Commit Graph

56 Commits

Author SHA1 Message Date
zengchi f8400015f4 Fix CVE-2023-2861 2024-03-18 16:52:07 +08:00
Christian Schoenebeck 52200a311a 9pfs: prevent opening special files (CVE-2023-2861)
The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.

or

  - Using 9p 'proxy' fs driver (which is running its helper daemon as
    root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
Signed-off-by: zeng_chi <zengchi@kylinos.cn>
2024-03-18 16:43:45 +08:00
zengchi 5995fdfaf4 Fix CVE-2023-5088 2024-02-04 17:23:25 +08:00
Fiona Ebner 2da1a4d8d7 hw/ide: reset: cancel async DMA operation before resetting state
If there is a pending DMA operation during ide_bus_reset(), the fact
that the IDEState is already reset before the operation is canceled
can be problematic. In particular, ide_dma_cb() might be called and
then use the reset IDEState which contains the signature after the
reset. When used to construct the IO operation this leads to
ide_get_sector() returning 0 and nsector being 1. This is particularly
bad, because a write command will thus destroy the first sector which
often contains a partition table or similar.

Traces showing the unsolicited write happening with IDEState
0x5595af6949d0 being used after reset:

> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300
> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
> ide_reset IDEstate 0x5595af6949d0
> ide_reset IDEstate 0x5595af694da8
> ide_bus_reset_aio aio_cancel
> dma_aio_cancel dbs=0x7f64600089a0
> dma_blk_cb dbs=0x7f64600089a0 ret=0
> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
> ahci_populate_sglist ahci(0x5595af6923f0)[0]
> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512
> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
> dma_blk_cb dbs=0x7f6420802010 ret=0

> (gdb) p *qiov
> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0,
>       iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000",
>       size = 512}}}
> (gdb) bt
> #0  blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0,
>     cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010)
>     at ../block/block-backend.c:1682
> #1  0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>)
>     at ../softmmu/dma-helpers.c:179
> #2  0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
>     sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
>     io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>,
>     io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
>     cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0,
>     dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
> #3  0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
>     sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
>     cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0)
>     at ../softmmu/dma-helpers.c:280
> #4  0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>)
>     at ../hw/ide/core.c:953
> #5  0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
>     at ../softmmu/dma-helpers.c:107
> #6  dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
> #7  0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
>     at ../block/block-backend.c:1527
> #8  blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
> #9  blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594
> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>,
>     i1=<optimized out>) at ../util/coroutine-ucontext.c:177

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: simon.rowe@nutanix.com
Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: zeng_chi <zengchi@kylinos.cn>
2024-02-04 17:13:45 +08:00
Philippe Mathieu-Daudé 807d64bec4 hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
Signed-off-by: lixuhuan <lixuhuan@bupt.edu.cn>
2024-01-06 09:33:11 +08:00
Philippe Mathieu-Daudé 7fd795d30d hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.

Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.

This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().

Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>
Signed-off-by: lixuhuan <lixuhuan@bupt.edu.cn>
2024-01-06 09:32:35 +08:00
Philippe Mathieu-Daudé c54921d069 hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no change are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>
Signed-off-by: lixuhuan <lixuhuan@bupt.edu.cn>
2024-01-06 09:31:47 +08:00
Philippe Mathieu-Daudé bdf75761e2 hw/display/qxl: Document qxl_phys2virt()
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-3-philmd@linaro.org>
Signed-off-by: lixuhuan <lixuhuan@bupt.edu.cn>
2024-01-06 09:30:55 +08:00
Philippe Mathieu-Daudé 2fdefc0d73 hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-2-philmd@linaro.org>
Signed-off-by: lixuhuan <lixuhuan@bupt.edu.cn>
2024-01-06 09:29:09 +08:00
zengchi d75707bb53 fix detect-zeroes= with BDRV_REQ_REGISTERED_BUF
Signed-off-by: zengchi <zengchi@kylinos.cn>
2023-11-27 18:05:53 +08:00
Stefan Hajnoczi a0b37625f6 block: fix detect-zeroes= with BDRV_REQ_REGISTERED_BUF
When a write request is converted into a write zeroes request by the
detect-zeroes= feature, it is no longer associated with an I/O buffer.
The BDRV_REQ_REGISTERED_BUF flag doesn't make sense without an I/O
buffer and must be cleared because bdrv_co_do_pwrite_zeroes() fails with
-EINVAL when it's set.

Fiona Ebner <f.ebner@proxmox.com> bisected and diagnosed this QEMU 7.2
regression where writes containing zeroes to a blockdev with
discard=unmap,detect-zeroes=unmap fail.

Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1404
Fixes: e8b6535533 ("block: add BDRV_REQ_REGISTERED_BUF request flag")
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
(cherry picked from commit 3c5867156e)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: zeng_chi <zengchi@kylinos.cn>
Message-Id: <20230207203719.242926-2-stefanha@redhat.com>
2023-11-27 17:58:28 +08:00
Cong Liu 6376a48e17 upstream nvem fixing
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2023-10-30 10:51:17 +08:00
Klaus Jensen 51434084f7 hw/nvme: fix missing cq eventidx update
Prior to reading the shadow doorbell cq head, we have to update the
eventidx. Otherwise, we risk that the driver will skip an mmio doorbell
write. This happens on riscv64, as reported by Guenter.

Adding the missing update to the cq eventidx fixes the issue.

Fixes: 3f7fe8de3d ("hw/nvme: Implement shadow doorbell buffer support")
Cc: qemu-stable@nongnu.org
Cc: qemu-riscv@nongnu.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit fa5db2aa16)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-10-30 09:28:53 +08:00
Klaus Jensen f778a30f46 hw/nvme: fix missing endian conversions for doorbell buffers
The eventidx and doorbell value are not handling endianness correctly.
Fix this.

Fixes: 3f7fe8de3d ("hw/nvme: Implement shadow doorbell buffer support")
Cc: qemu-stable@nongnu.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit 2fda0726e5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Conflicts: hw/nvme/ctrl.c
2023-10-30 09:26:02 +08:00
zeng_chi 960365e551 Fix CVE-2023-0330 2023-09-25 14:44:36 +08:00
Thomas Huth 46eeafe26b hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
We cannot use the generic reentrancy guard in the LSI code, so
we have to manually prevent endless reentrancy here. The problematic
lsi_execute_script() function has already a way to detect whether
too many instructions have been executed - we just have to slightly
change the logic here that it also takes into account if the function
has been called too often in a reentrant way.

The code in fuzz-lsi53c895a-test.c has been taken from an earlier
patch by Mauro Matteo Cascella.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: zeng_chi <zengchi@kylinos.cn>
2023-09-25 14:25:01 +08:00
Cong Liu daf86a3142 debian: update version to ok6
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2023-07-26 09:04:22 +00:00
Laszlo Ersek 90a6079d2a acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block
The modern ACPI CPU hotplug interface was introduced in the following
series (aa1dd39ca307..679dd1a957df), released in v2.7.0:

  1  abd49bc2ed docs: update ACPI CPU hotplug spec with new protocol
  2  16bcab97eb pc: piix4/ich9: add 'cpu-hotplug-legacy' property
  3  5e1b5d9388 acpi: cpuhp: add CPU devices AML with _STA method
  4  ac35f13ba8 pc: acpi: introduce AcpiDeviceIfClass.madt_cpu hook
  5  d2238cb678 acpi: cpuhp: implement hot-add parts of CPU hotplug
                  interface
  6  8872c25a26 acpi: cpuhp: implement hot-remove parts of CPU hotplug
                  interface
  7  76623d00ae acpi: cpuhp: add cpu._OST handling
  8  679dd1a957 pc: use new CPU hotplug interface since 2.7 machine type

Before patch#1, "docs/specs/acpi_cpu_hotplug.txt" only specified 1-byte
accesses for the hotplug register block.  Patch#1 preserved the same
restriction for the legacy register block, but:

- it specified DWORD accesses for some of the modern registers,

- in particular, the switch from the legacy block to the modern block
  would require a DWORD write to the *legacy* block.

The latter functionality was then implemented in cpu_status_write()
[hw/acpi/cpu_hotplug.c], in patch#8.

Unfortunately, all DWORD accesses depended on a dormant bug: the one
introduced in earlier commit a014ed07bd ("memory: accept mismatching
sizes in memory_region_access_valid", 2013-05-29); first released in
v1.6.0.  Due to commit a014ed07bd, the DWORD accesses to the *legacy*
CPU hotplug register block would work in spite of the above series *not*
relaxing "valid.max_access_size = 1" in "hw/acpi/cpu_hotplug.c":

> static const MemoryRegionOps AcpiCpuHotplug_ops = {
>     .read = cpu_status_read,
>     .write = cpu_status_write,
>     .endianness = DEVICE_LITTLE_ENDIAN,
>     .valid = {
>         .min_access_size = 1,
>         .max_access_size = 1,
>     },
> };

Later, in commits e6d0c3ce68 ("acpi: cpuhp: introduce 'Command data 2'
field", 2020-01-22) and ae340aa3d2 ("acpi: cpuhp: spec: add typical
usecases", 2020-01-22), first released in v5.0.0, the modern CPU hotplug
interface (including the documentation) was extended with another DWORD
*read* access, namely to the "Command data 2" register, which would be
important for the guest to confirm whether it managed to switch the
register block from legacy to modern.

This functionality too silently depended on the bug from commit
a014ed07bd.

In commit 5d971f9e67 ('memory: Revert "memory: accept mismatching sizes
in memory_region_access_valid"', 2020-06-26), first released in v5.1.0,
the bug from commit a014ed07bd was fixed (the commit was reverted).
That swiftly exposed the bug in "AcpiCpuHotplug_ops", still present from
the v2.7.0 series quoted at the top -- namely the fact that
"valid.max_access_size = 1" didn't match what the guest was supposed to
do, according to the spec ("docs/specs/acpi_cpu_hotplug.txt").

The symptom is that the "modern interface negotiation protocol"
described in commit ae340aa3d256:

> +      Use following steps to detect and enable modern CPU hotplug interface:
> +        1. Store 0x0 to the 'CPU selector' register,
> +           attempting to switch to modern mode
> +        2. Store 0x0 to the 'CPU selector' register,
> +           to ensure valid selector value
> +        3. Store 0x0 to the 'Command field' register,
> +        4. Read the 'Command data 2' register.
> +           If read value is 0x0, the modern interface is enabled.
> +           Otherwise legacy or no CPU hotplug interface available

falls apart for the guest: steps 1 and 2 are lost, because they are DWORD
writes; so no switching happens.  Step 3 (a single-byte write) is not
lost, but it has no effect; see the condition in cpu_status_write() in
patch#8.  And step 4 *misleads* the guest into thinking that the switch
worked: the DWORD read is lost again -- it returns zero to the guest
without ever reaching the device model, so the guest never learns the
switch didn't work.

This means that guest behavior centered on the "Command data 2" register
worked *only* in the v5.0.0 release; it got effectively regressed in
v5.1.0.

To make things *even more* complicated, the breakage was (and remains, as
of today) visible with TCG acceleration only.  Commit 5d971f9e67 makes
no difference with KVM acceleration -- the DWORD accesses still work,
despite "valid.max_access_size = 1".

As commit 5d971f9e67 suggests, fix the problem by raising
"valid.max_access_size" to 4 -- the spec now clearly instructs the guest
to perform DWORD accesses to the legacy register block too, for enabling
(and verifying!) the modern block.  In order to keep compatibility for the
device model implementation though, set "impl.max_access_size = 1", so
that wide accesses be split before they reach the legacy read/write
handlers, like they always have been on KVM, and like they were on TCG
before 5d971f9e67 (v5.1.0).

Tested with:

- OVMF IA32 + qemu-system-i386, CPU hotplug/hot-unplug with SMM,
  intermixed with ACPI S3 suspend/resume, using KVM accel
  (regression-test);

- OVMF IA32X64 + qemu-system-x86_64, CPU hotplug/hot-unplug with SMM,
  intermixed with ACPI S3 suspend/resume, using KVM accel
  (regression-test);

- OVMF IA32 + qemu-system-i386, SMM enabled, using TCG accel; verified the
  register block switch and the present/possible CPU counting through the
  modern hotplug interface, during OVMF boot (bugfix test);

- I do not have any testcase (guest payload) for regression-testing CPU
  hotplug through the *legacy* CPU hotplug register block.

Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Ani Sinha <ani@anisinha.ca>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: qemu-stable@nongnu.org
Ref: "IO port write width clamping differs between TCG and KVM"
Link: http://mid.mail-archive.com/aaedee84-d3ed-a4f9-21e7-d221a28d1683@redhat.com
Link: https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230105161804.82486-1-lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit dab30fbef3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2023-07-26 09:04:22 +00:00
Paolo Bonzini 61b08c466b meson: accept relative symlinks in "meson introspect --installed" data
When installing shared libraries, as is the case for libvfio-user.so,
Meson will include relative symbolic links in the output of
"meson introspect --installed":

  {
    "libvfio-user.so": "/usr/local/lib64/libvfio-user.so",
    ...
  }

In the case of scripts/symlink-install-tree.py, this will
be a symbolic link to a symbolic link but, in any case, there is
no issue in creating it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f32eb0021a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2023-07-26 09:04:22 +00:00
谢明 13736f704f
!5 virtio: add a new vcpu watchdog
Merge pull request !5 from Sebastian2020/openkylin/yangtze
2023-07-26 08:54:30 +00:00
zhanghao1 c1048c1db2 A new virtio pci device named virtio-vcpu-stall-watchdog-pci
has been added.

Each vcpu creates a corresponding timer task. The watchdog
is driven by a timer according to a certain period. Each time
the timer expires, the counter is decremented. When the counter
is "0", the watchdog considers the vcpu to be stalling and resets
the VM. To avoid watchdog expiration, the guest kernel driver
needs to periodically send a pet event to update the counter.

Signed-off-by: zhanghao1 <zhanghao1@kylinos.cn>
2023-07-17 14:47:54 +08:00
Chenyi Qiang 3e5b9240a0 virtio-mem: Fix the iterator variable in a vmem->rdl_list loop
It should be the variable rdl2 to revert the already-notified listeners.

Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Message-Id: <20221228090312.17276-1-chenyi.qiang@intel.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
(cherry picked from commit 29f1b328e3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-06-30 15:03:53 +08:00
Chenyi Qiang 277a972b13 virtio-mem: Fix the bitmap index of the section offset
vmem->bitmap indexes the memory region of the virtio-mem backend at a
granularity of block_size. To calculate the index of target section offset,
the block_size should be divided instead of the bitmap_size.

Fixes: 2044969f0b ("virtio-mem: Implement RamDiscardManager interface")
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Message-Id: <20221216062231.11181-1-chenyi.qiang@intel.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: David Hildenbrand <david@redhat.com>
(cherry picked from commit b11cf32e07)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-06-30 15:03:35 +08:00
Jason Wang 74ab70084c vhost: fix vq dirty bitmap syncing when vIOMMU is enabled
When vIOMMU is enabled, the vq->used_phys is actually the IOVA not
GPA. So we need to translate it to GPA before the syncing otherwise we
may hit the following crash since IOVA could be out of the scope of
the GPA log size. This could be noted when using virtio-IOMMU with
vhost using 1G memory.

Fixes: c471ad0e9b ("vhost_net: device IOTLB support")
Cc: qemu-stable@nongnu.org
Tested-by: Lei Yang <leiyang@redhat.com>
Reported-by: Yalan Zhang <yalzhang@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20221216033552.77087-1-jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 345cc1cbcb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-06-30 14:59:49 +08:00
Feng Jiang fb4e55d9ad debian: update version to ok5build6
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
2022-11-25 09:30:45 +08:00
Feng Jiang d9ad3a800e virtio-gpu: Add support for virgl video acceleration
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
2022-11-17 15:32:24 +08:00
Cong Liu 2c337b5ee9 update changelog
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-16 22:29:51 +08:00
Cong Liu 5f2058ed5e disable pmem 2022-11-16 22:29:14 +08:00
Cong Liu 8ef62c1f93 regenerated debian/control
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-14 15:12:59 +08:00
Cong Liu dcf9cc7140 disable dwz for more architectures
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-14 15:03:37 +08:00
Cong Liu 199b8136c3 disable qboot because of building failed in openkylin
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-14 15:03:36 +08:00
Michael Tokarev 2c9081e655 disable dwz on certain architectures (FTBFS on bullseye, #968670)
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-14 15:03:36 +08:00
Michael Tokarev fa33532a21 Revert "temporary workaround for gcc-12 bug #1019011: use gcc-11-alpha-linux-gnu instead of gcc-alpha-linux-gnu"
This reverts commit 435ceea71d95c959c28041e9c5c3a8377592db72.
On bullseye there's no gcc-11, and gcc-10 compiles everything
just fine.

Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-14 15:03:36 +08:00
Cong Liu c4bbdf9b5e disable uring for openkylin
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:25 +08:00
Cong Liu a05ed105af changed debian/source/format to native
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:25 +08:00
Yuval Shaia 7ba83d0ae4 [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Bug-Debian: https://bugs.debian.org/1014589

Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>

Gbp-Pq: Name hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:24 +08:00
Zheyu Ma f1df0e425a net: tulip: Restrict DMA engine to memories
Commit-Id: 36a894aeb6
Bug-Debian: https://bugs.debian.org/1018055

The DMA engine is started by I/O access and then itself accesses the
I/O registers, triggering a reentrancy bug.

The following log can reveal it:
==5637==ERROR: AddressSanitizer: stack-overflow
    #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
    #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
    #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
    #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
    #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
    #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
    #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
    #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
    #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
    #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12
    #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1
    #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1
    #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9
    #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9
    #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13

Fix this bug by restricting the DMA engine to memories regions.

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>

Gbp-Pq: Name tulip-restrict-DMA-engine-to-memories-CVE-2022-2962.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:24 +08:00
Christian Ehrhardt f91bd02a0c roms as dependencies won't be available in packaged qemu
Forwarded: no
Last-Update: 2022-01-05

Due to the removal of blobs the packaging will not have the roms
dependency set and would fail at configure stage with:
  ../../tests/qtest/meson.build:272:2: ERROR: Unknown variable "roms".
Switch it back to the former empty intializer.

Gbp-Pq: Name ignore-roms-dependency-in-qtest.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:24 +08:00
Philippe Mathieu-Daudé d7e11d224e hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
To: qemu-devel@nongnu.org
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Bug-Debian: https://bugs.debian.org/992726

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Gbp-Pq: Name ati_2d-fix-buffer-overflow-in-ati_2d_blt-CVE-2021-3638.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:24 +08:00
Debian QEMU Team 918f2ed30f slof-spelling-seperator
Gbp-Pq: Name slof-spelling-seperator.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:24 +08:00
Debian QEMU Team 20e5e128b2 openbios-spelling-endianess
Gbp-Pq: Name openbios-spelling-endianess.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Michael Tokarev a5c3f34a28 a few spelling fixes for the visible strings in binaries
Gbp-Pq: Name spelling.diff
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Aurelien Jarno a0be2b6ff0 Makefile: fix build with binutils 2.38
From version 2.38, binutils default to ISA spec version 20191213. This
means that the csr read/write (csrr*/csrw*) instructions and fence.i
instruction has separated from the `I` extension, become two standalone
extensions: Zicsr and Zifencei. As the kernel uses those instruction,
this causes the following build failure:

 CC        lib/sbi/sbi_tlb.o
<<BUILDDIR>>/lib/sbi/sbi_tlb.c: Assembler messages:
<<BUILDDIR>>/lib/sbi/sbi_tlb.c:190: Error: unrecognized opcode `fence.i'
make: *** [Makefile:431: <<BUILDDIR>>/build/lib/sbi/sbi_tlb.o] Error 1

The fix is to specify those extensions explicitly in -march. However as
older binutils version do not support this, we first need to detect
that.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Alexandre Ghiti <alexandre.ghiti@canonical.com>
Reviewed-by: Anup Patel <anup@brainfault.org>

Gbp-Pq: Name opensbi-fix-build-with-binutils-2.38.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Vagrant Cascadian 42d80b274a slof/Makefile.gen: Ensure ld is called with the C locale.
The output of "ld -V" changes based on the environment's locale.

Gbp-Pq: Name slof-ensure-ld-is-called-with-C-locale.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Vagrant Cascadian f2e325e944 roms/SLOF/Makefile.gen: Remove user and host from release version.
This version string ends up in the slof.bin, leading to
reproducibility issues.

Gbp-Pq: Name slof-remove-user-and-host-from-release-version.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Vagrant Cascadian ddf891909a roms/seabios-hppa: Use consistent date and remove hostname.
Two issues break reproducibility; the time and hostname get embedded
in the resulting seabios binary.

Simply drop the hostname from the embedded version string, as it
shouldn't be needed in Debian package builds.

Use the SOURCE_DATE_EPOCH environment variable to set the build date
rather than the current time:

  https://reproducible-builds.org/docs/source-date-epoch/

Gbp-Pq: Name seabios-hppa-use-consistent-date-and-remove-hostname.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:23 +08:00
Vagrant Cascadian 967217afcc roms/openbios: Use SOURCE_DATE_EPOCH in Makefile.
Embedding the build time breaks reproducibility. Instead, use the date
specified by the SOURCE_DATE_EPOCH environment variable:

  https://reproducible-builds.org/docs/source-date-epoch/

This patch relies on features of GNU date, and will need further
changes for portability to other systems.

Gbp-Pq: Name openbios-use-source_date_epoch-in-makefile.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:22 +08:00
Michael Tokarev d950231899 openbios: do not error-out array-bounds warning
gcc-12.2 produces an apparently wrong warning for this file:

roms/openbios/arch/ppc/qemu/init.c:400:10: error: \
 array subscript 0 is outside array bounds of ‘uint32_t[0]’ {aka ‘unsigned int[]’} \
 [-Werror=array-bounds]
  400 |     *dsi = 0x48002002;
      |     =====^===========

Turn this particular -Werror back into warning. Gcc is apparently wrong here.

index e40385a70b..2e214aa079 100644

Gbp-Pq: Name openbios-array-bounds-gcc12.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:22 +08:00
Debian QEMU Team 4b3985ec1c openbios-array-bounds
Gbp-Pq: Name openbios-array-bounds.diff
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:22 +08:00
Debian QEMU Team a06187536c openbios-address-of-packet-member
Gbp-Pq: Name openbios-address-of-packet-member.patch
Signed-off-by: Cong Liu <liucong2@kylinos.cn>
2022-11-09 22:24:22 +08:00