packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

QEMU update to version 8.2.0-4:

Browse Source 
- migration: Skip only empty block devicesi
- iotests: adapt to output change for recently introduced 'detached hea…
- travis-ci: Rename SOFTMMU -> SYSTEM
- block: disallow block jobs when there is a BDRV_O_INACTIVE flag
- [backup] memory: bakcup hugepages: hugepages files maybe leftover
- memory: [backup] Modify the VM's physical bits value set policy.
- ui/clipboard: mark type as not available when there is no data (CVE-2023-6683)
- virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693)

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
This commit is contained in:
Jiabo Feng 2024-04-01 08:48:07 +08:00
parent 2fa9c37963
commit 1bf6609652
9 changed files with 669 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
backup-memory-bakcup-hugepages-hugepages-files-maybe.patch Normal file
View File

@ -0,0 +1,101 @@
From c28455a0bac4bbf171d1f19e162557377a85e96c Mon Sep 17 00:00:00 2001
From: Ming Yang <yangming73@huawei.com>
Date: Sat, 23 Mar 2024 16:32:46 +0800
Subject: [PATCH] [backup] memory: bakcup hugepages: hugepages files maybe
leftover
old info:
commit id:
3cb1b0ce091998532a30793e3272925da4e6f3aa
old messages:
hugepages: hugepages files maybe leftover
Before qemu uses the hugepage memory directory /dev/hugepages/libvirt/qemu/xxx,
The directory may be deleted because of the destroy virtual machine.
Cause qemu to create files directly under /dev/hugepages/libvirt/qemu/.
After the file is created, the file is not cleaned up by unlink,
and when the virtual machine is destroyed, libvirt will only clean up
/dev/hugepages/libvirt/qemu/xxx directory. After creating the hugepage file,
execute unlink to clean up the file to fix the problem.
Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
Signed-off-by: Ming Yang <yangming73@huawei.com>
---
include/qemu/mmap-alloc.h | 4 ++++
system/physmem.c | 9 ++++++++-
util/mmap-alloc.c | 22 ++++++++++++++++++++++
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/include/qemu/mmap-alloc.h b/include/qemu/mmap-alloc.h
index 8344daaa03..63e4edfd2f 100644
--- a/include/qemu/mmap-alloc.h
+++ b/include/qemu/mmap-alloc.h
@@ -1,6 +1,10 @@
#ifndef QEMU_MMAP_ALLOC_H
#define QEMU_MMAP_ALLOC_H
+#define HUGETLBFS_MAGIC 0x958458f6
+
+size_t qemu_fd_getfiletype(int fd);
+
typedef enum {
QEMU_FS_TYPE_UNKNOWN = 0,
QEMU_FS_TYPE_TMPFS,
diff --git a/system/physmem.c b/system/physmem.c
index a63853a7bc..f14d64819b 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -1329,7 +1329,14 @@ static int file_ram_open(const char *path,
/* @path names a file that doesn't exist, create it */
fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0644);
if (fd >= 0) {
- *created = true;
+ info_report("open %s success \n", path);
+ /* if fd file type is HUGETLBFS_MAGIC, unlink it, */
+ /* in case to prevent residue after qemu killed */
+ if (qemu_fd_getfiletype(fd) == HUGETLBFS_MAGIC) {
+ unlink(path);
+ } else {
+ *created = true;
+ }
break;
}
} else if (errno == EISDIR) {
diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
index ed14f9c64d..6890ad676c 100644
--- a/util/mmap-alloc.c
+++ b/util/mmap-alloc.c
@@ -30,6 +30,28 @@
#include <linux/magic.h>
#endif
+size_t qemu_fd_getfiletype(int fd)
+{
+ struct statfs fs;
+ int ret;
+
+ if (fd != -1) {
+ do {
+ ret = fstatfs(fd, &fs);
+ } while (ret != 0 && errno == EINTR);
+
+ if (ret != 0) {
+ fprintf(stderr, "Couldn't fstatfs() fd: %s\n",
+ strerror(errno));
+ return -1;
+ }
+ return fs.f_type;
+ } else {
+ fprintf(stderr, "fd is invalid \n");
+ return -1;
+ }
+}
+
QemuFsType qemu_fd_getfs(int fd)
{
#ifdef CONFIG_LINUX
--
2.27.0

47
block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch Normal file
View File

@ -0,0 +1,47 @@
From f9aef3909d23af6a33c604f59dccfcb764090f01 Mon Sep 17 00:00:00 2001
From: WangJian <wangjian161@huawei.com>
Date: Wed, 9 Feb 2022 11:29:15 +0800
Subject: [PATCH] block: disallow block jobs when there is a BDRV_O_INACTIVE
flag
Currently, migration will put a BDRV_O_INACTIVE flag
on bs's open_flags until another resume being called. In that case,
any IO from vm or block jobs will cause a qemu crash with an assert
'assert(!(bs->open_flags & BDRV_O_INACTIVE))' failure in bdrv_co_pwritev
function. we hereby disallow block jobs by faking a blocker.
Signed-off-by: wangjian161 <wangjian161@huawei.com>
---
block.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/block.c b/block.c
index bfb0861ec6..b7cb963929 100644
--- a/block.c
+++ b/block.c
@@ -7298,6 +7298,22 @@ bool bdrv_op_is_blocked(BlockDriverState *bs, BlockOpType op, Error **errp)
bdrv_get_device_or_node_name(bs));
return true;
}
+
+ /*
+ * When migration puts a BDRV_O_INACTIVE flag on driver's open_flags,
+ * we fake a blocker that doesn't exist. From now on, block jobs
+ * will not be permitted.
+ */
+ if ((op == BLOCK_OP_TYPE_RESIZE || op == BLOCK_OP_TYPE_COMMIT_SOURCE ||
+ op == BLOCK_OP_TYPE_MIRROR_SOURCE || op == BLOCK_OP_TYPE_MIRROR_TARGET) &&
+ (bs->open_flags & BDRV_O_INACTIVE)) {
+ if (errp) {
+ error_setg(errp, "block device is in use by migration with"
+ " a driver BDRV_O_INACTIVE flag setted");
+ }
+ return true;
+ }
+
return false;
}
--
2.27.0

62
iotests-adapt-to-output-change-for-recently-introduc.patch Normal file
View File

@ -0,0 +1,62 @@
From 7212ca27f0dc957f83fe29858430ee2927e0175c Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Mon, 25 Mar 2024 21:31:32 +0800
Subject: [PATCH] =?UTF-8?q?iotests:=20adapt=20to=20output=20change=20for?=
=?UTF-8?q?=20recently=20introduced=20'detached=20hea=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 39a94d7c34ce9d222fa9c0c99a14e20a567456d7
…der' field
Failure was noticed when running the tests for the qcow2 image format.
Fixes: 0bd779e ("crypto: Introduce 'detached-header' field in QCryptoBlockInfoLUKS")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20240216101415.293769-1-f.ebner@proxmox.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Gao Jiazhen <gaojiazhen_yewu@cmss.chinamobile.com>
---
tests/qemu-iotests/198.out | 2 ++
tests/qemu-iotests/206.out | 1 +
2 files changed, 3 insertions(+)
diff --git a/tests/qemu-iotests/198.out b/tests/qemu-iotests/198.out
index 805494916f..62fb73fa3e 100644
--- a/tests/qemu-iotests/198.out
+++ b/tests/qemu-iotests/198.out
@@ -39,6 +39,7 @@ Format specific information:
compression type: COMPRESSION_TYPE
encrypt:
ivgen alg: plain64
+ detached header: false
hash alg: sha256
cipher alg: aes-256
uuid: 00000000-0000-0000-0000-000000000000
@@ -84,6 +85,7 @@ Format specific information:
compression type: COMPRESSION_TYPE
encrypt:
ivgen alg: plain64
+ detached header: false
hash alg: sha256
cipher alg: aes-256
uuid: 00000000-0000-0000-0000-000000000000
diff --git a/tests/qemu-iotests/206.out b/tests/qemu-iotests/206.out
index 7e95694777..979f00f9bf 100644
--- a/tests/qemu-iotests/206.out
+++ b/tests/qemu-iotests/206.out
@@ -114,6 +114,7 @@ Format specific information:
refcount bits: 16
encrypt:
ivgen alg: plain64
+ detached header: false
hash alg: sha1
cipher alg: aes-128
uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
--
2.27.0

126
memory-backup-Modify-the-VM-s-physical-bits-value-se.patch Normal file
View File

@ -0,0 +1,126 @@
From 65435e107fc8eee37c61a3a7d1adebd013ad466f Mon Sep 17 00:00:00 2001
From: Ming Yang <yangming73@huawei.com>
Date: Sat, 23 Mar 2024 16:18:03 +0800
Subject: [PATCH] memory: [backup] Modify the VM's physical bits value set
policy.
backup code from qemu-6.2 to qemu-8.2
old info:
commit id :
a09c3928b33b0c53831bd9eeb56f8171c26057bc
messages:
target-i386: Modify the VM's physical bits value set policy.
To resolve the problem that a VM with large memory capacity fails
to be live migrated, determine whether the VM is a large memory
capacity based on the memory size (4 TB). If yes, set the bus width
of the VM address to 46 bits. If no, set the bus width to 42 bits.
Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
Signed-off-by: Ming Yang <yangming73@huawei.com>
---
target/i386/cpu.c | 20 +++++++++++++++++++-
target/i386/cpu.h | 6 ++++++
target/i386/host-cpu.c | 13 +++++++------
3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a66e5a357b..fc61a84b1e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -7666,6 +7666,24 @@ static void x86_cpu_set_pc(CPUState *cs, vaddr value)
cpu->env.eip = value;
}
+
+/* At present, we check the vm is *LARGE* or not, i.e. whether
+ * the memory size is more than 4T or not.
+ */
+const uint64_t large_vm_mem_size = 0x40000000000UL;
+void x86_cpu_adjuest_by_ram_size(ram_addr_t ram_size, X86CPU *cpu)
+{
+ /* If there is not a large vm, we set the phys_bits to 42 bits,
+ * otherwise, we increase the phys_bits to 46 bits.
+ */
+ if (ram_size < large_vm_mem_size) {
+ cpu->phys_bits = DEFAULT_VM_CPU_PHYS_BITS;
+ } else {
+ cpu->phys_bits = LARGE_VM_CPU_PHYS_BITS;
+ cpu->fill_mtrr_mask = true;
+ }
+}
+
static vaddr x86_cpu_get_pc(CPUState *cs)
{
X86CPU *cpu = X86_CPU(cs);
@@ -7868,7 +7886,7 @@ static Property x86_cpu_properties[] = {
DEFINE_PROP_UINT32("phys-bits", X86CPU, phys_bits, 0),
DEFINE_PROP_BOOL("host-phys-bits", X86CPU, host_phys_bits, false),
DEFINE_PROP_UINT8("host-phys-bits-limit", X86CPU, host_phys_bits_limit, 0),
- DEFINE_PROP_BOOL("fill-mtrr-mask", X86CPU, fill_mtrr_mask, true),
+ DEFINE_PROP_BOOL("fill-mtrr-mask", X86CPU, fill_mtrr_mask, false),
DEFINE_PROP_UINT32("level-func7", X86CPU, env.cpuid_level_func7,
UINT32_MAX),
DEFINE_PROP_UINT32("level", X86CPU, env.cpuid_level, UINT32_MAX),
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index ef987f344c..6993552cd9 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -24,6 +24,7 @@
#include "cpu-qom.h"
#include "kvm/hyperv-proto.h"
#include "exec/cpu-defs.h"
+#include "exec/cpu-common.h"
#include "qapi/qapi-types-common.h"
#include "qemu/cpu-float.h"
#include "qemu/timer.h"
@@ -2081,6 +2082,11 @@ struct X86CPUClass {
extern const VMStateDescription vmstate_x86_cpu;
#endif
+#define DEFAULT_VM_CPU_PHYS_BITS 42
+#define LARGE_VM_CPU_PHYS_BITS 46
+
+void x86_cpu_adjuest_by_ram_size(ram_addr_t ram_size, X86CPU *cpu);
+
int x86_cpu_pending_interrupt(CPUState *cs, int interrupt_request);
int x86_cpu_write_elf64_note(WriteCoreDumpFunction f, CPUState *cpu,
diff --git a/target/i386/host-cpu.c b/target/i386/host-cpu.c
index 92ecb7254b..07738bf857 100644
--- a/target/i386/host-cpu.c
+++ b/target/i386/host-cpu.c
@@ -13,6 +13,7 @@
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "sysemu/sysemu.h"
+#include "hw/boards.h"
/* Note: Only safe for use on x86(-64) hosts */
static uint32_t host_cpu_phys_bits(void)
@@ -57,14 +58,14 @@ static uint32_t host_cpu_adjust_phys_bits(X86CPU *cpu)
uint32_t phys_bits = cpu->phys_bits;
static bool warned;
- /*
- * Print a warning if the user set it to a value that's not the
- * host value.
- */
- if (phys_bits != host_phys_bits && phys_bits != 0 &&
+ /* adjust x86 cpu phys_bits according to ram_size. */
+ x86_cpu_adjuest_by_ram_size(current_machine->ram_size, cpu);
+
+ /* Print a warning if the host value less than the user set. */
+ if (phys_bits > host_phys_bits && phys_bits != 0 &&
!warned) {
warn_report("Host physical bits (%u)"
- " does not match phys-bits property (%u)",
+ " less than phys-bits property (%u)",
host_phys_bits, phys_bits);
warned = true;
}
--
2.27.0

86
migration-Skip-only-empty-block-devicesi.patch Normal file
View File

@ -0,0 +1,86 @@
From 4506b31c0fff0b7a69ec4c7e264715ed70df75a8 Mon Sep 17 00:00:00 2001
From: gaojiazhen <gaojiazhen_yewu@cmss.chinamobile.com>
Date: Mon, 25 Mar 2024 22:13:43 +0800
Subject: [PATCH] migration: Skip only empty block devicesi
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 2e128776dc56f502c2ee41750afe83938f389528
The block .save_setup() handler calls a helper routine
init_blk_migration() which builds a list of block devices to take into
account for migration. When one device is found to be empty (sectors
== 0), the loop exits and all the remaining devices are ignored. This
is a regression introduced when bdrv_iterate() was removed.
Change that by skipping only empty devices.
Cc: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Fixes: fea68bb ("block: Eliminate bdrv_iterate(), use bdrv_next()")
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Link: https://lore.kernel.org/r/20240312120431.550054-1-clg@redhat.com
[peterx: fix "Suggested-by:"]
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Gao Jiazhen <gaojiazhen_yewu@cmss.chinamobile.com>
---
migration/block.c | 5 ++++-
tests/qemu-iotests/198.out | 2 --
tests/qemu-iotests/206.out | 1 -
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/migration/block.c b/migration/block.c
index a15f9bddcb..710ef6f490 100644
--- a/migration/block.c
+++ b/migration/block.c
@@ -409,7 +409,10 @@ static int init_blk_migration(QEMUFile *f)
}
sectors = bdrv_nb_sectors(bs);
- if (sectors <= 0) {
+ if (sectors == 0) {
+ continue;
+ }
+ if (sectors < 0) {
ret = sectors;
bdrv_next_cleanup(&it);
goto out;
diff --git a/tests/qemu-iotests/198.out b/tests/qemu-iotests/198.out
index 62fb73fa3e..805494916f 100644
--- a/tests/qemu-iotests/198.out
+++ b/tests/qemu-iotests/198.out
@@ -39,7 +39,6 @@ Format specific information:
compression type: COMPRESSION_TYPE
encrypt:
ivgen alg: plain64
- detached header: false
hash alg: sha256
cipher alg: aes-256
uuid: 00000000-0000-0000-0000-000000000000
@@ -85,7 +84,6 @@ Format specific information:
compression type: COMPRESSION_TYPE
encrypt:
ivgen alg: plain64
- detached header: false
hash alg: sha256
cipher alg: aes-256
uuid: 00000000-0000-0000-0000-000000000000
diff --git a/tests/qemu-iotests/206.out b/tests/qemu-iotests/206.out
index 979f00f9bf..7e95694777 100644
--- a/tests/qemu-iotests/206.out
+++ b/tests/qemu-iotests/206.out
@@ -114,7 +114,6 @@ Format specific information:
refcount bits: 16
encrypt:
ivgen alg: plain64
- detached header: false
hash alg: sha1
cipher alg: aes-128
uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
--
2.27.0

20
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu
Version: 8.2.0
Release: 3
Release: 4
Epoch: 11
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -89,6 +89,14 @@ Patch0072: target-loongarch-kvm-Enable-LSX-LASX-extension.patch
Patch0073: target-loongarch-Fix-qtest-test-hmp-error-when-KVM-o.patch
Patch0074: loongarch-Change-the-UEFI-loading-mode-to-loongarch.patch
Patch0075: disable-keyring-option.patch
Patch0076: virtio-net-correctly-copy-vnet-header-when-flushing-.patch
Patch0077: ui-clipboard-mark-type-as-not-available-when-there-i.patch
Patch0078: memory-backup-Modify-the-VM-s-physical-bits-value-se.patch
Patch0079: backup-memory-bakcup-hugepages-hugepages-files-maybe.patch
Patch0080: block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch
Patch0081: travis-ci-Rename-SOFTMMU-SYSTEM.patch
Patch0082: iotests-adapt-to-output-change-for-recently-introduc.patch
Patch0083: migration-Skip-only-empty-block-devicesi.patch
BuildRequires: flex
BuildRequires: gcc
@ -686,6 +694,16 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Mon Apr 1 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-4
- migration: Skip only empty block devicesi
- iotests: adapt to output change for recently introduced 'detached hea…
- travis-ci: Rename SOFTMMU -> SYSTEM
- block: disallow block jobs when there is a BDRV_O_INACTIVE flag
- [backup] memory: bakcup hugepages: hugepages files maybe leftover
- memory: [backup] Modify the VM's physical bits value set policy.
- ui/clipboard: mark type as not available when there is no data (CVE-2023-6683)
- virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693)
* Wed Mar 27 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-3
- disable keyring option
- loongarch: Change the UEFI loading mode to loongarch

67
travis-ci-Rename-SOFTMMU-SYSTEM.patch Normal file
View File

@ -0,0 +1,67 @@
From c03415f3b75e6a37c7eb392ef62bf92b94267b4d Mon Sep 17 00:00:00 2001
From: gaojiazhen <gaojiazhen_yewu@cmss.chinamobile.com>
Date: Mon, 25 Mar 2024 17:26:52 +0800
Subject: [PATCH] travis-ci: Rename SOFTMMU -> SYSTEM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 47833f817cc597db124c690bd14600bb5d00e824
Since we *might* have user emulation with softmmu,
rename MAIN_SOFTMMU_TARGETS as MAIN_SYSTEM_TARGETS
to express 'system emulation targets'.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240313213339.82071-3-philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Gao Jiazhen <gaojiazhen_yewu@cmss.chinamobile.com>
---
.travis.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 76859d48da..597d151b80 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -35,7 +35,7 @@ env:
- TEST_BUILD_CMD=""
- TEST_CMD="make check V=1"
# This is broadly a list of "mainline" system targets which have support across the major distros
- - MAIN_SOFTMMU_TARGETS="aarch64-softmmu,mips64-softmmu,ppc64-softmmu,riscv64-softmmu,s390x-softmmu,x86_64-softmmu"
+ - MAIN_SYSTEM_TARGETS="aarch64-softmmu,mips64-softmmu,ppc64-softmmu,riscv64-softmmu,s390x-softmmu,x86_64-softmmu"
- CCACHE_SLOPPINESS="include_file_ctime,include_file_mtime"
- CCACHE_MAXSIZE=1G
- G_MESSAGES_DEBUG=error
@@ -114,7 +114,7 @@ jobs:
env:
- TEST_CMD="make check check-tcg V=1"
- CONFIG="--disable-containers --enable-fdt=system
- --target-list=${MAIN_SOFTMMU_TARGETS} --cxx=/bin/false"
+ --target-list=${MAIN_SYSTEM_TARGETS} --cxx=/bin/false"
- UNRELIABLE=true
- name: "[ppc64] GCC check-tcg"
@@ -185,7 +185,7 @@ jobs:
env:
- TEST_CMD="make check check-tcg V=1"
- CONFIG="--disable-containers --enable-fdt=system
- --target-list=${MAIN_SOFTMMU_TARGETS},s390x-linux-user"
+ --target-list=${MAIN_SYSTEM_TARGETS},s390x-linux-user"
- UNRELIABLE=true
script:
- BUILD_RC=0 && make -j${JOBS} || BUILD_RC=$?
@@ -226,7 +226,7 @@ jobs:
- genisoimage
env:
- CONFIG="--disable-containers --enable-fdt=system --audio-drv-list=sdl
- --disable-user --target-list-exclude=${MAIN_SOFTMMU_TARGETS}"
+ --disable-user --target-list-exclude=${MAIN_SYSTEM_TARGETS}"
- name: "[s390x] GCC (user)"
arch: s390x
--
2.27.0

89
ui-clipboard-mark-type-as-not-available-when-there-i.patch Normal file
View File

@ -0,0 +1,89 @@
From 855f7f30de962f79393f0b9f8b0355b996d72de7 Mon Sep 17 00:00:00 2001
From: Fiona Ebner <f.ebner@proxmox.com>
Date: Wed, 24 Jan 2024 11:57:48 +0100
Subject: [PATCH] ui/clipboard: mark type as not available when there is no
data (CVE-2023-6683)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
message with len=0. In qemu_clipboard_set_data(), the clipboard info
will be updated setting data to NULL (because g_memdup(data, size)
returns NULL when size is 0). If the client does not set the
VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
the 'request' callback for the clipboard peer is not initialized.
Later, because data is NULL, qemu_clipboard_request() can be reached
via vdagent_chr_write() and vdagent_clipboard_recv_request() and
there, the clipboard owner's 'request' callback will be attempted to
be called, but that is a NULL pointer.
In particular, this can happen when using the KRDC (22.12.3) VNC
client.
Another scenario leading to the same issue is with two clients (say
noVNC and KRDC):
The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
initializes its cbpeer.
The KRDC client does not, but triggers a vnc_client_cut_text() (note
it's not the _ext variant)). There, a new clipboard info with it as
the 'owner' is created and via qemu_clipboard_set_data() is called,
which in turn calls qemu_clipboard_update() with that info.
In qemu_clipboard_update(), the notifier for the noVNC client will be
called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
noVNC client. The 'owner' in that clipboard info is the clipboard peer
for the KRDC client, which did not initialize the 'request' function.
That sounds correct to me, it is the owner of that clipboard info.
Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
passes), that clipboard info is passed to qemu_clipboard_request() and
the original segfault still happens.
Fix the issue by handling updates with size 0 differently. In
particular, mark in the clipboard info that the type is not available.
While at it, switch to g_memdup2(), because g_memdup() is deprecated.
Cc: qemu-stable@nongnu.org
Fixes: CVE-2023-6683
Reported-by: Markus Frank <m.frank@proxmox.com>
Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Markus Frank <m.frank@proxmox.com>
Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
---
ui/clipboard.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/ui/clipboard.c b/ui/clipboard.c
index 3d14bffaf8..b3f6fa3c9e 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
}
g_free(info->types[type].data);
- info->types[type].data = g_memdup(data, size);
- info->types[type].size = size;
- info->types[type].available = true;
+ if (size) {
+ info->types[type].data = g_memdup2(data, size);
+ info->types[type].size = size;
+ info->types[type].available = true;
+ } else {
+ info->types[type].data = NULL;
+ info->types[type].size = 0;
+ info->types[type].available = false;
+ }
if (update) {
qemu_clipboard_update(info);
--
2.27.0

72
virtio-net-correctly-copy-vnet-header-when-flushing-.patch Normal file
View File

@ -0,0 +1,72 @@
From 912641a75955a75f37ab8695a0753b1571762717 Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang@redhat.com>
Date: Tue, 2 Jan 2024 11:29:01 +0800
Subject: [PATCH] virtio-net: correctly copy vnet header when flushing TX
(CVE-2023-6693)
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
the size of the mergeable rx buffer header. Using
virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
instead.
Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
Cc: qemu-stable@nongnu.org
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Fixes: CVE-2023-6693
Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/virtio-net.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 80c56f0cfc..73024babd4 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs,
n->mergeable_rx_bufs = mergeable_rx_bufs;
+ /*
+ * Note: when extending the vnet header, please make sure to
+ * change the vnet header copying logic in virtio_net_flush_tx()
+ * as well.
+ */
if (version_1) {
n->guest_hdr_len = hash_report ?
sizeof(struct virtio_net_hdr_v1_hash) :
@@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
ssize_t ret;
unsigned int out_num;
struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg;
- struct virtio_net_hdr_mrg_rxbuf mhdr;
+ struct virtio_net_hdr_v1_hash vhdr;
elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
if (!elem) {
@@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
}
if (n->has_vnet_hdr) {
- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
+ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
n->guest_hdr_len) {
virtio_error(vdev, "virtio-net header incorrect");
virtqueue_detach_element(q->tx_vq, elem, 0);
@@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
return -EINVAL;
}
if (n->needs_vnet_hdr_swap) {
- virtio_net_hdr_swap(vdev, (void *) &mhdr);
- sg2[0].iov_base = &mhdr;
+ virtio_net_hdr_swap(vdev, (void *) &vhdr);
+ sg2[0].iov_base = &vhdr;
sg2[0].iov_len = n->guest_hdr_len;
out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
out_sg, out_num,
--
2.27.0