| Age | Commit message (Collapse) | Author |
|---|
|
* remotes/bonzini/configure:
libcacard: remove libcacard-specific CFLAGS and LIBS from global vars
build: simplify and fix fix-obj-vars
build: convert some obj-specific CFLAGS to use new foo.o-cflags syntax
build: add support for per-object -cflags and -libs to all rules
Makefile: use $(INSTALL_LIB) for modules not $(INSTALL_PROG)
Makefile.target: use $(INSTALL_PROG) for installing, not $(INSTALL)
Makefile: strip tools and modules too
build: simplify Makefile.target around unnest-vars invocations
build: simplify Makefile.target a bit, use just one rule for softmmu
build: Fix per-object variables for Makefile.target
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
There was some modulo logic to ensure that Microblaze always booted into
physical RAM regardless of the elf entry. Removed it, as QEMU should fail
gracefully when given a bad elf, rather than attempt to run it.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
|
|
The TCSR register has only 11 valid bits. This is now used by the
linux kernel to auto-detect endianness, and causes Linux 3.15-rc1
and later to hang when run under qemu-microblaze. Mask valid bits
before writing the register to solve the problem.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
|
|
The MER register only has two valid bits. This is now used by
the linux kernel to auto-detect endianness, and causes Linux 3.15-rc1
and later to hang when run under qemu-microblaze. Mask valid bits before
writing the register to solve the problem.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
[Edgar: Untabified]
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
|
|
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
|
|
Currently all what's needed for single file libcacard/vcard_emul_nss.c
(libnss cflags) and hw/usb/ccid-card-emulated.c (libcacard includes)
together with the libs is added to global QEMU_CFLAGS and libs_softmmu.
Use the cflags only where really used (for two mentioned files), and
libs only where needed.
While at it, rename variables to better reflect reality: libcacard_*
is really nss_*.
This needs a bit more tweaking: $(NSS_LIBS) should not contain $glib_libs
(ditto for _cflags). But in order to fix it, some more preparations
should be made first. So add a FIXME comment.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Among the callers, only assigned_initfn() should set the monitor's stored
error. Other callers may run in contexts where the monitor's stored error
makes no sense. For example:
assigned_dev_pci_write_config()
assigned_dev_update_msix()
assign_intx()
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Also, change the return type to "void"; the function is static (with a
sole caller) and the negative errno values are not distinguished from each
other.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
The return type is also changed from "int" to "void", because it was used
in a success vs. failure sense only (the caller didn't distinguish error
codes from each other, and even assigned_dev_register_msix_mmio() masked
mmap()'s errno values with a common -EFAULT).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
assigned_initfn()
get_real_device()
read()
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Propagate any errors while adding PCI capabilities to
assigned_device_pci_cap_init(). We'll continue the propagation upwards
when assigned_device_pci_cap_init() becomes a leaf itself (when none of
its callees will report errors internally any longer when detecting and
returning them).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
... and rebase pci_add_capability() to it.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Rename check_irqchip_in_kernel() to verify_irqchip_in_kernel(), so that
the name reflects our expectation better. Rather than returning a bool,
make it do nothing or set an Error.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
get_real_id() has two thin wrappers (and no other callers),
get_real_vendor_id() and get_real_device_id(); it's easiest to convert
them in one fell swoop.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
This allows us to report the entire error with one error_report() call,
easing future error propagation.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
Propagate any errors in monitor fd handling up to get_real_device(), and
report them there. We'll continue the propagation upwards when
get_real_device() becomes a leaf itself (when none of its callees will
report errors internally any longer when detecting and returning an
error).
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
eviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
|
|
into staging
trivial patches for 2014-05-07
# gpg: Signature made Wed 07 May 2014 18:01:15 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB
* remotes/mjt/tags/trivial-patches-2014-05-07: (21 commits)
libcacard: remove unnecessary EOL from debug prints
docs/memory.txt: Fix document on MMIO operations
readline: Sort completions before printing them.
readline: use g_strndup instead of open-coding it
qmp: report path ambiguity error
libcacard: replace pstrcpy() with memcpy()
glib: move g_poll() replacement into glib-compat.h
do not call g_thread_init() for glib >= 2.31
hw/9pfs: Add include file for exported symbol
xen: remove unused global, xen_xcg
hw: Add missing 'static' attributes
qemu-timer: Add missing 'static' attribute
ui: Add missing 'static' attribute
monitor: Add missing 'static' attribute
hw/s390x: Add missing 'static' attribute
hw/mips: Add missing 'static' and 'const' attributes
hw/9pfs: Add missing 'static' attributes
arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()
tests/tcg: Fix compilation of test_path
qga: Fix typo (plural) in comment
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
* remotes/sstabellini/xen-140507-2:
xen_disk: add discard support
pass an inclusive address range to xc_domain_pin_memory_cacheattr
xen: factor out common functions
xen: move Xen HVM files under hw/i386/xen
xen: move Xen PV machine files to hw/xenpv
qemu-xen: free all the pirqs for msi/msix when driver unload
exec: Limit translation limiting in address_space_translate to xen
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jim Meyering <meyering@redhat.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
This fixes warnings from the static code analysis (smatch).
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
This fixes a warning from the static code analysis (smatch).
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Implement discard support for xen_disk. It makes use of the existing
discard code in qemu.
The discard support is enabled unconditionally. The tool stack may
provide a property "discard-enable" in the backend node to optionally
disable discard support. This is helpful in case the backing file was
intentionally created non-sparse to avoid fragmentation.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
pc,net,MAINTAINERS,build updates
MAINTAINERS updated with link to the security process documentation
apic version modified to make more guests happy
On top of that, bugfixes all over the place
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Wed 07 May 2014 17:15:29 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
* remotes/mst/tags/for_upstream:
configure: make source tree build more robust
MAINTAINERS: addresses for responsible disclosure
pm_smbus: correctly report unclaimed cycles
smbus: return -1 if nothing found at the given address
smbus: allow returning an error from reads
apic: use emulated lapic version 0x14 on pc machines >= 2.1
pc: add compat_props placeholder for 2.0 machine type
i8259: don't abort when trying to use level sensitive irqs
acpi: fix tables for no-hpet configuration
acpi-build: properly decrement objects' reference counters
acpi/pcihp.c: Rewrite acpi_pcihp_get_bsel using object_property_get_int
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
Without this patch, i2cdetect will report all addresses as present.
With it, only 0x50..0x57 are present.
Before:
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40: 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50: 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60: 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70: 70 71 72 73 74 75 76 77
After:
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: 50 51 52 53 54 55 56 57 -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Pirqs are not freed when driver unload, then new pirqs are allocated when
driver reload. This could exhaust pirqs if do it in a loop.
This patch fixes the bug by freeing pirqs when ENABLE bit is cleared in
msi/msix control reg.
There is also other way of fixing it such as reuse pirqs between driver reload,
but this way is better.
Xen-devel: http://marc.info/?l=xen-devel&m=136800120304275&w=2
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Add "version" property to local apic, and have it default to
0x14 for pc machines starting at 2.1. For compatibility with
previous releases, pc machines up to 2.0 will have their local
apic version set to 0x11.
Signed-off-by: Gabriel L. Somlo <somlo@cmu.edu>
Acked-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Add the "boilerplate" necessary for subsequent patches to
simply drop in compat_props for pc machines 2.0 and older.
This patch contains no functional changes.
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Acked-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
This is a guest-triggerable error, as seen when using Xenix 2.3.4.
Replace hw_error by LOG_UNIMPL, so that guests can continue.
With this patch, I can install and use Xenix 2.3.4a without any problem.
I can also start installation of Xenix 2.3.4q, but it fails due to not
finding an hard disk.
Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Some improvements for s390.
Two patches deal with address translation, one fixes a problem in the
channel subsystem code.
# gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found
* remotes/cohuck/tags/s390x-20140507:
s390x/css: Don't save orb in subchannel.
s390x/helper: Added format control bit to MMU translation
s390x/helper: Fixed real-to-absolute address translation
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
into staging
migration/next for 20140505
# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found
* remotes/juanquintela/tags/migration/20140505: (36 commits)
migration: expose xbzrle cache miss rate
migration: expose the bitmap_sync_count to the end
migration: Add counts of updating the dirty bitmap
XBZRLE: Fix one XBZRLE corruption issues
migration: remove duplicate code
Coverity: Fix failure path for qemu_accept in migration
Init the XBZRLE.lock in ram_mig_init
Provide init function for ram migration
Count used RAMBlock pages for migration_dirty_pages
Make qemu_peek_buffer loop until it gets it's data
Disallow outward migration while awaiting incoming migration
virtio: validate config_len on load
virtio-net: out-of-bounds buffer write on load
openpic: avoid buffer overrun on incoming migration
ssi-sd: fix buffer overrun on invalid state load
savevm: Ignore minimum_version_id_old if there is no load_state_old
usb: sanity check setup_index+setup_len in post_load
vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
virtio-scsi: fix buffer overrun on invalid state load
zaurus: fix buffer overrun on invalid state load
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
into staging
QOM/QTest infrastructure fixes and device conversions
* -device / device_add assertion fix
* QEMUMachine conversion to MachineClass
* Device error handling improvements
* QTest cleanups and test cases for some more PCI devices
* PortIO memory leak fixes
# gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg: aka "Andreas Färber <afaerber@suse.com>"
* remotes/afaerber/tags/qom-devices-for-peter:
PortioList: Store PortioList in device state
tests: Add EHCI qtest
tests: Add ioh3420 qtest
tests: Add intel-hda qtests
tests: Add es1370 qtest
tests: Add ac97 qtest
qtest: Be paranoid about accept() addrlen argument
qtest: Add error reporting to socket_accept()
qtest: Assure that init_socket()'s listen() does not fail
MAINTAINERS: Document QOM
arm: Clean up fragile use of error_is_set() in realize() methods
qom: Clean up fragile use of error_is_set() in set() methods
hw: Consistently name Error ** objects errp, and not err
hw: Consistently name Error * objects err, and not errp
machine: Remove QEMUMachine indirection from MachineClass
machine: Replace QEMUMachine by MachineClass in accelerator configuration
vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs
machine: Copy QEMUMachine's fields to MachineClass
machine: Remove obsoleted field from QEMUMachine
qdev: Fix crash by validating the object type
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled. If no tables follow hpet, this could lead to a malformed
rsdt.
Fix it up.
To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.
Reported-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
|
|
Object returned by object_property_get_qobject needs its reference counter to
be decremented when it is not needed by caller anymore.
Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
acpi_pcihp_get_bsel implements functionality of object_property_get_int for
specific property named ACPI_PCIHP_PROP_BSEL, but fails to decrement object's
reference counter properly. Rewriting it using generic object_property_get_int
serves two purposes: reducing code duplication and fixing memory leak.
Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Current css code saves the operation request block (orb) in the
subchannel structure for later consumption by the start function
handler. This might make sense for asynchronous execution of the
start function (which qemu doesn't support), but not in our case;
it would even be wrong since orb contains a reference to a local
variable in the base ssch handler.
Let's just pass the orb through the start function call chain for
ssch; for rsch, we can pass NULL as the backend function does not
use any information passed via the orb there.
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
|
|
ohci live migration.
mtp bugfixes.
# gpg: Signature made Mon 05 May 2014 12:08:48 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
* remotes/kraxel/tags/pull-usb-6:
usb: mtp: reply INCOMPLETE_TRANSFER on read errors
usb: mtp: fix possible buffer overflow
usb: mtp: drop data-out hexdump
usb: mtp: avoid empty description string
usb: mtp: fix error path memory leak
usb: mtp: fix serial (must be exact 32 chars)
usb: mtp: fix version (is decimal not bcd)
usb: mtp: fix usb_mtp_add_u64
usb: mtp: replace debug printfs with trace points
usb-ohci: Add vmstate descriptor
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
