aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-05-07xen: move Xen PV machine files to hw/xenpvWei Liu
Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07qemu-xen: free all the pirqs for msi/msix when driver unloadZhenzhong Duan
Pirqs are not freed when driver unload, then new pirqs are allocated when driver reload. This could exhaust pirqs if do it in a loop. This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in msi/msix control reg. There is also other way of fixing it such as reuse pirqs between driver reload, but this way is better. Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2 Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07exec: Limit translation limiting in address_space_translate to xenAlexey Kardashevskiy
The address_space_translate() function cuts the returned plen (page size) to hardcoded TARGET_PAGE_SIZE. This function can be used on pages bigger than that so this limiting should not be used on such pages. Since originally the limiting was introduced for XEN, we can safely limit this piece of code to XEN. So does the patch. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2014-05-07Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140507' into stagingPeter Maydell
Some improvements for s390. Two patches deal with address translation, one fixes a problem in the channel subsystem code. # gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF # gpg: Can't check signature: public key not found * remotes/cohuck/tags/s390x-20140507: s390x/css: Don't save orb in subchannel. s390x/helper: Added format control bit to MMU translation s390x/helper: Fixed real-to-absolute address translation Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' ↵Peter Maydell
into staging migration/next for 20140505 # gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723 # gpg: Can't check signature: public key not found * remotes/juanquintela/tags/migration/20140505: (36 commits) migration: expose xbzrle cache miss rate migration: expose the bitmap_sync_count to the end migration: Add counts of updating the dirty bitmap XBZRLE: Fix one XBZRLE corruption issues migration: remove duplicate code Coverity: Fix failure path for qemu_accept in migration Init the XBZRLE.lock in ram_mig_init Provide init function for ram migration Count used RAMBlock pages for migration_dirty_pages Make qemu_peek_buffer loop until it gets it's data Disallow outward migration while awaiting incoming migration virtio: validate config_len on load virtio-net: out-of-bounds buffer write on load openpic: avoid buffer overrun on incoming migration ssi-sd: fix buffer overrun on invalid state load savevm: Ignore minimum_version_id_old if there is no load_state_old usb: sanity check setup_index+setup_len in post_load vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ virtio-scsi: fix buffer overrun on invalid state load zaurus: fix buffer overrun on invalid state load ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' ↵Peter Maydell
into staging QOM/QTest infrastructure fixes and device conversions * -device / device_add assertion fix * QEMUMachine conversion to MachineClass * Device error handling improvements * QTest cleanups and test cases for some more PCI devices * PortIO memory leak fixes # gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F # gpg: Good signature from "Andreas Färber <afaerber@suse.de>" # gpg: aka "Andreas Färber <afaerber@suse.com>" * remotes/afaerber/tags/qom-devices-for-peter: PortioList: Store PortioList in device state tests: Add EHCI qtest tests: Add ioh3420 qtest tests: Add intel-hda qtests tests: Add es1370 qtest tests: Add ac97 qtest qtest: Be paranoid about accept() addrlen argument qtest: Add error reporting to socket_accept() qtest: Assure that init_socket()'s listen() does not fail MAINTAINERS: Document QOM arm: Clean up fragile use of error_is_set() in realize() methods qom: Clean up fragile use of error_is_set() in set() methods hw: Consistently name Error ** objects errp, and not err hw: Consistently name Error * objects err, and not errp machine: Remove QEMUMachine indirection from MachineClass machine: Replace QEMUMachine by MachineClass in accelerator configuration vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs machine: Copy QEMUMachine's fields to MachineClass machine: Remove obsoleted field from QEMUMachine qdev: Fix crash by validating the object type Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07s390x/css: Don't save orb in subchannel.Cornelia Huck
Current css code saves the operation request block (orb) in the subchannel structure for later consumption by the start function handler. This might make sense for asynchronous execution of the start function (which qemu doesn't support), but not in our case; it would even be wrong since orb contains a reference to a local variable in the base ssch handler. Let's just pass the orb through the start function call chain for ssch; for rsch, we can pass NULL as the backend function does not use any information passed via the orb there. Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-05-07s390x/helper: Added format control bit to MMU translationThomas Huth
With the EDAT-1 facility, the MMU translation can stop at the segment table already, pointing to a 1 MB block. And while we're at it, move the page table entry handling to a separate function, too, as suggested by Alexander Graf. Acked-by: Alexander Graf <agraf@suse.de> Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-05-07s390x/helper: Fixed real-to-absolute address translationThomas Huth
The real-to-absolute address translation in mmu_translate() was missing the second part for translating the page at the prefix address back to the 0 page. And while we're at it, also moved the code into a separate helper function since this might come in handy for other parts of the code, too. Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Reviewed-by: Alexander Graf <agraf@suse.de> Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2014-05-06Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-6' into stagingPeter Maydell
ohci live migration. mtp bugfixes. # gpg: Signature made Mon 05 May 2014 12:08:48 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-usb-6: usb: mtp: reply INCOMPLETE_TRANSFER on read errors usb: mtp: fix possible buffer overflow usb: mtp: drop data-out hexdump usb: mtp: avoid empty description string usb: mtp: fix error path memory leak usb: mtp: fix serial (must be exact 32 chars) usb: mtp: fix version (is decimal not bcd) usb: mtp: fix usb_mtp_add_u64 usb: mtp: replace debug printfs with trace points usb-ohci: Add vmstate descriptor Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-06Merge remote-tracking branch 'remotes/kraxel/tags/pull-smbios-2' into stagingPeter Maydell
smbios: make qemu generate smbios tables. # gpg: Signature made Mon 05 May 2014 12:20:27 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-smbios-2: SMBIOS: Build aggregate smbios tables and entry point SMBIOS: Use bitmaps to prevent incompatible comand line options SMBIOS: Use macro to set smbios defaults SMBIOS: Update header file definitions SMBIOS: Rename symbols to better reflect future use E820: Add interface for accessing e820 table pc: add 2.1 machine type Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-06Merge remote-tracking branch 'remotes/rth/tgt-axp' into stagingPeter Maydell
* remotes/rth/tgt-axp: target-alpha: Fix RDUSP Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-06Merge remote-tracking branch 'remotes/riku/linux-user-for-upstream' into stagingPeter Maydell
* remotes/riku/linux-user-for-upstream: linux-user: fix getrusage and wait4 failures with invalid rusage struct linux-user/elfload.c: Support ARM HWCAP2 flags linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 linux-user/elfload.c: Update ARM HWCAP bits linux-user/elfload.c: Fix incorrect ARM HWCAP bits linux-user: remove configure option for setting uname release linux-user: move uname functions to uname.c linux-user: rename cpu-uname -> uname linux-user/signal.c: Set fault address in AArch64 signal info linux-user: avoid using glibc internals in _syscall5 and in definition of target_sigevent struct linux-user: Handle arches with llseek instead of _llseek linux-user: Add support for SCM_CREDENTIALS. linux-user: Move if-elses to a switch statement. linux-user: Assert stack used for auxvec, envp, argv linux-user: Add /proc/self/exe open forwarding Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-05migration: expose xbzrle cache miss rateChenLiang
expose xbzrle cache miss rate Signed-off-by: ChenLiang <chenliang88@huawei.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05migration: expose the bitmap_sync_count to the endChenLiang
expose the count that logs the times of updating the dirty bitmap to end user. Signed-off-by: ChenLiang <chenliang88@huawei.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05migration: Add counts of updating the dirty bitmapChenLiang
Add counts to log the times of updating the dirty bitmap. Signed-off-by: ChenLiang <chenliang88@huawei.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05XBZRLE: Fix one XBZRLE corruption issuesChenLiang
The page may not be inserted into cache after executing save_xbzrle_page. In case of failure to insert, the original page should be sent rather than the page in the cache. Signed-off-by: ChenLiang <chenliang88@huawei.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05migration: remove duplicate codeChenLiang
version_id is checked twice in the ram_load. Signed-off-by: ChenLiang <chenliang88@huawei.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Coverity: Fix failure path for qemu_accept in migrationDr. David Alan Gilbert
Coverity defects 1005733 & 1005734 complain about passing a negative value to closesocket in the error paths on incoming migration. Stash the error value and print it in the message (previously we gave no indication of the reason for the failure) Use error_report Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Init the XBZRLE.lock in ram_mig_initDr. David Alan Gilbert
Initialising the XBZRLE.lock earlier simplifies the lock use. Based on Markus's patch in: http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Provide init function for ram migrationDr. David Alan Gilbert
Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff to do with ram migration (currently in arch_init.c). Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Count used RAMBlock pages for migration_dirty_pagesDr. David Alan Gilbert
This is a fix for a bug* triggered by a migration after hot unplugging a few virtio-net NICs, that caused migration never to converge, because 'migration_dirty_pages' is incorrectly initialised. 'migration_dirty_pages' is used as a tally of the number of outstanding dirty pages, to give the migration code an idea of how much more data will need to be transferred, and thus whether it can end the iterative phase. It was initialised to the total size of the RAMBlock address space, however hotunplug can leave this space sparse, and hence migration_dirty_pages ended up too large. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> (* https://bugzilla.redhat.com/show_bug.cgi?id=1074913 ) Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Make qemu_peek_buffer loop until it gets it's dataDr. David Alan Gilbert
Make qemu_peek_buffer repeatedly call fill_buffer until it gets all the data it requires, or until there is an error. At the moment, qemu_peek_buffer will try one qemu_fill_buffer if there isn't enough data waiting, however the kernel is entitled to return just a few bytes, and still leave qemu_peek_buffer with less bytes than it needed. I've seen this fail in a dev world, and I think it could theoretically fail in the peeking of the subsection headers in the current world. Comment qemu_peek_byte to point out it's not guaranteed to work for non-continuous peeks Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: ChenLiang <chenliang0016@icloud.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05Disallow outward migration while awaiting incoming migrationDr. David Alan Gilbert
QEMU will assert if you attempt to start an outgoing migration on a QEMU that's sitting waiting for an incoming migration (started with -incoming), so disallow it with a proper error. (This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1086987 ) Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: validate config_len on loadMichael S. Tsirkin
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio-net: out-of-bounds buffer write on loadMichael S. Tsirkin
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c > } else if (n->mac_table.in_use) { > uint8_t *buf = g_malloc0(n->mac_table.in_use); We are allocating buffer of size n->mac_table.in_use > qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN); and read to the n->mac_table.in_use size buffer n->mac_table.in_use * ETH_ALEN bytes, corrupting memory. If adversary controls state then memory written there is controlled by adversary. Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05openpic: avoid buffer overrun on incoming migrationMichael Roth
CVE-2013-4534 opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the value read from the wire exceeds MAX_CPU. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Reviewed-by: Alexander Graf <agraf@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ssi-sd: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05savevm: Ignore minimum_version_id_old if there is no load_state_oldPeter Maydell
At the moment we require vmstate definitions to set minimum_version_id_old to the same value as minimum_version_id if they do not provide a load_state_old handler. Since the load_state_old functionality is required only for a handful of devices that need to retain migration compatibility with a pre-vmstate implementation, this means the bulk of devices have pointless boilerplate. Relax the definition so that minimum_version_id_old is ignored if there is no load_state_old handler. Note that under the old scheme we would segfault if the vmstate specified a minimum_version_id_old that was less than minimum_version_id but did not provide a load_state_old function, and the incoming state specified a version number between minimum_version_id_old and minimum_version_id. Under the new scheme this will just result in our failing the migration. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05usb: sanity check setup_index+setup_len in post_loadMichael S. Tsirkin
CVE-2013-4541 s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data. setup_len and setup_index should be checked to make sure they are not negative. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/Michael S. Tsirkin
As the macro verifies the value is positive, rename it to make the function clearer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio-scsi: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4542 hw/scsi/scsi-bus.c invokes load_request. virtio_scsi_load_request does: qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem)); this probably can make elem invalid, for example, make in_num or out_num huge, then: virtio_scsi_parse_req(s, vs->cmd_vqs[n], req); will do: if (req->elem.out_num > 1) { qemu_sgl_init_external(req, &req->elem.out_sg[1], &req->elem.out_addr[1], req->elem.out_num - 1); } else { qemu_sgl_init_external(req, &req->elem.in_sg[1], &req->elem.in_addr[1], req->elem.in_num - 1); } and this will access out of array bounds. Note: this adds security checks within assert calls since SCSIBusInfo's load_request cannot fail. For now simply disable builds with NDEBUG - there seems to be little value in supporting these. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05zaurus: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4540 Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that causes a buffer overrun. Since prev_level comes from wire indirectly, this can happen on invalid state load. Similarly for gpio_level and gpio_dir. To fix, limit to 16 bit. Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05tsc210x: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4539 s->precision, nextprecision, function and nextfunction come from wire and are used as idx into resolution[] in TSC_CUT_RESOLUTION. Validate after load to avoid buffer overrun. Cc: Andreas Färber <afaerber@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ssd0323: fix buffer overun on invalid state loadMichael S. Tsirkin
CVE-2013-4538 s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indicies into framebuffer array. To fix validate after load. Additionally, validate that the row/col_start/end are within bounds; otherwise the guest can provoke an overrun by either setting the _end field so large that the row++ increments just walk off the end of the array, or by setting the _start value to something bogus and then letting the "we hit end of row" logic reset row to row_start. For completeness, validate mode as well. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05pxa2xx: avoid buffer overrun on incoming migrationMichael S. Tsirkin
CVE-2013-4533 s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire. Fix this by validating rx_level against the size of s->rx_fifo. Cc: Don Koch <dkoch@verizon.com> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Don Koch <dkoch@verizon.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: validate num_sg when mappingMichael S. Tsirkin
CVE-2013-4535 CVE-2013-4536 Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. To fix, validate num_sg. Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: Amit Shah <amit.shah@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: avoid buffer overrun on incoming migrationMichael Roth
CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data originating from the source. Fix this by failing migration if the value from the wire exceeds VIRTIO_PCI_QUEUE_MAX. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05vmstate: fix buffer overflow in target-arm/machine.cMichael S. Tsirkin
CVE-2013-4531 cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow. VMSTATE_INT32_LE was supposed to protect against this but doesn't because it doesn't validate that input is non-negative. Fix this macro to valide the value appropriately. The only other user of VMSTATE_INT32_LE doesn't ever use negative numbers so it doesn't care. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05pl022: fix buffer overun on invalid state loadMichael S. Tsirkin
CVE-2013-4530 pl022.c did not bounds check tx_fifo_head and rx_fifo_head after loading them from file and before they are used to dereference array. Reported-by: Michael S. Tsirkin <mst@redhat.com Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05hw/pci/pcie_aer.c: fix buffer overruns on invalid state loadMichael S. Tsirkin
4) CVE-2013-4529 hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is too large There are two issues in this file: 1. log_max from remote can be larger than on local then buffer will overrun with data coming from state file. 2. log_num can be larger then we get data corruption again with an overflow but not adversary controlled. Fix both issues. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Reported-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05hpet: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4527 hw/timer/hpet.c buffer overrun hpet is a VARRAY with a uint8 size but static array of 32 To fix, make sure num_timers is valid using VMSTATE_VALID hook. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05ahci: fix buffer overrun on invalid state loadMichael S. Tsirkin
CVE-2013-4526 Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So we use the old version of ports to read the array but then allow any value for ports. This can cause the code to overflow. There's no reason to migrate ports - it never changes. So just make sure it matches. Reported-by: Anthony Liguori <anthony@codemonkey.ws> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05virtio: out-of-bounds buffer write on invalid state loadMichael S. Tsirkin
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in virtio_load@hw/virtio/virtio.c So we have this code since way back when: num = qemu_get_be32(f); for (i = 0; i < num; i++) { vdev->vq[i].vring.num = qemu_get_be32(f); array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05PortioList: Store PortioList in device stateKirill Batuzov
PortioList is an abstraction used for construction of MemoryRegionPortioList from MemoryRegionPortio. It can be used later to unmap created memory regions. It also requires proper cleanup because some of the memory inside is allocated dynamically. By moving PortioList ot device state we make it possible to cleanup later and avoid leaking memory. This change spans several target platforms. The following testcases cover all changed lines: qemu-system-ppc -M prep qemu-system-i386 -vga qxl qemu-system-i386 -M isapc -soundhw adlib -device ib700,id=watchdog0,bus=isa.0 Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add EHCI qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add ioh3420 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add intel-hda qtestsAndreas Färber
Test both the ich6 and the ich9 version (cf. q35 config) and all the codecs. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add es1370 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>
2014-05-05tests: Add ac97 qtestAndreas Färber
Signed-off-by: Andreas Färber <afaerber@suse.de>