp);
      visit_start_optional(v, &has_force, "force", errp);
      if (has_force) {
          visit_type_bool(v, &force, "force", errp);
      }
      visit_end_optional(v, errp);
      qmp_input_visitor_cleanup(mi);

      if (error_is_set(errp)) {
          goto out;
      }
      qmp_eject(device, has_force, force, errp);

  In the case where has_force is false, we never initialize
  force, but then we use it by passing it to qmp_eject.
  I imagine we don't then actually use the value, but clang
  complains in particular for 'bool' variables because the value
  that ends up being loaded from memory for 'force' is not either
  0 or 1 (being uninitialized stack contents).

Fix this by initializing all QMP command parameters to {0} in the
marshalling code prior to passing them on to the QMP functions.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
(cherry picked from commit fc13d937269c1cd01a4b7720c1dcce01722727a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 scripts/qapi-commands.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/qapi-commands.py b/scripts/qapi-commands.py
index b12b696..b9c41fb 100644
--- a/scripts/qapi-commands.py
+++ b/scripts/qapi-commands.py
@@ -119,7 +119,7 @@ bool has_%(argname)s = false;
                          argname=c_var(argname), argtype=c_type(argtype))
         else:
             ret += mcgen('''
-%(argtype)s %(argname)s;
+%(argtype)s %(argname)s = {0};
 ''',
                          argname=c_var(argname), argtype=c_type(argtype))
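Review bot: the generated line `%(argtype)s %(argname)s = {0};` relies on `{0}` being a valid initializer for every C type the generator can emit here (bool, the integer types, double, and pointers); that holds, but it is non-obvious enough to deserve a one-line comment in the generator, since `= 0` is the natural rewrite a later cleanup might attempt and it would not cover an aggregate argtype. It is also worth saying in the commit message that this removes the undefined read only: callers must still consult `has_<parameter>` before using the value.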
 
-- 
1.9.1


* [Qemu-devel] [PATCH 153/156] vnc: Fix tight_detect_smooth_image() for lossless case
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Markus Armbruster <armbru@redhat.com>

VncTight member uint8_t quality is either (uint8_t)-1 for lossless or
less than 10 for lossy.

tight_detect_smooth_image() first promotes it to int, then compares
with -1.  Always unequal, so we always execute the lossy code.  Reads
beyond tight_conf[] and returns crap when quality is actually
lossless.

Compare to (uint8_t)-1 instead, like we do elsewhere.

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 2e7bcdb99adbd8fc10ad9ddcf93bd2bf3c0f1f2d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 ui/vnc-enc-tight.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index e6966ae..59b59c0 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -330,7 +330,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
     } else {
         errors = tight_detect_smooth_image16(vs, w, h);
     }
-    if (quality != -1) {
+    if (quality != (uint8_t)-1) {
         return (errors < tight_conf[quality].jpeg_threshold);
     }
     return (errors < tight_conf[compression].gradient_threshold);
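Review bot: comparing against `(uint8_t)-1` restores the lossless test, but `tight_conf[quality]` on the following line is still indexed without a range check; the commit message says quality is below 10 when lossy, so an explicit guard such as `assert(quality < ARRAY_SIZE(tight_conf))` (or a bounded lookup) would turn that invariant into something the code enforces rather than assumes, and would have caught this out-of-bounds read at runtime.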
-- 
1.9.1

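The `quality != -1` miscompare is a C integer-promotion pitfall, and the out-of-bounds table read it causes is worth seeing concretely. The block below is an added example for this page, not QEMU code; the ten-entry table and its threshold values are constructed stand-ins for tight_conf[], and the function names are hypothetical. It shows the promoted comparison that never matches, the fixed comparison, and a lookup that refuses to index past the end of the table:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for tight_conf[]: ten JPEG quality levels (0..9)
 * with made-up error thresholds; the real table is in ui/vnc-enc-tight.c. */
struct tight_conf_entry {
    unsigned int jpeg_threshold;
};
static const struct tight_conf_entry tight_conf[10] = {
    {1}, {2}, {4}, {8}, {16}, {32}, {64}, {128}, {256}, {512}
};
#define TIGHT_CONF_SIZE (sizeof(tight_conf) / sizeof(tight_conf[0]))

/* The buggy test: quality is a uint8_t, so the usual arithmetic conversions
 * promote it to int (0..255) before the compare; it can never equal -1. */
bool is_lossless_buggy(uint8_t quality)
{
    int promoted = quality;
    return promoted == -1;
}

/* The fixed test: compare against the same sentinel narrowed to uint8_t. */
bool is_lossless_fixed(uint8_t quality)
{
    return quality == (uint8_t)-1;
}

/* Bounded lookup: returns -1 for lossless or for any index the table does
 * not have, instead of reading past its end as tight_conf[255] would. */
long jpeg_threshold_for(uint8_t quality)
{
    if (is_lossless_fixed(quality) || (size_t)quality >= TIGHT_CONF_SIZE) {
        return -1;
    }
    return tight_conf[quality].jpeg_threshold;
}

/* Decide whether a region counts as "smooth" the way the encoder does:
 * below the JPEG threshold when lossy, otherwise below a gradient
 * threshold supplied by the caller (hypothetical simplification). */
bool smooth_image(unsigned int errors, uint8_t quality,
                  unsigned int gradient_threshold)
{
    long threshold = jpeg_threshold_for(quality);
    if (threshold < 0) {
        return errors < gradient_threshold;
    }
    return errors < (unsigned int)threshold;
}

int main(void)
{
    uint8_t lossless = (uint8_t)-1;   /* 255 */
    printf("buggy=%d fixed=%d threshold=%ld\n",
           is_lossless_buggy(lossless), is_lossless_fixed(lossless),
           jpeg_threshold_for(lossless));
    return 0;
}
```

With the buggy comparison every quality value, including 255, takes the lossy branch; the bounded lookup makes the only safe answers for 255 (and for any out-of-range level) an explicit sentinel rather than whatever happens to follow the table in memory.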

* [Qemu-devel] [PATCH 154/156] sdhci: Fix misuse of qemu_free_irqs()
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Andreas Färber <afaerber@suse.de>

It does a g_free() on the pointer, so don't pass a local &foo reference.

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
(cherry picked from commit 127a4e1a51c038ec9167083b65d376dddcc64530)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/sd/sdhci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 0906a1d..9e8a236 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1185,8 +1185,8 @@ static void sdhci_uninitfn(Object *obj)
     timer_free(s->insert_timer);
     timer_del(s->transfer_timer);
     timer_free(s->transfer_timer);
-    qemu_free_irqs(&s->eject_cb);
-    qemu_free_irqs(&s->ro_cb);
+    qemu_free_irq(s->eject_cb);
+    qemu_free_irq(s->ro_cb);
 
     if (s->fifo_buffer) {
         g_free(s->fifo_buffer);
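Review bot: qemu_free_irq(s->eject_cb) and qemu_free_irq(s->ro_cb) now free the qemu_irq objects themselves, but in this tree sdhci_initfn still obtains them with `qemu_allocate_irqs(..., 1)[0]` (changed only by the next patch in the series, 'hw: Fix qemu_allocate_irqs() leaks'), so the one-element arrays that held them are still leaked until that patch is applied; the two belong together, which the series ordering provides.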
-- 
1.9.1


* [Qemu-devel] [PATCH 155/156] hw: Fix qemu_allocate_irqs() leaks
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Andreas Färber <afaerber@suse.de>

Replace qemu_allocate_irqs(foo, bar, 1)[0]
with qemu_allocate_irq(foo, bar, 0).

This avoids leaking the dereferenced qemu_irq *.

Cc: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[PC Changes:
 * Applied change to instance in sh4/sh7750.c
]
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Kirill Batuzov <batuzovk@ispras.ru>
[AF: Fix IRQ index in sh4/sh7750.c]
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>

(cherry picked from commit f3c7d0389fe8a2792fd4c1cf151b885de03c8f62)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/arm/omap1.c          | 14 +++++++-------
 hw/arm/omap2.c          |  2 +-
 hw/arm/pxa2xx.c         |  4 ++--
 hw/arm/spitz.c          |  4 ++--
 hw/arm/z2.c             |  2 +-
 hw/core/irq.c           |  4 ++--
 hw/dma/omap_dma.c       |  4 ++--
 hw/ide/microdrive.c     |  2 +-
 hw/misc/cbus.c          |  6 +++---
 hw/pcmcia/pxa2xx.c      |  2 +-
 hw/sd/omap_mmc.c        |  2 +-
 hw/sd/sdhci.c           |  4 ++--
 hw/sh4/sh7750.c         |  3 +--
 hw/timer/omap_gptimer.c |  4 ++--
 14 files changed, 28 insertions(+), 29 deletions(-)

diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
index 47511d2..e97eacd 100644
--- a/hw/arm/omap1.c
+++ b/hw/arm/omap1.c
@@ -172,7 +172,7 @@ static void omap_timer_clk_update(void *opaque, int line, int on)
 static void omap_timer_clk_setup(struct omap_mpu_timer_s *timer)
 {
     omap_clk_adduser(timer->clk,
-                    qemu_allocate_irqs(omap_timer_clk_update, timer, 1)[0]);
+                    qemu_allocate_irq(omap_timer_clk_update, timer, 0));
     timer->rate = omap_clk_getrate(timer->clk);
 }
 
@@ -2094,7 +2094,7 @@ static struct omap_mpuio_s *omap_mpuio_init(MemoryRegion *memory,
                           "omap-mpuio", 0x800);
     memory_region_add_subregion(memory, base, &s->iomem);
 
-    omap_clk_adduser(clk, qemu_allocate_irqs(omap_mpuio_onoff, s, 1)[0]);
+    omap_clk_adduser(clk, qemu_allocate_irq(omap_mpuio_onoff, s, 0));
 
     return s;
 }
@@ -2397,7 +2397,7 @@ static struct omap_pwl_s *omap_pwl_init(MemoryRegion *system_memory,
                           "omap-pwl", 0x800);
     memory_region_add_subregion(system_memory, base, &s->iomem);
 
-    omap_clk_adduser(clk, qemu_allocate_irqs(omap_pwl_clk_update, s, 1)[0]);
+    omap_clk_adduser(clk, qemu_allocate_irq(omap_pwl_clk_update, s, 0));
     return s;
 }
 
@@ -3481,8 +3481,8 @@ static void omap_mcbsp_i2s_start(void *opaque, int line, int level)
 void omap_mcbsp_i2s_attach(struct omap_mcbsp_s *s, I2SCodec *slave)
 {
     s->codec = slave;
-    slave->rx_swallow = qemu_allocate_irqs(omap_mcbsp_i2s_swallow, s, 1)[0];
-    slave->tx_start = qemu_allocate_irqs(omap_mcbsp_i2s_start, s, 1)[0];
+    slave->rx_swallow = qemu_allocate_irq(omap_mcbsp_i2s_swallow, s, 0);
+    slave->tx_start = qemu_allocate_irq(omap_mcbsp_i2s_start, s, 0);
 }
 
 /* LED Pulse Generators */
@@ -3630,7 +3630,7 @@ static struct omap_lpg_s *omap_lpg_init(MemoryRegion *system_memory,
     memory_region_init_io(&s->iomem, NULL, &omap_lpg_ops, s, "omap-lpg", 0x800);
     memory_region_add_subregion(system_memory, base, &s->iomem);
 
-    omap_clk_adduser(clk, qemu_allocate_irqs(omap_lpg_clk_update, s, 1)[0]);
+    omap_clk_adduser(clk, qemu_allocate_irq(omap_lpg_clk_update, s, 0));
 
     return s;
 }
@@ -3844,7 +3844,7 @@ struct omap_mpu_state_s *omap310_mpu_init(MemoryRegion *system_memory,
     s->sdram_size = sdram_size;
     s->sram_size = OMAP15XX_SRAM_SIZE;
 
-    s->wakeup = qemu_allocate_irqs(omap_mpu_wakeup, s, 1)[0];
+    s->wakeup = qemu_allocate_irq(omap_mpu_wakeup, s, 0);
 
     /* Clocks */
     omap_clk_init(s);
diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index 36efde0..dc53a7a 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -2260,7 +2260,7 @@ struct omap_mpu_state_s *omap2420_mpu_init(MemoryRegion *sysmem,
     s->sdram_size = sdram_size;
     s->sram_size = OMAP242X_SRAM_SIZE;
 
-    s->wakeup = qemu_allocate_irqs(omap_mpu_wakeup, s, 1)[0];
+    s->wakeup = qemu_allocate_irq(omap_mpu_wakeup, s, 0);
 
     /* Clocks */
     omap_clk_init(s);
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index daec57d..30cf71f 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -2057,7 +2057,7 @@ PXA2xxState *pxa270_init(MemoryRegion *address_space,
         fprintf(stderr, "Unable to find CPU definition\n");
         exit(1);
     }
-    s->reset = qemu_allocate_irqs(pxa2xx_reset, s, 1)[0];
+    s->reset = qemu_allocate_irq(pxa2xx_reset, s, 0);
 
     /* SDRAM & Internal Memory Storage */
     memory_region_init_ram(&s->sdram, NULL, "pxa270.sdram", sdram_size);
@@ -2188,7 +2188,7 @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
         fprintf(stderr, "Unable to find CPU definition\n");
         exit(1);
     }
-    s->reset = qemu_allocate_irqs(pxa2xx_reset, s, 1)[0];
+    s->reset = qemu_allocate_irq(pxa2xx_reset, s, 0);
 
     /* SDRAM & Internal Memory Storage */
     memory_region_init_ram(&s->sdram, NULL, "pxa255.sdram", sdram_size);
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index ba17283..54f2166 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -743,7 +743,7 @@ static void spitz_i2c_setup(PXA2xxState *cpu)
 
     spitz_wm8750_addr(wm, 0, 0);
     qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_WM,
-                    qemu_allocate_irqs(spitz_wm8750_addr, wm, 1)[0]);
+                          qemu_allocate_irq(spitz_wm8750_addr, wm, 0));
     /* .. and to the sound interface.  */
     cpu->i2s->opaque = wm;
     cpu->i2s->codec_out = wm8750_dac_dat;
@@ -849,7 +849,7 @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
      * wouldn't guarantee that a guest ever exits the loop.
      */
     spitz_hsync = 0;
-    lcd_hsync = qemu_allocate_irqs(spitz_lcd_hsync_handler, cpu, 1)[0];
+    lcd_hsync = qemu_allocate_irq(spitz_lcd_hsync_handler, cpu, 0);
     pxa2xx_gpio_read_notifier(cpu->gpio, lcd_hsync);
     pxa2xx_lcd_vsync_notifier(cpu->lcd, lcd_hsync);
 
diff --git a/hw/arm/z2.c b/hw/arm/z2.c
index d52c501..d662130 100644
--- a/hw/arm/z2.c
+++ b/hw/arm/z2.c
@@ -359,7 +359,7 @@ static void z2_init(QEMUMachineInitArgs *args)
     wm8750_data_req_set(wm, mpu->i2s->data_req, mpu->i2s);
 
     qdev_connect_gpio_out(mpu->gpio, Z2_GPIO_LCD_CS,
-        qemu_allocate_irqs(z2_lcd_cs, z2_lcd, 1)[0]);
+                          qemu_allocate_irq(z2_lcd_cs, z2_lcd, 0));
 
     z2_binfo.kernel_filename = kernel_filename;
     z2_binfo.kernel_cmdline = kernel_cmdline;
diff --git a/hw/core/irq.c b/hw/core/irq.c
index 03c8cb3..3d284c6 100644
--- a/hw/core/irq.c
+++ b/hw/core/irq.c
@@ -102,7 +102,7 @@ qemu_irq qemu_irq_invert(qemu_irq irq)
 {
     /* The default state for IRQs is low, so raise the output now.  */
     qemu_irq_raise(irq);
-    return qemu_allocate_irqs(qemu_notirq, irq, 1)[0];
+    return qemu_allocate_irq(qemu_notirq, irq, 0);
 }
 
 static void qemu_splitirq(void *opaque, int line, int level)
@@ -117,7 +117,7 @@ qemu_irq qemu_irq_split(qemu_irq irq1, qemu_irq irq2)
     qemu_irq *s = g_malloc0(2 * sizeof(qemu_irq));
     s[0] = irq1;
     s[1] = irq2;
-    return qemu_allocate_irqs(qemu_splitirq, s, 1)[0];
+    return qemu_allocate_irq(qemu_splitirq, s, 0);
 }
 
 static void proxy_irq_handler(void *opaque, int n, int level)
diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
index 0e8cccd..bb02279 100644
--- a/hw/dma/omap_dma.c
+++ b/hw/dma/omap_dma.c
@@ -1660,7 +1660,7 @@ struct soc_dma_s *omap_dma_init(hwaddr base, qemu_irq *irqs,
     }
 
     omap_dma_setcaps(s);
-    omap_clk_adduser(s->clk, qemu_allocate_irqs(omap_dma_clk_update, s, 1)[0]);
+    omap_clk_adduser(s->clk, qemu_allocate_irq(omap_dma_clk_update, s, 0));
     omap_dma_reset(s->dma);
     omap_dma_clk_update(s, 0, 1);
 
@@ -2082,7 +2082,7 @@ struct soc_dma_s *omap_dma4_init(hwaddr base, qemu_irq *irqs,
     s->intr_update = omap_dma_interrupts_4_update;
 
     omap_dma_setcaps(s);
-    omap_clk_adduser(s->clk, qemu_allocate_irqs(omap_dma_clk_update, s, 1)[0]);
+    omap_clk_adduser(s->clk, qemu_allocate_irq(omap_dma_clk_update, s, 0));
     omap_dma_reset(s->dma);
     omap_dma_clk_update(s, 0, !!s->dma->freq);
 
diff --git a/hw/ide/microdrive.c b/hw/ide/microdrive.c
index 21d6495..c73c5a7 100644
--- a/hw/ide/microdrive.c
+++ b/hw/ide/microdrive.c
@@ -594,7 +594,7 @@ static void microdrive_realize(DeviceState *dev, Error **errp)
 {
     MicroDriveState *md = MICRODRIVE(dev);
 
-    ide_init2(&md->bus, qemu_allocate_irqs(md_set_irq, md, 1)[0]);
+    ide_init2(&md->bus, qemu_allocate_irq(md_set_irq, md, 0));
 }
 
 static void microdrive_init(Object *obj)
diff --git a/hw/misc/cbus.c b/hw/misc/cbus.c
index 29b467b..495d507 100644
--- a/hw/misc/cbus.c
+++ b/hw/misc/cbus.c
@@ -135,9 +135,9 @@ CBus *cbus_init(qemu_irq dat)
     CBusPriv *s = (CBusPriv *) g_malloc0(sizeof(*s));
 
     s->dat_out = dat;
-    s->cbus.clk = qemu_allocate_irqs(cbus_clk, s, 1)[0];
-    s->cbus.dat = qemu_allocate_irqs(cbus_dat, s, 1)[0];
-    s->cbus.sel = qemu_allocate_irqs(cbus_sel, s, 1)[0];
+    s->cbus.clk = qemu_allocate_irq(cbus_clk, s, 0);
+    s->cbus.dat = qemu_allocate_irq(cbus_dat, s, 0);
+    s->cbus.sel = qemu_allocate_irq(cbus_sel, s, 0);
 
     s->sel = 1;
     s->clk = 0;
diff --git a/hw/pcmcia/pxa2xx.c b/hw/pcmcia/pxa2xx.c
index 8f17596..4a126b3 100644
--- a/hw/pcmcia/pxa2xx.c
+++ b/hw/pcmcia/pxa2xx.c
@@ -195,7 +195,7 @@ static void pxa2xx_pcmcia_initfn(Object *obj)
     memory_region_add_subregion(&s->container_mem, 0x0c000000,
                                 &s->common_iomem);
 
-    s->slot.irq = qemu_allocate_irqs(pxa2xx_pcmcia_set_irq, s, 1)[0];
+    s->slot.irq = qemu_allocate_irq(pxa2xx_pcmcia_set_irq, s, 0);
 
     object_property_add_link(obj, "card", TYPE_PCMCIA_CARD,
                              (Object **)&s->card, NULL);
diff --git a/hw/sd/omap_mmc.c b/hw/sd/omap_mmc.c
index 937a478..6c92149 100644
--- a/hw/sd/omap_mmc.c
+++ b/hw/sd/omap_mmc.c
@@ -625,7 +625,7 @@ struct omap_mmc_s *omap2_mmc_init(struct omap_target_agent_s *ta,
         exit(1);
     }
 
-    s->cdet = qemu_allocate_irqs(omap_mmc_cover_cb, s, 1)[0];
+    s->cdet = qemu_allocate_irq(omap_mmc_cover_cb, s, 0);
     sd_set_cb(s->card, NULL, s->cdet);
 
     return s;
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 9e8a236..79a2b1d 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1169,8 +1169,8 @@ static void sdhci_initfn(Object *obj)
     if (s->card == NULL) {
         exit(1);
     }
-    s->eject_cb = qemu_allocate_irqs(sdhci_insert_eject_cb, s, 1)[0];
-    s->ro_cb = qemu_allocate_irqs(sdhci_card_readonly_cb, s, 1)[0];
+    s->eject_cb = qemu_allocate_irq(sdhci_insert_eject_cb, s, 0);
+    s->ro_cb = qemu_allocate_irq(sdhci_card_readonly_cb, s, 0);
     sd_set_cb(s->card, s->ro_cb, s->eject_cb);
 
     s->insert_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sdhci_raise_insertion_irq, s);
diff --git a/hw/sh4/sh7750.c b/hw/sh4/sh7750.c
index 1439ba4..6ad66c9 100644
--- a/hw/sh4/sh7750.c
+++ b/hw/sh4/sh7750.c
@@ -838,6 +838,5 @@ SH7750State *sh7750_init(SuperHCPU *cpu, MemoryRegion *sysmem)
 qemu_irq sh7750_irl(SH7750State *s)
 {
     sh_intc_toggle_source(sh_intc_source(&s->intc, IRL), 1, 0); /* enable */
-    return qemu_allocate_irqs(sh_intc_set_irl, sh_intc_source(&s->intc, IRL),
-                               1)[0];
+    return qemu_allocate_irq(sh_intc_set_irl, sh_intc_source(&s->intc, IRL), 0);
 }
diff --git a/hw/timer/omap_gptimer.c b/hw/timer/omap_gptimer.c
index 016207f..b7f3d49 100644
--- a/hw/timer/omap_gptimer.c
+++ b/hw/timer/omap_gptimer.c
@@ -227,7 +227,7 @@ static void omap_gp_timer_clk_update(void *opaque, int line, int on)
 static void omap_gp_timer_clk_setup(struct omap_gp_timer_s *timer)
 {
     omap_clk_adduser(timer->clk,
-                    qemu_allocate_irqs(omap_gp_timer_clk_update, timer, 1)[0]);
+                     qemu_allocate_irq(omap_gp_timer_clk_update, timer, 0));
     timer->rate = omap_clk_getrate(timer->clk);
 }
 
@@ -476,7 +476,7 @@ struct omap_gp_timer_s *omap_gp_timer_init(struct omap_target_agent_s *ta,
     s->clk = fclk;
     s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, omap_gp_timer_tick, s);
     s->match = timer_new_ns(QEMU_CLOCK_VIRTUAL, omap_gp_timer_match, s);
-    s->in = qemu_allocate_irqs(omap_gp_timer_input, s, 1)[0];
+    s->in = qemu_allocate_irq(omap_gp_timer_input, s, 0);
     omap_gp_timer_reset(s);
     omap_gp_timer_clk_setup(s);
 
-- 
1.9.1


* [Qemu-devel] [PATCH 156/156] pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()
From: Michael Roth @ 2014-07-08 17:19 UTC
  To: qemu-devel; +Cc: qemu-stable

From: Le Tan <tamlokveer@gmail.com>

In function do_pci_register_device() in file hw/pci/pci.c, move the assignment
of pci_dev->devfn to the position before the call to
pci_device_iommu_address_space(pci_dev) which will use the value of
pci_dev->devfn.

Fixes: 9eda7d373e9c691c070eddcbe3467b991f67f6bd
    pci: Introduce helper to retrieve a PCI device's DMA address space

Cc: qemu-stable@nongnu.org
Signed-off-by: Le Tan <tamlokveer@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit efc8188e9398e54567b238b756eec2cc746cd2a4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/pci/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 347d0c0..e1bc1e3 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -820,6 +820,7 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
     }
 
     pci_dev->bus = bus;
+    pci_dev->devfn = devfn;
     dma_as = pci_device_iommu_address_space(pci_dev);
 
     memory_region_init_alias(&pci_dev->bus_master_enable_region,
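Review bot: moving `pci_dev->devfn = devfn;` above pci_device_iommu_address_space() is the right fix, since that helper reads pci_dev->devfn to select the device's DMA address space; the hunk shows no early return between the new position and the old one, so no failure path is affected. A short comment above the assignment noting that pci_device_iommu_address_space() depends on devfn being set would keep a future cleanup from reordering it again.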
@@ -829,7 +830,6 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
     address_space_init(&pci_dev->bus_master_as, &pci_dev->bus_master_enable_region,
                        name);
 
-    pci_dev->devfn = devfn;
     pstrcpy(pci_dev->name, sizeof(pci_dev->name), name);
     pci_dev->irq_state = 0;
     pci_config_alloc(pci_dev);
-- 
1.9.1


* Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14
From: Dr. David Alan Gilbert @ 2014-07-09 17:43 UTC
  To: Michael Roth; +Cc: mst, qemu-devel, qemu-stable

* Michael Roth (mdroth@linux.vnet.ibm.com) wrote:
> Hi everyone,
> 
> The following new patches are queued for QEMU stable v1.7.2:
> 
>   https://github.com/mdroth/qemu/commits/stable-1.7-staging
> 
> The release is planned for 2014-07-21:
> 
>   http://wiki.qemu.org/Planning/1.7
> 
> Please respond here or CC qemu-stable@nongnu.org on any patches
> you think should be included in the release.

You might want to include:
a890a2f9137ac3cf5b607649e66a6f3a5512d8dc - virtio: validate config_len on load

which guards against a mismatched config len on the migration stream
overwriting things.

However, if you do, you should also include:
2f5732e9648fcddc8759a8fd25c0b41a38352be6 - Allow mismatched virtio config-len
which instead of erroring, just discards the data to cope with
changes in the config len.

Dave

--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
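
The two fixes Dave points to above, a strict config_len check on load and the later change that discards mismatched data instead of failing, as an added C illustration. This is constructed example code, not QEMU's virtio code and not the content of either commit; the stream layout (a 4-byte little-endian length followed by the config bytes), the FakeDevice and Stream types, the loader names and run_scenario are all assumptions made for the example.

```c
/* Added illustration, not QEMU code: loading a device config blob from a
 * migration stream.  The stream layout, type and function names are
 * constructed for this example; QEMU's own virtio save/load code differs.
 * Assumed layout: 4-byte little-endian length, then that many config bytes.
 * The length comes from the stream, so it is untrusted input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONFIG_LEN 64       /* constructed size of the device-side buffer */

typedef struct {
    uint8_t  config[MAX_CONFIG_LEN];
    uint32_t config_len;        /* bytes of config[] this device actually uses */
    uint32_t canary;            /* sits after config[]; must survive a load */
} FakeDevice;

typedef struct { const uint8_t *buf; size_t len, pos; } Stream;   /* constructed */

/* Read n bytes (dst == NULL just skips them); -1 on a truncated stream. */
static int stream_read(Stream *s, void *dst, size_t n)
{
    if (s->len - s->pos < n) return -1;
    if (dst) memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return 0;
}

static int read_le32(Stream *s, uint32_t *out)
{
    uint8_t b[4];
    if (stream_read(s, b, 4) < 0) return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

/* Strict ("validate config_len on load"): a length that differs from the
 * device's own is refused, so no write can exceed config[]; the cost is that
 * a legitimate change in config layout between versions fails migration. */
static int load_config_strict(FakeDevice *dev, Stream *s)
{
    uint32_t len;
    if (read_le32(s, &len) < 0) return -1;
    if (len != dev->config_len) return -2;          /* mismatch: refuse */
    return stream_read(s, dev->config, len);
}

/* Tolerant ("allow mismatched config-len"): copy at most config_len bytes,
 * then consume and discard the excess so the loader stays in sync with the
 * stream.  The bound on the write is identical to the strict variant. */
static int load_config_tolerant(FakeDevice *dev, Stream *s)
{
    uint32_t len, keep;
    if (read_le32(s, &len) < 0) return -1;
    keep = len < dev->config_len ? len : dev->config_len;
    if (stream_read(s, dev->config, keep) < 0) return -1;
    return stream_read(s, NULL, len - keep);        /* skip what we can't hold */
}

/* One constructed scenario: a stream claiming `claimed_len` bytes but carrying
 * `payload_len` bytes (1, 2, 3, ...), loaded into a device with `dev_len`
 * bytes of config space.  Returns the loader's code, -99 if the canary was
 * clobbered, -98 if the loader succeeded but left the cursor out of sync; if
 * config_byte >= 0 and the load succeeded, returns that byte of config[]. */
int run_scenario(int tolerant, uint32_t claimed_len, size_t payload_len,
                 uint32_t dev_len, int config_byte)
{
    uint8_t raw[4 + MAX_CONFIG_LEN];
    FakeDevice dev;
    Stream s = { raw, 4 + payload_len, 0 };
    size_t i;
    int rc;

    if (dev_len > MAX_CONFIG_LEN || payload_len > MAX_CONFIG_LEN) return -97;
    for (i = 0; i < 4; i++) raw[i] = (uint8_t)(claimed_len >> (8 * i));
    for (i = 0; i < payload_len; i++) raw[4 + i] = (uint8_t)(i + 1);
    memset(&dev, 0, sizeof dev);
    dev.config_len = dev_len;
    dev.canary = 0xDEADBEEFu;

    rc = tolerant ? load_config_tolerant(&dev, &s) : load_config_strict(&dev, &s);
    if (dev.canary != 0xDEADBEEFu) return -99;
    if (rc == 0 && s.pos != s.len) return -98;
    if (rc == 0 && config_byte >= 0 && config_byte < MAX_CONFIG_LEN) return dev.config[config_byte];
    return rc;
}

int main(void)
{
    printf("strict,   source sent 8 bytes, device holds 4: %d\n", run_scenario(0, 8, 8, 4, -1));
    printf("tolerant, source sent 8 bytes, device holds 4: %d\n", run_scenario(1, 8, 8, 4, -1));
    printf("tolerant, stream claims 8 but carries only 3:  %d\n", run_scenario(1, 8, 3, 4, -1));
    return 0;
}
```

The point of running both loaders over the same constructed streams is that they bound the write identically; they differ only in what happens to a stream whose length does not match the destination device. The strict loader fails migration on any mismatch, which is the safe default but breaks compatibility when the config layout legitimately changes; the tolerant loader keeps the first config_len bytes, skips the rest so the following fields are still parsed at the right offset, and still reports a truncated stream as an error rather than reading past the end.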

* Re: [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14
  2014-07-09 17:43 ` [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Dr. David Alan Gilbert
@ 2014-07-10 18:05   ` Michael Roth
  0 siblings, 0 replies; 160+ messages in thread
From: Michael Roth @ 2014-07-10 18:05 UTC (permalink / raw)
  To: Dr. David Alan Gilbert; +Cc: mst, qemu-devel, qemu-stable

Quoting Dr. David Alan Gilbert (2014-07-09 12:43:49)
> * Michael Roth (mdroth@linux.vnet.ibm.com) wrote:
> > Hi everyone,
> > 
> > The following new patches are queued for QEMU stable v1.7.2:
> > 
> >   https://github.com/mdroth/qemu/commits/stable-1.7-staging
> > 
> > The release is planned for 2014-07-21:
> > 
> >   http://wiki.qemu.org/Planning/1.7
> > 
> > Please respond here or CC qemu-stable@nongnu.org on any patches
> > you think should be included in the release.
> 
> You might want to include:
> a890a2f9137ac3cf5b607649e66a6f3a5512d8dc - virtio: validate config_len on load
> 
> which guards against a mismatched config len on the migration stream
> overwriting things.
> 
> however, if you do you should also include:
> 2f5732e9648fcddc8759a8fd25c0b41a38352be6 - Allow mismatched virtio config-len
> which instead of erroring, just discards the data to cope with
> changes in the config len.

Thanks, first one was already in, but just pushed the 2nd to avoid
compat issues.

> 
> Dave
> 
> 
> > Testing/feedback is greatly appreciated.
> > 
> > 
> > As you maybe have noticed, the 1.7.2 stable release is late by
> > almost an entire release cycle. There were some important fixes
> > planned for 1.7.2 however, so hopefully better late than never.
> > Due to the delay the patch queue for this release is quite a bit
> > longer than usual, so anyone interested in this release is highly
> > encouraged to review/test.
> > 
> > 2.0.1 has similarly slipped by half a release cycle, so 2.0.1 will
> > be going out during the originally planned date release date for
> > 2.0.2, and is the only planned stable release for the 2.0 series:
> > 
> >   http://wiki.qemu.org/Planning/2.0
> > 
> > My apologies for the delays. For 2.1.x, we should be back on track
> > for the normal stable release schedule (2.1.1 midway through 2.2
> > development, and 2.1.2 roughly coinciding with 2.2 release).
> > 
> > Thanks! 
> > 
> > ----------------------------------------------------------------
> > Alexander Graf (3):
> >       kvmclock: Ensure time in migration never goes backward
> >       KVM: Fix GSI number space limit
> >       virtio-serial: don't migrate the config space
> > 
> > Alexey Kardashevskiy (1):
> >       spapr_pci: Fix number of returned vectors in ibm, change-msi
> > 
> > Andreas Färber (2):
> >       sdhci: Fix misuse of qemu_free_irqs()
> >       hw: Fix qemu_allocate_irqs() leaks
> > 
> > Benoît Canet (2):
> >       ide: Correct improper smart self test counter reset in ide core.
> >       block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.
> > 
> > ChenLiang (1):
> >       migration: remove duplicate code
> > 
> > Cornelia Huck (1):
> >       s390x/css: handle emw correctly for tsch
> > 
> > Cédric Le Goater (1):
> >       virtio-net: byteswap virtio-net header
> > 
> > David Hildenbrand (1):
> >       s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG
> > 
> > Dmitry Fleytman (4):
> >       vmxnet3: validate interrupt indices coming from guest
> >       vmxnet3: validate queues configuration coming from guest
> >       vmxnet3: validate interrupt indices read on migration
> >       vmxnet3: validate queues configuration read on migration
> > 
> > Dr. David Alan Gilbert (1):
> >       Fix vmstate_info_int32_le comparison/assign
> > 
> > Edgar E. Iglesias (1):
> >       target-arm: Make vbar_write 64bit friendly on 32bit hosts
> > 
> > Eduardo Habkost (1):
> >       target-i386: Filter FEAT_7_0_EBX TCG features too
> > 
> > Fam Zheng (2):
> >       scsi: Change scsi sense buf size to 252
> >       curl: check data size before memcpy to local buffer. (CVE-2014-0144)
> > 
> > Gal Hammer (1):
> >       char: restore read callback on a reattached (hotplug) chardev
> > 
> > Gonglei (1):
> >       qga: Fix handle fd leak in acquire_privilege()
> > 
> > Hani Benhabiles (5):
> >       usb: Fix usb-bt-dongle initialization.
> >       nbd: Don't export a block device with no medium.
> >       nbd: Don't validate from and len in NBD_CMD_DISC.
> >       nbd: Close socket on negotiation failure.
> >       nbd: Shutdown socket before closing.
> > 
> > Hannes Reinecke (1):
> >       megasas: Implement LD_LIST_QUERY
> > 
> > Hu Tao (1):
> >       qcow2: fix offset overflow in qcow2_alloc_clusters_at()
> > 
> > Jeff Cody (3):
> >       vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
> >       vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
> >       vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
> > 
> > Kevin Wolf (35):
> >       qcow2: Flush metadata during read-only reopen
> >       block: Use BDRV_O_NO_BACKING where appropriate
> >       qemu-iotests: Support for bochs format
> >       bochs: Unify header structs and make them QEMU_PACKED
> >       bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
> >       bochs: Check catalog_size header field (CVE-2014-0143)
> >       bochs: Check extent_size header field (CVE-2014-0142)
> >       bochs: Fix bitmap offset calculation
> >       vpc: Validate block size (CVE-2014-0142)
> >       qcow2: Check header_length (CVE-2014-0144)
> >       qcow2: Check backing_file_offset (CVE-2014-0144)
> >       qcow2: Check refcount table size (CVE-2014-0144)
> >       qcow2: Validate refcount table offset
> >       qcow2: Validate snapshot table offset/size (CVE-2014-0144)
> >       qcow2: Validate active L1 table offset and size (CVE-2014-0144)
> >       qcow2: Fix backing file name length check
> >       qcow2: Zero-initialise first cluster for new images
> >       qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
> >       qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
> >       qcow2: Check new refcount table size on growth
> >       qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref
> >       qcow2: Protect against some integer overflows in bdrv_check
> >       qcow2: Fix new L1 table size check (CVE-2014-0143)
> >       block: Limit request size (CVE-2014-0143)
> >       qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
> >       qcow2: Fix copy_sectors() with VM state
> >       qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
> >       qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
> >       parallels: Fix catalog size integer overflow (CVE-2014-0143)
> >       parallels: Sanity check for s->tracks (CVE-2014-0142)
> >       qcow1: Make padding in the header explicit
> >       qcow1: Check maximum cluster size
> >       qcow1: Validate L2 table size (CVE-2014-0222)
> >       qcow1: Validate image size (CVE-2014-0223)
> >       qcow1: Stricter backing file length check
> > 
> > Le Tan (1):
> >       pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()
> > 
> > Marcelo Tosatti (1):
> >       kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation
> > 
> > Markus Armbruster (10):
> >       scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b
> >       virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path
> >       blockdev: Plug memory leak in blockdev_init()
> >       blockdev: Plug memory leak in drive_init()
> >       block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR
> >       block/vvfat: Plug memory leak in check_directory_consistency()
> >       block/vvfat: Plug memory leak in read_directory()
> >       block/sheepdog: Plug memory leak in sd_snapshot_create()
> >       qemu-img: Plug memory leak in convert command
> >       vnc: Fix tight_detect_smooth_image() for lossless case
> > 
> > Max Filippov (1):
> >       target-xtensa: fix cross-page jumps/calls at the end of TB
> > 
> > Max Reitz (1):
> >       block-commit: speed is an optional parameter
> > 
> > Michael R. Hines (1):
> >       rdma: bug fixes
> > 
> > Michael Roth (3):
> >       virtio: avoid buffer overrun on incoming migration
> >       openpic: avoid buffer overrun on incoming migration
> >       qapi: zero-initialize all QMP command parameters
> > 
> > Michael S. Tsirkin (27):
> >       acpi: fix tables for no-hpet configuration
> >       vmstate: reduce code duplication
> >       vmstate: add VMS_MUST_EXIST
> >       vmstate: add VMSTATE_VALIDATE
> >       virtio-net: fix buffer overflow on invalid state load
> >       virtio-net: out-of-bounds buffer write on invalid state load
> >       virtio-net: out-of-bounds buffer write on load
> >       virtio: out-of-bounds buffer write on invalid state load
> >       ahci: fix buffer overrun on invalid state load
> >       hpet: fix buffer overrun on invalid state load
> >       hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
> >       pl022: fix buffer overun on invalid state load
> >       vmstate: fix buffer overflow in target-arm/machine.c
> >       virtio: validate num_sg when mapping
> >       pxa2xx: avoid buffer overrun on incoming migration
> >       ssi-sd: fix buffer overrun on invalid state load
> >       ssd0323: fix buffer overun on invalid state load
> >       tsc210x: fix buffer overrun on invalid state load
> >       zaurus: fix buffer overrun on invalid state load
> >       virtio-scsi: fix buffer overrun on invalid state load
> >       vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
> >       usb: sanity check setup_index+setup_len in post_load
> >       virtio: validate config_len on load
> >       stellaris_enet: block migration
> >       pci-assign: limit # of msix vectors
> >       virtio: allow mapping up to max queue size
> >       vhost: fix resource leak in error handling
> > 
> > Michael Tokarev (1):
> >       po/Makefile: fix $SRC_PATH reference
> > 
> > Paolo Bonzini (2):
> >       mirror: fix throttling delay calculation
> >       target-i386: fix set of registers zeroed on reset
> > 
> > Peter Crosthwaite (1):
> >       arm: translate.c: Fix smlald Instruction
> > 
> > Peter Lieven (2):
> >       block/iscsi: fix deadlock on scsi check condition
> >       migration: catch unknown flags in ram_load
> > 
> > Peter Maydell (9):
> >       hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
> >       hw/net/stellaris_enet: Correct handling of packet padding
> >       savevm: Ignore minimum_version_id_old if there is no load_state_old
> >       linux-user/elfload.c: Fix incorrect ARM HWCAP bits
> >       linux-user/elfload.c: Update ARM HWCAP bits
> >       linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32
> >       linux-user: Don't overrun guest buffer in sched_getaffinity
> >       target-arm: Fix errors in writes to generic timer control registers
> >       coroutine-win32.c: Add noinline attribute to work around gcc bug
> > 
> > Richard Henderson (3):
> >       target-i386: Fix CC_OP_CLR vs PF
> >       target-i386: Fix ucomis and comis memory access
> >       tcg-i386: Fix win64 qemu store
> > 
> > Stefan Fritsch (1):
> >       virtio-net: Do not filter VLANs without F_CTRL_VLAN
> > 
> > Stefan Hajnoczi (18):
> >       qom: Avoid leaking str and bool properties on failure
> >       tap: avoid deadlocking rx
> >       mirror: fix early wake from sleep due to aio
> >       qemu-iotests: add ./check -cloop support
> >       qemu-iotests: add cloop input validation tests
> >       block/cloop: validate block_size header field (CVE-2014-0144)
> >       block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
> >       block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
> >       block/cloop: refuse images with bogus offsets (CVE-2014-0144)
> >       block/cloop: fix offsets[] size off-by-one
> >       dmg: coding style and indentation cleanup
> >       dmg: prevent out-of-bounds array access on terminator
> >       dmg: drop broken bdrv_pread() loop
> >       dmg: use appropriate types when reading chunks
> >       dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
> >       dmg: use uint64_t consistently for sectors and lengths
> >       dmg: prevent chunk buffer overflow (CVE-2014-0145)
> >       aio: fix qemu_bh_schedule() bh->ctx race condition
> > 
> > Stefan Weil (3):
> >       tests: Fix 'make test' for i686 hosts (build regression)
> >       configure: Don't use __int128_t for clang versions before 3.2
> >       cputlb: Fix regression with TCG interpreter (bug 1310324)
> > 
> > Thomas Huth (2):
> >       s390x/virtio-hcall: Add range check for hypervisor call
> >       s390x/helper: Added format control bit to MMU translation
> > 
> > Ulrich Obergfell (1):
> >       scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c
> > 
> >  arch_init.c                                            |  96 ++++----
> >  async.c                                                |  14 +-
> >  block.c                                                |  40 ++--
> >  block/bochs.c                                          | 109 +++++----
> >  block/cloop.c                                          |  81 ++++++-
> >  block/curl.c                                           |   5 +
> >  block/dmg.c                                            | 275 +++++++++++++---------
> >  block/iscsi.c                                          |   5 +-
> >  block/mirror.c                                         |  37 +--
> >  block/parallels.c                                      |  14 +-
> >  block/qapi.c                                           |   1 +
> >  block/qcow.c                                           |  43 +++-
> >  block/qcow2-cluster.c                                  |  11 +-
> >  block/qcow2-refcount.c                                 | 119 ++++++----
> >  block/qcow2-snapshot.c                                 |  35 +--
> >  block/qcow2.c                                          | 198 ++++++++++++----
> >  block/qcow2.h                                          |  48 +++-
> >  block/sheepdog.c                                       |   4 +-
> >  block/vdi.c                                            |  31 ++-
> >  block/vhdx.c                                           |  12 +-
> >  block/vmdk.c                                           |   2 +-
> >  block/vpc.c                                            |  32 ++-
> >  block/vvfat.c                                          |   6 +-
> >  blockdev-nbd.c                                         |   9 +-
> >  blockdev.c                                             |  11 +-
> >  configure                                              |   5 +
> >  coroutine-win32.c                                      |  13 +-
> >  cputlb.c                                               |   6 +-
> >  docs/migration.txt                                     |  12 +-
> >  hw/arm/omap1.c                                         |  14 +-
> >  hw/arm/omap2.c                                         |   2 +-
> >  hw/arm/pxa2xx.c                                        |  12 +-
> >  hw/arm/spitz.c                                         |   4 +-
> >  hw/arm/z2.c                                            |   2 +-
> >  hw/char/virtio-serial-bus.c                            |  16 +-
> >  hw/core/irq.c                                          |   4 +-
> >  hw/display/ssd0323.c                                   |  24 ++
> >  hw/dma/omap_dma.c                                      |   4 +-
> >  hw/gpio/zaurus.c                                       |  10 +
> >  hw/i386/acpi-build.c                                   |   7 +-
> >  hw/i386/kvm/clock.c                                    |  52 ++++
> >  hw/i386/kvm/pci-assign.c                               |  12 +-
> >  hw/ide/ahci.c                                          |   2 +-
> >  hw/ide/core.c                                          |   2 +-
> >  hw/ide/microdrive.c                                    |   2 +-
> >  hw/input/tsc210x.c                                     |  12 +
> >  hw/intc/openpic.c                                      |  16 +-
> >  hw/misc/cbus.c                                         |   6 +-
> >  hw/net/stellaris_enet.c                                |  23 +-
> >  hw/net/virtio-net.c                                    |  43 +++-
> >  hw/net/vmxnet3.c                                       |  58 ++++-
> >  hw/pci/pci.c                                           |   6 +-
> >  hw/pci/pcie_aer.c                                      |  10 +-
> >  hw/pcmcia/pxa2xx.c                                     |   2 +-
> >  hw/ppc/spapr_pci.c                                     |  16 ++
> >  hw/s390x/css.c                                         |  24 +-
> >  hw/s390x/s390-virtio-hcall.c                           |  11 +-
> >  hw/scsi/megasas.c                                      |  17 ++
> >  hw/scsi/mfi.h                                          |   9 +
> >  hw/scsi/scsi-bus.c                                     |   2 +-
> >  hw/scsi/scsi-disk.c                                    |   2 +-
> >  hw/scsi/scsi-generic.c                                 |   2 -
> >  hw/scsi/spapr_vscsi.c                                  |   1 -
> >  hw/scsi/virtio-scsi.c                                  |  12 +-
> >  hw/sd/omap_mmc.c                                       |   2 +-
> >  hw/sd/sdhci.c                                          |   8 +-
> >  hw/sd/ssi-sd.c                                         |   9 +
> >  hw/sh4/sh7750.c                                        |   3 +-
> >  hw/ssi/pl022.c                                         |  14 ++
> >  hw/timer/hpet.c                                        |  13 +
> >  hw/timer/omap_gptimer.c                                |   4 +-
> >  hw/usb/bus.c                                           |   4 +-
> >  hw/usb/dev-bluetooth.c                                 |  24 +-
> >  hw/virtio/vhost.c                                      |  10 +-
> >  hw/virtio/virtio.c                                     |  25 +-
> >  include/hw/scsi/scsi.h                                 |   2 +-
> >  include/hw/virtio/virtio-net.h                         |   4 +-
> >  include/migration/vmstate.h                            |  11 +-
> >  kvm-all.c                                              |   2 +-
> >  linux-user/elfload.c                                   | 115 +++++++--
> >  linux-user/syscall.c                                   |  16 ++
> >  migration-rdma.c                                       |  20 +-
> >  migration.c                                            |   2 +-
> >  nbd.c                                                  |   7 +-
> >  net/tap.c                                              |   7 +-
> >  po/Makefile                                            |   4 +-
> >  qemu-char.c                                            |  17 +-
> >  qemu-img.c                                             |   2 +-
> >  qemu-nbd.c                                             |   5 +-
> >  qga/commands-win32.c                                   |   6 +-
> >  qom/object.c                                           |  14 +-
> >  savevm.c                                               | 136 ++++++-----
> >  scripts/qapi-commands.py                               |   2 +-
> >  target-arm/helper.c                                    |   8 +-
> >  target-arm/machine.c                                   |   2 +-
> >  target-arm/translate.c                                 |  34 ++-
> >  target-i386/cc_helper.c                                |   2 +-
> >  target-i386/cpu.c                                      |   5 +-
> >  target-i386/cpu.h                                      |   4 +-
> >  target-i386/translate.c                                |  46 +++-
> >  target-s390x/cpu.h                                     |   4 +
> >  target-s390x/helper.c                                  |  70 ++++--
> >  target-s390x/kvm.c                                     |  28 +++
> >  target-xtensa/translate.c                              |   4 +-
> >  tcg/i386/tcg-target.c                                  |   3 +-
> >  tests/qemu-iotests/026.out                             |   6 +-
> >  tests/qemu-iotests/029                                 |  40 +++-
> >  tests/qemu-iotests/029.out                             |  17 ++
> >  tests/qemu-iotests/039                                 |  20 ++
> >  tests/qemu-iotests/039.out                             |  11 +
> >  tests/qemu-iotests/044.out                             |   2 +-
> >  tests/qemu-iotests/075                                 | 106 +++++++++
> >  tests/qemu-iotests/075.out                             |  38 +++
> >  tests/qemu-iotests/076                                 |  76 ++++++
> >  tests/qemu-iotests/076.out                             |  18 ++
> >  tests/qemu-iotests/078                                 |  87 +++++++
> >  tests/qemu-iotests/078.out                             |  26 ++
> >  tests/qemu-iotests/080                                 | 180 ++++++++++++++
> >  tests/qemu-iotests/080.out                             |  83 +++++++
> >  tests/qemu-iotests/088                                 |  64 +++++
> >  tests/qemu-iotests/088.out                             |  17 ++
> >  tests/qemu-iotests/092                                 |  98 ++++++++
> >  tests/qemu-iotests/092.out                             |  38 +++
> >  tests/qemu-iotests/common                              |  21 ++
> >  tests/qemu-iotests/common.rc                           |   3 +
> >  tests/qemu-iotests/group                               |   6 +
> >  tests/qemu-iotests/sample_images/empty.bochs.bz2       | Bin 0 -> 118 bytes
> >  tests/qemu-iotests/sample_images/fake.parallels.bz2    | Bin 0 -> 141 bytes
> >  .../sample_images/simple-pattern.cloop.bz2             | Bin 0 -> 488 bytes
> >  tests/tcg/test_path.c                                  |  13 +-
> >  trace-events                                           |   3 +-
> >  ui/vnc-enc-tight.c                                     |   2 +-
> >  132 files changed, 2692 insertions(+), 696 deletions(-)
> >  create mode 100755 tests/qemu-iotests/075
> >  create mode 100644 tests/qemu-iotests/075.out
> >  create mode 100755 tests/qemu-iotests/076
> >  create mode 100644 tests/qemu-iotests/076.out
> >  create mode 100755 tests/qemu-iotests/078
> >  create mode 100644 tests/qemu-iotests/078.out
> >  create mode 100755 tests/qemu-iotests/080
> >  create mode 100644 tests/qemu-iotests/080.out
> >  create mode 100755 tests/qemu-iotests/088
> >  create mode 100644 tests/qemu-iotests/088.out
> >  create mode 100755 tests/qemu-iotests/092
> >  create mode 100644 tests/qemu-iotests/092.out
> >  create mode 100644 tests/qemu-iotests/sample_images/empty.bochs.bz2
> >  create mode 100644 tests/qemu-iotests/sample_images/fake.parallels.bz2
> >  create mode 100644 tests/qemu-iotests/sample_images/simple-pattern.cloop.bz2
> > 
> > 
> --
> Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK


* Re: [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward
  2014-07-08 17:18 ` [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward Michael Roth
@ 2014-07-15 19:43   ` Paolo Bonzini
  0 siblings, 0 replies; 160+ messages in thread
From: Paolo Bonzini @ 2014-07-15 19:43 UTC (permalink / raw)
  To: Michael Roth, qemu-devel; +Cc: qemu-stable

On 08/07/2014 19:18, Michael Roth wrote:
> From: Alexander Graf <agraf@suse.de>
>
> When we migrate we ask the kernel about its current belief on what the guest
> time would be. However, I've seen cases where the kvmclock guest structure
> indicates a time more recent than the kvm returned time.
>
> To make sure we never go backwards, calculate what the guest would have seen
> as time at the point of migration and use that value instead of the kernel
> returned one when it's more recent.  This bases the view of the kvmclock
> after migration on the same foundation in host as well as guest.
>
> Signed-off-by: Alexander Graf <agraf@suse.de>
> Cc: qemu-stable@nongnu.org
> Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> (cherry picked from commit a096b3a6732f846ec57dc28b47ee9435aa0609bf)
> Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
> ---
>  hw/i386/kvm/clock.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 48 insertions(+)
>
> diff --git a/hw/i386/kvm/clock.c b/hw/i386/kvm/clock.c
> index 383938d..be5f867 100644
> --- a/hw/i386/kvm/clock.c
> +++ b/hw/i386/kvm/clock.c
> @@ -14,6 +14,7 @@
>   */
>
>  #include "qemu-common.h"
> +#include "qemu/host-utils.h"
>  #include "sysemu/sysemu.h"
>  #include "sysemu/kvm.h"
>  #include "hw/sysbus.h"
> @@ -34,6 +35,47 @@ typedef struct KVMClockState {
>      bool clock_valid;
>  } KVMClockState;
>
> +struct pvclock_vcpu_time_info {
> +    uint32_t   version;
> +    uint32_t   pad0;
> +    uint64_t   tsc_timestamp;
> +    uint64_t   system_time;
> +    uint32_t   tsc_to_system_mul;
> +    int8_t     tsc_shift;
> +    uint8_t    flags;
> +    uint8_t    pad[2];
> +} __attribute__((__packed__)); /* 32 bytes */
> +
> +static uint64_t kvmclock_current_nsec(KVMClockState *s)
> +{
> +    CPUState *cpu = first_cpu;
> +    CPUX86State *env = cpu->env_ptr;
> +    hwaddr kvmclock_struct_pa = env->system_time_msr & ~1ULL;
> +    uint64_t migration_tsc = env->tsc;
> +    struct pvclock_vcpu_time_info time;
> +    uint64_t delta;
> +    uint64_t nsec_lo;
> +    uint64_t nsec_hi;
> +    uint64_t nsec;
> +
> +    if (!(env->system_time_msr & 1ULL)) {
> +        /* KVM clock not active */
> +        return 0;
> +    }
> +
> +    cpu_physical_memory_read(kvmclock_struct_pa, &time, sizeof(time));
> +
> +    delta = migration_tsc - time.tsc_timestamp;
> +    if (time.tsc_shift < 0) {
> +        delta >>= -time.tsc_shift;
> +    } else {
> +        delta <<= time.tsc_shift;
> +    }
> +
> +    mulu64(&nsec_lo, &nsec_hi, delta, time.tsc_to_system_mul);
> +    nsec = (nsec_lo >> 32) | (nsec_hi << 32);
> +    return nsec + time.system_time;
> +}
>
>  static void kvmclock_vm_state_change(void *opaque, int running,
>                                       RunState state)
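Review bot: every field of `time` comes from guest memory at a guest-chosen address (`env->system_time_msr & ~1ULL`) and is used unchecked, so the guest controls both shift amounts in `kvmclock_current_nsec()`: `delta >>= -time.tsc_shift` and `delta <<= time.tsc_shift` are undefined behaviour for |shift| >= 64, and `-time.tsc_shift` is 128 when the `int8_t` holds -128. `delta = migration_tsc - time.tsc_timestamp` also wraps to a value near 2^64 whenever the record's `tsc_timestamp` is ahead of `env->tsc`, and that garbage then becomes the clock handed to KVM. Suggest rejecting `tsc_shift` outside (-64, 64) and a `tsc_timestamp` newer than `migration_tsc`, and checking `time.version` for an in-progress update (odd value) before trusting the record. Two further points: the function only looks at `first_cpu`, although `system_time_msr` is per-vCPU, and returning 0 for "kvmclock not active" overloads a value that is also a legitimate clock reading, which the caller in the next hunk cannot tell apart.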
> @@ -45,9 +87,15 @@ static void kvmclock_vm_state_change(void *opaque, int running,
>
>      if (running) {
>          struct kvm_clock_data data;
> +        uint64_t time_at_migration = kvmclock_current_nsec(s);
>
>          s->clock_valid = false;
>
> +	/* We can't rely on the migrated clock value, just discard it */
> +	if (time_at_migration) {
> +	        s->clock = time_at_migration;
> +	}
> +
>          data.clock = s->clock;
>          data.flags = 0;
>          ret = kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, &data);
>
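Review bot: the comment `/* We can't rely on the migrated clock value, just discard it */` does not describe the code under it: `s->clock` is overwritten whenever `time_at_migration` is non-zero, with no comparison against the migrated value, so nothing in this hunk guarantees the "never goes backward" of the subject, and the commit message's "use that value ... when it's more recent" would read `if (time_at_migration > s->clock)`. Either add the comparison or reword the comment to say the migrated value is always replaced. The four inserted lines are also tab-indented while the surrounding file uses four-space indentation. Note too that this path runs on every transition to running, not only after an incoming migration, and that it depends on `env->tsc` being current at the point of migration; the thread index lists [PATCH 137/156] "Ensure proper env->tsc value for kvmclock_current_nsec calculation" as the fix for exactly that, so this patch should not be picked into stable without it.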

Michael, please skip this patch and the next one, as I'll be reverting 
them from 2.1 as well.

Paolo


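The quoted patch's arithmetic, worked through as an added example (not QEMU's code and not the patch author's): it derives the guest-visible kvmclock time from a `pvclock_vcpu_time_info` record with the guest-controlled fields validated first, and picks the resume clock as the later of the migrated and guest-derived values. The record layout is the one the patch quotes; the status codes, `pvclock_guest_nsec()`, `kvmclock_resume_value()`, the resume policy and the sample record values are assumptions made for this example.

```c
/*
 * Added example, not QEMU code: recompute the guest-visible kvmclock time
 * from a pvclock_vcpu_time_info record the way the quoted patch does, but
 * with every guest-controlled field checked before it is used.  The record
 * layout is the one the patch quotes; the status codes, the sample record
 * and the resume policy below are assumptions made for this example.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

struct pvclock_vcpu_time_info {
    uint32_t version;
    uint32_t pad0;
    uint64_t tsc_timestamp;
    uint64_t system_time;
    uint32_t tsc_to_system_mul;
    int8_t   tsc_shift;
    uint8_t  flags;
    uint8_t  pad[2];
} __attribute__((__packed__));           /* 32 bytes */

enum pvclock_status {
    PVCLOCK_OK = 0,
    PVCLOCK_UPDATING,        /* odd version: record is mid-update */
    PVCLOCK_BAD_SHIFT,       /* |tsc_shift| >= 64 is UB on a uint64_t */
    PVCLOCK_TSC_BACKWARDS,   /* record's tsc_timestamp is ahead of our TSC */
    PVCLOCK_OVERFLOW,        /* system_time + scaled delta wraps */
};

/*
 * (delta << shift) * mul >> 32 with a 96-bit intermediate, built from two
 * 32x32-bit products so no 128-bit type is needed; this equals the
 * (nsec_lo >> 32) | (nsec_hi << 32) the patch assembles from mulu64().
 * Caller guarantees -64 < shift < 64.  Bits shifted out on the left are
 * lost, exactly as in the patch.
 */
static uint64_t pvclock_scale_delta(uint64_t delta, uint32_t mul, int shift)
{
    uint64_t lo, hi;

    if (shift < 0) {
        delta >>= -shift;
    } else {
        delta <<= shift;
    }
    lo = (delta & 0xffffffffULL) * mul;   /* bits [0..63] of the product */
    hi = (delta >> 32) * mul;             /* bits [32..95] */
    return hi + (lo >> 32);               /* cannot wrap: hi <= 2^64-2^33+1 */
}

/* Guest-visible nanoseconds at TSC value tsc_now, or a reason to refuse. */
static enum pvclock_status
pvclock_guest_nsec(const struct pvclock_vcpu_time_info *ti, uint64_t tsc_now,
                   uint64_t *nsec_out)
{
    uint64_t delta, scaled;

    /* The record lives in guest memory: KVM marks an update in progress
     * with an odd version, and the guest itself can write anything here. */
    if (ti->version & 1) {
        return PVCLOCK_UPDATING;
    }
    if (ti->tsc_shift <= -64 || ti->tsc_shift >= 64) {
        return PVCLOCK_BAD_SHIFT;
    }
    if (tsc_now < ti->tsc_timestamp) {
        return PVCLOCK_TSC_BACKWARDS;     /* unsigned delta would wrap */
    }
    delta = tsc_now - ti->tsc_timestamp;
    scaled = pvclock_scale_delta(delta, ti->tsc_to_system_mul, ti->tsc_shift);
    if (scaled > UINT64_MAX - ti->system_time) {
        return PVCLOCK_OVERFLOW;
    }
    *nsec_out = ti->system_time + scaled;
    return PVCLOCK_OK;
}

/*
 * Clock to hand to KVM_SET_CLOCK on resume.  "Never goes backward" means
 * taking the later of the migrated value and the guest-derived one; when
 * kvmclock is inactive or the record fails validation, keep the migrated
 * value instead of a sentinel.  (Policy assumed for this example.)
 */
static uint64_t kvmclock_resume_value(uint64_t migrated_clock, bool clock_active,
                                      const struct pvclock_vcpu_time_info *ti,
                                      uint64_t tsc_at_migration)
{
    uint64_t guest_nsec;

    if (!clock_active ||
        pvclock_guest_nsec(ti, tsc_at_migration, &guest_nsec) != PVCLOCK_OK) {
        return migrated_clock;
    }
    return guest_nsec > migrated_clock ? guest_nsec : migrated_clock;
}

/* Constructed sample record (not captured from a real guest): one TSC tick
 * shifted left by 1 and multiplied by 0.5 (0x80000000 in 32.32 fixed point)
 * is one nanosecond, so 1000 ticks after tsc_timestamp gives 5000 + 1000. */
static const struct pvclock_vcpu_time_info sample_record = {
    .version = 2, .tsc_timestamp = 1000, .system_time = 5000,
    .tsc_to_system_mul = 0x80000000u, .tsc_shift = 1,
};

int main(void)
{
    uint64_t ns = 0;
    enum pvclock_status st = pvclock_guest_nsec(&sample_record, 2000, &ns);

    printf("status %d guest_nsec %llu\n", (int)st, (unsigned long long)ns);
    printf("resume clock %llu\n", (unsigned long long)
           kvmclock_resume_value(7000, true, &sample_record, 2000));
    return 0;
}
```

Build with `cc -std=gnu99 -Wall`. The split 32x32-bit multiply is deliberate: it avoids `__int128`, which this same stable series disables for older clang ("configure: Don't use __int128_t for clang versions before 3.2"), and it keeps the 96-bit intermediate exact.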
end of thread

Thread overview: 160+ messages
2014-07-08 17:16 [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 001/156] char: restore read callback on a reattached (hotplug) chardev Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 002/156] scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 003/156] block/iscsi: fix deadlock on scsi check condition Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 004/156] s390x/virtio-hcall: Add range check for hypervisor call Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 005/156] target-i386: Fix CC_OP_CLR vs PF Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 006/156] target-i386: Fix ucomis and comis memory access Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 007/156] scsi: Change scsi sense buf size to 252 Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 008/156] qom: Avoid leaking str and bool properties on failure Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 009/156] tap: avoid deadlocking rx Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 010/156] tests: Fix 'make test' for i686 hosts (build regression) Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 011/156] configure: Don't use __int128_t for clang versions before 3.2 Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 012/156] mirror: fix throttling delay calculation Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 013/156] mirror: fix early wake from sleep due to aio Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 014/156] virtio-net: Do not filter VLANs without F_CTRL_VLAN Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 016/156] hw/net/stellaris_enet: Correct handling of packet padding Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 017/156] qcow2: Flush metadata during read-only reopen Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 018/156] block-commit: speed is an optional parameter Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 019/156] ide: Correct improper smart self test counter reset in ide core Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 020/156] megasas: Implement LD_LIST_QUERY Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 021/156] arm: translate.c: Fix smlald Instruction Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 022/156] block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 023/156] block: Use BDRV_O_NO_BACKING where appropriate Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 024/156] s390x/helper: Added format control bit to MMU translation Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 025/156] s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 027/156] acpi: fix tables for no-hpet configuration Michael Roth
2014-07-08 17:16 ` [Qemu-devel] [PATCH 028/156] vmxnet3: validate interrupt indices coming from guest Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 029/156] vmxnet3: validate queues configuration " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 030/156] vmxnet3: validate interrupt indices read on migration Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 031/156] vmxnet3: validate queues configuration " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 032/156] vmstate: reduce code duplication Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 033/156] vmstate: add VMS_MUST_EXIST Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 034/156] vmstate: add VMSTATE_VALIDATE Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 035/156] virtio-net: fix buffer overflow on invalid state load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 036/156] virtio-net: out-of-bounds buffer write " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 037/156] virtio-net: out-of-bounds buffer write on load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 038/156] virtio: out-of-bounds buffer write on invalid state load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 039/156] ahci: fix buffer overrun " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 040/156] hpet: " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 041/156] hw/pci/pcie_aer.c: fix buffer overruns " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 042/156] pl022: fix buffer overun " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 043/156] Fix vmstate_info_int32_le comparison/assign Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 044/156] vmstate: fix buffer overflow in target-arm/machine.c Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 045/156] virtio: avoid buffer overrun on incoming migration Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 046/156] openpic: " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 047/156] virtio: validate num_sg when mapping Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 048/156] pxa2xx: avoid buffer overrun on incoming migration Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 049/156] ssi-sd: fix buffer overrun on invalid state load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 050/156] ssd0323: fix buffer overun " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 051/156] tsc210x: fix buffer overrun " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 052/156] zaurus: " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 053/156] virtio-scsi: " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 054/156] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 055/156] usb: sanity check setup_index+setup_len in post_load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 056/156] savevm: Ignore minimum_version_id_old if there is no load_state_old Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 057/156] virtio: validate config_len on load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 058/156] stellaris_enet: block migration Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 059/156] target-i386: fix set of registers zeroed on reset Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 060/156] target-arm: Make vbar_write 64bit friendly on 32bit hosts Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 061/156] linux-user/elfload.c: Fix incorrect ARM HWCAP bits Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 062/156] linux-user/elfload.c: Update " Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 063/156] linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 064/156] spapr_pci: Fix number of returned vectors in ibm, change-msi Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 065/156] pci-assign: limit # of msix vectors Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 066/156] virtio: allow mapping up to max queue size Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 067/156] migration: remove duplicate code Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 068/156] migration: catch unknown flags in ram_load Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 069/156] qemu-iotests: add ./check -cloop support Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 070/156] qemu-iotests: add cloop input validation tests Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 071/156] block/cloop: validate block_size header field (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 072/156] block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 073/156] block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 074/156] block/cloop: refuse images with bogus offsets (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 075/156] block/cloop: fix offsets[] size off-by-one Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 076/156] qemu-iotests: Support for bochs format Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 077/156] bochs: Unify header structs and make them QEMU_PACKED Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 078/156] bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 079/156] bochs: Check catalog_size header field (CVE-2014-0143) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 080/156] bochs: Check extent_size header field (CVE-2014-0142) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 081/156] bochs: Fix bitmap offset calculation Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 082/156] vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 083/156] vpc: Validate block size (CVE-2014-0142) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 084/156] vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 085/156] vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 086/156] curl: check data size before memcpy to local buffer. (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 087/156] qcow2: Check header_length (CVE-2014-0144) Michael Roth
2014-07-08 17:17 ` [Qemu-devel] [PATCH 088/156] qcow2: Check backing_file_offset (CVE-2014-0144) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 089/156] qcow2: Check refcount table size (CVE-2014-0144) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 090/156] qcow2: Validate refcount table offset Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 091/156] qcow2: Validate snapshot table offset/size (CVE-2014-0144) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 092/156] qcow2: Validate active L1 table offset and size (CVE-2014-0144) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 093/156] qcow2: Fix backing file name length check Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 094/156] qcow2: fix offset overflow in qcow2_alloc_clusters_at() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 096/156] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 097/156] qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 098/156] qcow2: Check new refcount table size on growth Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 099/156] qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 102/156] dmg: coding style and indentation cleanup Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 103/156] dmg: prevent out-of-bounds array access on terminator Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 104/156] dmg: drop broken bdrv_pread() loop Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 105/156] dmg: use appropriate types when reading chunks Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 106/156] dmg: sanitize chunk length and sectorcount (CVE-2014-0145) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 107/156] dmg: use uint64_t consistently for sectors and lengths Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 109/156] block: Limit request size (CVE-2014-0143) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 111/156] qcow2: Fix copy_sectors() with VM state Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 112/156] qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 113/156] qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 114/156] parallels: Fix catalog size integer overflow (CVE-2014-0143) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 116/156] qcow1: Make padding in the header explicit Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 117/156] qcow1: Check maximum cluster size Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 119/156] qcow1: Validate image size (CVE-2014-0223) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 120/156] qcow1: Stricter backing file length check Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 121/156] virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 122/156] target-xtensa: fix cross-page jumps/calls at the end of TB Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 123/156] cputlb: Fix regression with TCG interpreter (bug 1310324) Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 124/156] blockdev: Plug memory leak in blockdev_init() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 125/156] blockdev: Plug memory leak in drive_init() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 126/156] block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 127/156] block/vvfat: Plug memory leak in check_directory_consistency() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 128/156] block/vvfat: Plug memory leak in read_directory() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 129/156] block/sheepdog: Plug memory leak in sd_snapshot_create() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 130/156] qemu-img: Plug memory leak in convert command Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 132/156] tcg-i386: Fix win64 qemu store Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic timer control registers Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 134/156] s390x/css: handle emw correctly for tsch Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward Michael Roth
2014-07-15 19:43   ` Paolo Bonzini
2014-07-08 17:18 ` [Qemu-devel] [PATCH 137/156] kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 138/156] qga: Fix handle fd leak in acquire_privilege() Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 139/156] rdma: bug fixes Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 141/156] vhost: fix resource leak in error handling Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 142/156] usb: Fix usb-bt-dongle initialization Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 143/156] KVM: Fix GSI number space limit Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 144/156] coroutine-win32.c: Add noinline attribute to work around gcc bug Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 145/156] target-i386: Filter FEAT_7_0_EBX TCG features too Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 146/156] virtio-net: byteswap virtio-net header Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 147/156] virtio-serial: don't migrate the config space Michael Roth
2014-07-08 17:18 ` [Qemu-devel] [PATCH 148/156] nbd: Don't export a block device with no medium Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 149/156] nbd: Don't validate from and len in NBD_CMD_DISC Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 150/156] nbd: Close socket on negotiation failure Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 151/156] nbd: Shutdown socket before closing Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 152/156] qapi: zero-initialize all QMP command parameters Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 153/156] vnc: Fix tight_detect_smooth_image() for lossless case Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 154/156] sdhci: Fix misuse of qemu_free_irqs() Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 155/156] hw: Fix qemu_allocate_irqs() leaks Michael Roth
2014-07-08 17:19 ` [Qemu-devel] [PATCH 156/156] pci: assign devfn to pci_dev before calling pci_device_iommu_address_space() Michael Roth
2014-07-09 17:43 ` [Qemu-devel] Patch Round-up for stable 1.7.2, freeze on 2014-07-14 Dr. David Alan Gilbert
2014-07-10 18:05   ` Michael Roth
