QEMU update to version 6.2.0-83(master)

- hw/virtio/virtio-pmem: Replace impossible check by assertion - tests: Fix printf format string in acpi-utils.c - softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit" - disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14 - qga: Fix memory leak when output stream is unused - ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) - target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model - target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES - target/i386: Allow MCDT_NO if host supports - target/i386: Add support for MCDT_NO in CPUID enumeration - target/i386: Export MSR_ARCH_CAPABILITIES bits to guests - target/i386: add support for FB_CLEAR feature - target/i386: add support for FLUSH_L1D feature - crypto: remove shadowed 'ret' variable - hw/i2c/pmbus_device: Fix modifying QOM class internals from instance - hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2023-10-30 16:29:07 +08:00 · 2023-10-30 16:29:07 +08:00 · 80a22cff37
commit 80a22cff37
parent 0b0e518312
17 changed files with 883 additions and 1 deletions
--- a/crypto-remove-shadowed-ret-variable.patch
+++ b/crypto-remove-shadowed-ret-variable.patch
@ -0,0 +1,36 @@
+From b055bedb3fba592ab7e73615faf29854a18b0abc Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Tue, 10 Oct 2023 15:24:35 +0800
+Subject: [PATCH] crypto: remove shadowed 'ret' variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 3cc9fe177f412494f084923149338c51dd232b9b
+
+Both instances of 'ret' are used to store a gnutls API return code.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Message-ID: <20230922160644.438631-2-berrange@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ crypto/tls-cipher-suites.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
+index 5e4f597464..d0df4badc0 100644
+--- a/crypto/tls-cipher-suites.c
+++ b/crypto/tls-cipher-suites.c
+@@ -52,7 +52,6 @@ GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj,
+     byte_array = g_byte_array_new();
+ 
+     for (i = 0;; i++) {
+-        int ret;
+         unsigned idx;
+         const char *name;
+         IANA_TLS_CIPHER cipher;
+-- 
+2.41.0.windows.1
+
--- a/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch
+++ b/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch
@ -0,0 +1,37 @@
+From 80fd3d8f92b8a2c3b640d1dfa436da8331b37b01 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Mon, 16 Oct 2023 09:47:25 +0800
+Subject: [PATCH] disas/riscv: Fix the typo of inverted order of pmpaddr13 and
+ pmpaddr14
+
+cheery-pick from cffa9954908830276c93b430681f66cc0e599aef
+
+Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name().
+
+Signed-off-by: Alvin Chang <alvinga@andestech.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-ID: <20230907084500.328-1-alvinga@andestech.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ disas/riscv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/disas/riscv.c b/disas/riscv.c
+index 6768ec8188..ad7b978815 100644
+--- a/disas/riscv.c
+++ b/disas/riscv.c
+@@ -1307,8 +1307,8 @@ static const char *csr_name(int csrno)
+     case 0x03ba: return "pmpaddr10";
+     case 0x03bb: return "pmpaddr11";
+     case 0x03bc: return "pmpaddr12";
+-    case 0x03bd: return "pmpaddr14";
+-    case 0x03be: return "pmpaddr13";
+    case 0x03bd: return "pmpaddr13";
+    case 0x03be: return "pmpaddr14";
+     case 0x03bf: return "pmpaddr15";
+     case 0x0780: return "mtohost";
+     case 0x0781: return "mfromhost";
+-- 
+2.41.0.windows.1
+
--- a/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch
+++ b/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch
@ -0,0 +1,47 @@
+From a1ecbf056603b4fabf8b5ab8a79f70a27fef06ee Mon Sep 17 00:00:00 2001
+From: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
+Date: Sun, 24 Sep 2023 19:39:33 +0800
+Subject: [PATCH] hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs
+ number
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When passing --smp with a number lower than XLNX_ZYNQMP_NUM_APU_CPUS,
+the expression (ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS) will result
+in a positive number as ms->smp.cpus is a unsigned int.
+This will raise the following error afterwards, as Qemu will try to
+instantiate some additional RPUs.
+  | $ qemu-system-aarch64 --smp 1 -M xlnx-zcu102
+  | **
+  | ERROR:../src/tcg/tcg.c:777:tcg_register_thread:
+  |   assertion failed: (n < tcg_max_ctxs)
+
+cheery-pick from c9ba1c9f02cfede5329f504cdda6fd3a256e0434
+
+Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
+Signed-off-by: Clément Chigot <chigot@adacore.com>
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Message-id: 20230524143714.565792-1-chigot@adacore.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/xlnx-zynqmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+index 1c52a575aa..2ffc6df70b 100644
+--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
+@@ -194,7 +194,7 @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
+                                    const char *boot_cpu, Error **errp)
+ {
+     int i;
+-    int num_rpus = MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS,
+    int num_rpus = MIN((int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS),
+                        XLNX_ZYNQMP_NUM_RPU_CPUS);
+ 
+     if (num_rpus <= 0) {
+-- 
+2.41.0.windows.1
+
--- a/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch
+++ b/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch
@ -0,0 +1,63 @@
+From b2314562968c124503dbd08529a2bef39701aaa7 Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 6 Sep 2023 20:30:27 +0800
+Subject: [PATCH] hw/i2c/pmbus_device: Fix modifying QOM class internals from
+ instance
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from f0e4588fd4ae39d1ad46f19c76ed298f89e61d6a
+
+QOM object instance should not modify its class state (because
+all other objects instanciated from this class get affected).
+
+Instead of modifying the PMBusDeviceClass 'device_num_pages' field
+the first time a instance is initialized (in pmbus_pages_alloc),
+introduce a new pmbus_pages_num() helper which returns the page
+number from the class without modifying the class state.
+
+The code logic become slighly simplified.
+
+Inspired-by: Bernhard Beschow <shentey@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230523064408.57941-4-philmd@linaro.org>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/i2c/pmbus_device.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c
+index 24f8f522d9..f39cd532de 100644
+--- a/hw/i2c/pmbus_device.c
+++ b/hw/i2c/pmbus_device.c
+@@ -166,15 +166,18 @@ static void pmbus_quick_cmd(SMBusDevice *smd, uint8_t read)
+     }
+ }
+ 
+-static void pmbus_pages_alloc(PMBusDevice *pmdev)
+static uint8_t pmbus_pages_num(PMBusDevice *pmdev)
+ {
+    const PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
+
+     /* some PMBus devices don't use the PAGE command, so they get 1 page */
+-    PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
+-    if (k->device_num_pages == 0) {
+-        k->device_num_pages = 1;
+-    }
+-    pmdev->num_pages = k->device_num_pages;
+-    pmdev->pages = g_new0(PMBusPage, k->device_num_pages);
+    return k->device_num_pages ? : 1;
+}
+
+static void pmbus_pages_alloc(PMBusDevice *pmdev)
+{
+    pmdev->num_pages = pmbus_pages_num(pmdev);
+    pmdev->pages = g_new0(PMBusPage, pmdev->num_pages);
+ }
+ 
+ void pmbus_check_limits(PMBusDevice *pmdev)
+-- 
+2.41.0.windows.1
+
--- a/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch
+++ b/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch
@ -0,0 +1,45 @@
+From 12eed71f72cbb5d81b14f66fde254058f121979a Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Wed, 25 Oct 2023 17:44:42 +0800
+Subject: [PATCH] hw/virtio/virtio-pmem: Replace impossible check by assertion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 184256d261cfc773360f14a80092ace5a716bb8f
+
+The get_memory_region() handler is used when (un)plugging the
+device, which can only occur *after* it is realized.
+
+virtio_pmem_realize() ensure the instance can not be realized
+without 'memdev'. Remove the superfluous check, replacing it
+by an assertion.
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
+Message-Id: <20231017140150.44995-2-philmd@linaro.org>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ hw/virtio/virtio-pmem.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c
+index d1aeb90a31..39f3949a3b 100644
+--- a/hw/virtio/virtio-pmem.c
+++ b/hw/virtio/virtio-pmem.c
+@@ -149,10 +149,7 @@ static void virtio_pmem_fill_device_info(const VirtIOPMEM *pmem,
+ static MemoryRegion *virtio_pmem_get_memory_region(VirtIOPMEM *pmem,
+                                                    Error **errp)
+ {
+-    if (!pmem->memdev) {
+-        error_setg(errp, "'%s' property must be set", VIRTIO_PMEM_MEMDEV_PROP);
+-        return NULL;
+-    }
+    assert(pmem->memdev);
+ 
+     return &pmem->memdev->mr;
+ }
+-- 
+2.41.0.windows.1
+
--- a/qemu.spec
+++ b/qemu.spec
@ -3,7 +3,7 @@

 Name: qemu
 Version: 6.2.0
-Release: 82
+Release: 83
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -583,6 +583,22 @@ Patch0568: hw-vfio-pci-quirks-Sanitize-capability-pointer.patch
 Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch
 Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch
 Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch
+Patch0572: hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch
+Patch0573: hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch
+Patch0574: crypto-remove-shadowed-ret-variable.patch
+Patch0575: target-i386-add-support-for-FLUSH_L1D-feature.patch
+Patch0576: target-i386-add-support-for-FB_CLEAR-feature.patch
+Patch0577: target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
+Patch0578: target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch
+Patch0579: target-i386-Allow-MCDT_NO-if-host-supports.patch
+Patch0580: target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch
+Patch0581: target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
+Patch0582: ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
+Patch0583: qga-Fix-memory-leak-when-output-stream-is-unused.patch
+Patch0584: disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch
+Patch0585: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
+Patch0586: tests-Fix-printf-format-string-in-acpi-utils.c.patch
+Patch0587: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch

 BuildRequires: flex
 BuildRequires: gcc
@ -1156,6 +1172,24 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-83
+- hw/virtio/virtio-pmem: Replace impossible check by assertion
+- tests: Fix printf format string in acpi-utils.c
+- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit"
+- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14
+- qga: Fix memory leak when output stream is unused
+- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
+- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
+- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
+- target/i386: Allow MCDT_NO if host supports
+- target/i386: Add support for MCDT_NO in CPUID enumeration
+- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
+- target/i386: add support for FB_CLEAR feature
+- target/i386: add support for FLUSH_L1D feature
+- crypto: remove shadowed 'ret' variable
+- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance
+- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
+
 * Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-82
 - thread-pool: optimize scheduling of completion bottom half
 - migration/rdma: zore out head.repeat to make the error more clear
--- a/qga-Fix-memory-leak-when-output-stream-is-unused.patch
+++ b/qga-Fix-memory-leak-when-output-stream-is-unused.patch
@ -0,0 +1,56 @@
+From 877d97f7e7b88c9cb8754bece152dc27a2a0f47a Mon Sep 17 00:00:00 2001
+From: qihao <qihao_yewu@cmss.chinamobile.com>
+Date: Mon, 16 Oct 2023 10:22:03 +0800
+Subject: [PATCH] qga: Fix memory leak when output stream is unused
+
+cheery-pick from d6f67b83b81bf49b5c62e77143ed39c020e51830
+
+If capture-output is requested but one of the channels goes unused (eg.
+we attempt to capture stderr but the command never writes to stderr), we
+can leak memory.
+
+guest_exec_output_watch() is (from what I understand) unconditionally
+called for both streams if output capture is requested. The first call
+will always pass the `p->size == p->length` check b/c both values are
+0. Then GUEST_EXEC_IO_SIZE bytes will be allocated for the stream.
+
+But when we reap the exited process there's a `gei->err.length > 0`
+check to actually free the buffer. Which does not get run if the command
+doesn't write to the stream.
+
+Fix by making free() unconditional.
+
+Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
+---
+ qga/commands.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/qga/commands.c b/qga/commands.c
+index 80501e4a73..05f89725be 100644
+--- a/qga/commands.c
+++ b/qga/commands.c
+@@ -210,16 +210,16 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **errp)
+         if (gei->out.length > 0) {
+             ges->has_out_data = true;
+             ges->out_data = g_base64_encode(gei->out.data, gei->out.length);
+-            g_free(gei->out.data);
+             ges->has_out_truncated = gei->out.truncated;
+         }
+        g_free(gei->out.data);
+ 
+         if (gei->err.length > 0) {
+             ges->has_err_data = true;
+             ges->err_data = g_base64_encode(gei->err.data, gei->err.length);
+-            g_free(gei->err.data);
+             ges->has_err_truncated = gei->err.truncated;
+         }
+        g_free(gei->err.data);
+ 
+         QTAILQ_REMOVE(&guest_exec_state.processes, gei, next);
+         g_free(gei);
+-- 
+2.41.0.windows.1
+
--- a/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
+++ b/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
@ -0,0 +1,55 @@
+From 381500cc0b96e85165ae0314839c34976a4da1b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
+ <yong.huang@smartx.com>
+Date: Fri, 18 Nov 2022 10:08:54 +0800
+Subject: [PATCH] softmmu/dirtylimit: Add parameter check for hmp
+ "set_vcpu_dirty_limit"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+dirty_rate paraemter of hmp command "set_vcpu_dirty_limit" is invalid
+if less than 0, so add parameter check for it.
+
+Note that this patch also delete the unsolicited help message and
+clean up the code.
+
+Signed-off-by: Hyman Huang(黄勇) <yong.huang@smartx.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Message-Id: <168618975839.6361.17407633874747688653-1@git.sr.ht>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+---
+ softmmu/dirtylimit.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c
+index 8d98cb7f2c..5041c230d0 100644
+--- a/softmmu/dirtylimit.c
+++ b/softmmu/dirtylimit.c
+@@ -515,14 +515,15 @@ void hmp_set_vcpu_dirty_limit(Monitor *mon, const QDict *qdict)
+     int64_t cpu_index = qdict_get_try_int(qdict, "cpu_index", -1);
+     Error *err = NULL;
+ 
+-    qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
+-    if (err) {
+-        hmp_handle_error(mon, err);
+-        return;
+    if (dirty_rate < 0) {
+        error_setg(&err, "invalid dirty page limit %" PRId64, dirty_rate);
+        goto out;
+     }
+ 
+-    monitor_printf(mon, "[Please use 'info vcpu_dirty_limit' to query "
+-                   "dirty limit for virtual CPU]\n");
+    qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
+
+out:
+    hmp_handle_error(mon, err);
+ }
+ 
+ static struct DirtyLimitInfo *dirtylimit_query_vcpu(int cpu_index)
+-- 
+2.41.0.windows.1
+
--- a/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
+++ b/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
@ -0,0 +1,53 @@
+From 732cb06c9b652cf899e9f329ad74ec3dae3d18b2 Mon Sep 17 00:00:00 2001
+From: Lei Wang <lei4.wang@intel.com>
+Date: Thu, 6 Jul 2023 13:49:48 +0800
+Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES
+ into SapphireRapids CPU model
+
+commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream.
+
+SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES
+enabled, which are related to some security fixes.
+
+Add version 2 of SapphireRapids CPU model with those bits enabled also.
+
+Intel-SIG: commit 3baf7ae63505 ("target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model")
+Backport support of SapphireRapids CPU Model version 2
+
+Signed-off-by: Lei Wang <lei4.wang@intel.com>
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/cpu.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 685bfca37e..eb911b12fa 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -3675,8 +3675,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+         .model_id = "Intel Xeon Processor (SapphireRapids)",
+         .versions = (X86CPUVersionDefinition[]) {
+             { .version = 1 },
+-            { /* end of list */ },
+-        },
+            {
+                .version = 2,
+                .props = (PropValue[]) {
+                    { "sbdr-ssdp-no", "on" },
+                    { "fbsdp-no", "on" },
+                    { "psdp-no", "on" },
+                    { /* end of list */ }
+                }
+            },
+            { /* end of list */ }
+        }
+     },
+     {
+         .name = "Denverton",
+-- 
+2.41.0.windows.1
+
--- a/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch
+++ b/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch
@ -0,0 +1,43 @@
+From cdd89390a5e8fb55515798ab4ec5ec5fd6fed32b Mon Sep 17 00:00:00 2001
+From: Tao Su <tao1.su@linux.intel.com>
+Date: Thu, 6 Jul 2023 13:49:47 +0800
+Subject: [PATCH] target/i386: Add new bit definitions of
+ MSR_IA32_ARCH_CAPABILITIES
+
+commit 6c43ec3b206956a8a3008accafe9eb2dfd885190 upstream.
+
+Currently, bit 13, 14, 15 and 24 of MSR_IA32_ARCH_CAPABILITIES are
+disclosed for fixing security issues, so add those bit definitions.
+
+Intel-SIG: commit 6c43ec3b2069 ("target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES")
+Backport new bit definitions of MSR_IA32_ARCH_CAPABILITIES
+
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
+Message-ID: <20230706054949.66556-5-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason zeng@intel.com>
+---
+ target/i386/cpu.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index edbaba0d62..37c687d4d8 100644
+--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
+@@ -966,7 +966,11 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define MSR_ARCH_CAP_PSCHANGE_MC_NO     (1U << 6)
+ #define MSR_ARCH_CAP_TSX_CTRL_MSR       (1U << 7)
+ #define MSR_ARCH_CAP_TAA_NO             (1U << 8)
+#define MSR_ARCH_CAP_SBDR_SSDP_NO       (1U << 13)
+#define MSR_ARCH_CAP_FBSDP_NO           (1U << 14)
+#define MSR_ARCH_CAP_PSDP_NO            (1U << 15)
+ #define MSR_ARCH_CAP_FB_CLEAR           (1U << 17)
+#define MSR_ARCH_CAP_PBRSB_NO           (1U << 24)
+ 
+ #define MSR_CORE_CAP_SPLIT_LOCK_DETECT  (1U << 5)
+ 
+-- 
+2.41.0.windows.1
+
--- a/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch
+++ b/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch
@ -0,0 +1,112 @@
+From a7329b80a2c8a50e53da17aa4eff0ef50aa21413 Mon Sep 17 00:00:00 2001
+From: Tao Su <tao1.su@linux.intel.com>
+Date: Thu, 6 Jul 2023 13:49:45 +0800
+Subject: [PATCH] target/i386: Add support for MCDT_NO in CPUID enumeration
+
+commit 9dd8b71091f47bac395f543779269c14d8d93c60 upstream.
+
+CPUID.(EAX=7,ECX=2):EDX[bit 5] enumerates MCDT_NO. Processors enumerate
+this bit as 1 do not exhibit MXCSR Configuration Dependent Timing (MCDT)
+behavior and do not need to be mitigated to avoid data-dependent behavior
+for certain instructions.
+
+Since MCDT_NO is in a new sub-leaf, add a new CPUID feature word
+FEAT_7_2_EDX. Also update cpuid_level_func7 by FEAT_7_2_EDX.
+
+Intel-SIG: commit 9dd8b71091f4 ("target/i386: Add support for MCDT_NO in CPUID enumeration")
+Backport support for MCDT_NO in CPUID enumeration
+
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Message-ID: <20230706054949.66556-3-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: resolve conflict with FEAT_7_1_EDX which not backported yet ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/cpu.c | 26 ++++++++++++++++++++++++++
+ target/i386/cpu.h |  4 ++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index b878a1bf20..685bfca37e 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
+ #define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM
+ #define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \
+           CPUID_7_1_EAX_FSRC)
+#define TCG_7_2_EDX_FEATURES 0
+ #define TCG_APM_FEATURES 0
+ #define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT
+ #define TCG_XSAVE_FEATURES (CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1)
+@@ -886,6 +887,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+         },
+         .tcg_features = TCG_7_1_EAX_FEATURES,
+     },
+    [FEAT_7_2_EDX] = {
+        .type = CPUID_FEATURE_WORD,
+        .feat_names = {
+            NULL, NULL, NULL, NULL,
+            NULL, "mcdt-no", NULL, NULL,
+            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, NULL,
+            NULL, NULL, NULL, NULL,
+        },
+        .cpuid = {
+            .eax = 7,
+            .needs_ecx = true, .ecx = 2,
+            .reg = R_EDX,
+        },
+        .tcg_features = TCG_7_2_EDX_FEATURES,
+    },
+     [FEAT_8000_0007_EDX] = {
+         .type = CPUID_FEATURE_WORD,
+         .feat_names = {
+@@ -5531,6 +5551,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+             *ebx = 0;
+             *ecx = 0;
+             *edx = 0;
+        } else if (count == 2) {
+            *edx = env->features[FEAT_7_2_EDX];
+            *eax = 0;
+            *ebx = 0;
+            *ecx = 0;
+         } else {
+             *eax = 0;
+             *ebx = 0;
+@@ -6361,6 +6386,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
+         x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX);
+         x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX);
+         x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX);
+        x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX);
+         x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX);
+         x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX);
+         x86_cpu_adjust_feat_level(cpu, FEAT_8000_0007_EDX);
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index d9aac5acd2..edbaba0d62 100644
+--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
+@@ -601,6 +601,7 @@ typedef enum FeatureWord {
+     FEAT_SGX_12_0_EAX,  /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */
+     FEAT_SGX_12_0_EBX,  /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */
+     FEAT_SGX_12_1_EAX,  /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */
+    FEAT_7_2_EDX,       /* CPUID[EAX=7,ECX=2].EDX */
+     FEATURE_WORDS,
+ } FeatureWord;
+ 
+@@ -889,6 +890,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ /* Fast Short REP CMPS/SCAS */
+ #define CPUID_7_1_EAX_FSRC              (1U << 12)
+ 
+/* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */
+#define CPUID_7_2_EDX_MCDT_NO           (1U << 5)
+
+ /* XFD Extend Feature Disabled */
+ #define CPUID_D_1_EAX_XFD               (1U << 4)
+ 
+-- 
+2.41.0.windows.1
+
--- a/target-i386-Allow-MCDT_NO-if-host-supports.patch
+++ b/target-i386-Allow-MCDT_NO-if-host-supports.patch
@ -0,0 +1,43 @@
+From 6beadcde4d28a1e4ad3267b7702162ecf9d4541b Mon Sep 17 00:00:00 2001
+From: Tao Su <tao1.su@linux.intel.com>
+Date: Thu, 6 Jul 2023 13:49:46 +0800
+Subject: [PATCH] target/i386: Allow MCDT_NO if host supports
+
+commit ba3709feaab44631315e02cd793cfccae4c6bd2a upstream.
+
+MCDT_NO bit indicates HW contains the security fix and doesn't need to
+be mitigated to avoid data-dependent behaviour for certain instructions.
+It needs no hypervisor support. Treat it as supported regardless of what
+KVM reports.
+
+Intel-SIG: commit ba3709feaab4 ("target/i386: Allow MCDT_NO if host supports")
+Backport allowing MCDT_NO if host supports
+
+Signed-off-by: Tao Su <tao1.su@linux.intel.com>
+Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
+Message-ID: <20230706054949.66556-4-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/kvm/kvm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index d323d08dcb..55ee75e844 100644
+--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
+@@ -424,6 +424,10 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
+         uint32_t eax;
+         host_cpuid(7, 1, &eax, &unused, &unused, &unused);
+         ret |= eax & (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC);
+    } else if (function == 7 && index == 2 && reg == R_EDX) {
+        uint32_t edx;
+        host_cpuid(7, 2, &unused, &unused, &unused, &edx);
+        ret |= edx & CPUID_7_2_EDX_MCDT_NO;
+     } else if (function == 0xd && index == 0 &&
+                (reg == R_EAX || reg == R_EDX)) {
+         /*
+-- 
+2.41.0.windows.1
+
--- a/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
+++ b/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
@ -0,0 +1,47 @@
+From 93551bb8747ffc9ef26fc3ced7be310d9aa805d6 Mon Sep 17 00:00:00 2001
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Date: Fri, 23 Jun 2023 13:26:25 -0700
+Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
+
+commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream.
+
+On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that
+indicates if the CPU is not affected by a vulnerability. Without these
+bits guests may try to deploy the mitigation even if the CPU is not
+affected.
+
+Export the bits to guests that indicate immunity to hardware
+vulnerabilities.
+
+Intel-SIG: commit 5bef742cc4f0 ("target/i386: Export MSR_ARCH_CAPABILITIES bits to guests")
+Backport exporting MSR_ARCH_CAPABILITIES bits to guests
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 8adc84b7f9..b878a1bf20 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -981,10 +981,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+             "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
+             "taa-no", NULL, NULL, NULL,
+-            NULL, NULL, NULL, NULL,
+            NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",
+             NULL, "fb-clear", NULL, NULL,
+             NULL, NULL, NULL, NULL,
+-            NULL, NULL, NULL, NULL,
+            "pbrsb-no", NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+         },
+         .msr = {
+-- 
+2.41.0.windows.1
+
--- a/target-i386-add-support-for-FB_CLEAR-feature.patch
+++ b/target-i386-add-support-for-FB_CLEAR-feature.patch
@ -0,0 +1,62 @@
+From fb84b9baa665ffa4596fd871537e0544d60e40fc Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 1 Feb 2023 08:57:59 -0500
+Subject: [PATCH] target/i386: add support for FB_CLEAR feature
+
+commit 22e1094ca82d5518c1b69aff3e87c550776ae1eb upstream.
+
+As reported by the Intel's doc:
+"FB_CLEAR: The processor will overwrite fill buffer values as part of
+MD_CLEAR operations with the VERW instruction.
+On these processors, L1D_FLUSH does not overwrite fill buffer values."
+
+If this cpu feature is present in host, allow QEMU to choose whether to
+show it to the guest too.
+One disadvantage of not exposing it is that the guest will report
+a non existing vulnerability in
+/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
+because the mitigation is present only when the cpu has
+        (FLUSH_L1D and MD_CLEAR) or FB_CLEAR
+features enabled.
+
+Intel-SIG: commit 22e1094ca82d ("target/i386: add support for FB_CLEAR feature")
+Backport support for FB_CLEAR feature
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Message-Id: <20230201135759.555607-3-eesposit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 512bec3ca3..8adc84b7f9 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -982,7 +982,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
+             "taa-no", NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+-            NULL, NULL, NULL, NULL,
+            NULL, "fb-clear", NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+             NULL, NULL, NULL, NULL,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 9e094ef934..d9aac5acd2 100644
+--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
+@@ -962,6 +962,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define MSR_ARCH_CAP_PSCHANGE_MC_NO     (1U << 6)
+ #define MSR_ARCH_CAP_TSX_CTRL_MSR       (1U << 7)
+ #define MSR_ARCH_CAP_TAA_NO             (1U << 8)
+#define MSR_ARCH_CAP_FB_CLEAR           (1U << 17)
+ 
+ #define MSR_CORE_CAP_SPLIT_LOCK_DETECT  (1U << 5)
+ 
+-- 
+2.41.0.windows.1
+
--- a/target-i386-add-support-for-FLUSH_L1D-feature.patch
+++ b/target-i386-add-support-for-FLUSH_L1D-feature.patch
@ -0,0 +1,61 @@
+From dd635e4b0340a426333b466a2222e5848dfda42c Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 1 Feb 2023 08:57:58 -0500
+Subject: [PATCH] target/i386: add support for FLUSH_L1D feature
+
+commit 0e7e3bf1a552c178924867fa7c2f30ccc8a179e0 upstream.
+
+As reported by Intel's doc:
+"L1D_FLUSH: Writeback and invalidate the L1 data cache"
+
+If this cpu feature is present in host, allow QEMU to choose whether to
+show it to the guest too.
+One disadvantage of not exposing it is that the guest will report
+a non existing vulnerability in
+/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
+because the mitigation is present only when the cpu has
+	(FLUSH_L1D and MD_CLEAR) or FB_CLEAR
+features enabled.
+
+Intel-SIG: commit 0e7e3bf1a552 ("target/i386: add support for FLUSH_L1D feature")
+Backport support for FLUSH_L1D feature
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Message-Id: <20230201135759.555607-2-eesposit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng <jason.zeng@intel.com>
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 66b5eaa14e..512bec3ca3 100644
+--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
+@@ -858,7 +858,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+             "tsx-ldtrk", NULL, NULL /* pconfig */, NULL,
+             NULL, NULL, "amx-bf16", "avx512-fp16",
+             "amx-tile", "amx-int8", "spec-ctrl", "stibp",
+-            NULL, "arch-capabilities", "core-capability", "ssbd",
+            "flush-l1d", "arch-capabilities", "core-capability", "ssbd",
+         },
+         .cpuid = {
+             .eax = 7,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index d0c7791a1e..9e094ef934 100644
+--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
+@@ -869,6 +869,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define CPUID_7_0_EDX_SPEC_CTRL         (1U << 26)
+ /* Single Thread Indirect Branch Predictors */
+ #define CPUID_7_0_EDX_STIBP             (1U << 27)
+/* Flush L1D cache */
+#define CPUID_7_0_EDX_FLUSH_L1D         (1U << 28)
+ /* Arch Capabilities */
+ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
+ /* Core Capability */
+-- 
+2.41.0.windows.1
+
--- a/tests-Fix-printf-format-string-in-acpi-utils.c.patch
+++ b/tests-Fix-printf-format-string-in-acpi-utils.c.patch
@ -0,0 +1,30 @@
+From 847becf4850bc244b140644cb577e17e5ba5e732 Mon Sep 17 00:00:00 2001
+From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+Date: Thu, 26 Oct 2023 19:52:59 -0700
+Subject: [PATCH] tests: Fix printf format string in acpi-utils.c
+
+Inside of acpi_fetch_table() arguments are
+printed via fprintf but '%d' is used to print @flags (of type
+uint). Use '%u' instead.
+
+Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
+---
+ tests/qtest/acpi-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qtest/acpi-utils.c b/tests/qtest/acpi-utils.c
+index 766c48e3a6..c6f5169b80 100644
+--- a/tests/qtest/acpi-utils.c
+++ b/tests/qtest/acpi-utils.c
+@@ -103,7 +103,7 @@ void acpi_fetch_table(QTestState *qts, uint8_t **aml, uint32_t *aml_len,
+             char *fname = NULL;
+             GError *error = NULL;
+ 
+-            fprintf(stderr, "Invalid '%.4s'(%d)\n", *aml, *aml_len);
+            fprintf(stderr, "Invalid '%.4s'(%u)\n", *aml, *aml_len);
+             fd = g_file_open_tmp("malformed-XXXXXX.dat", &fname, &error);
+             g_assert_no_error(error);
+             fprintf(stderr, "Dumping invalid table into '%s'\n", fname);
+-- 
+2.41.0.windows.1
+
--- a/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
+++ b/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
@ -0,0 +1,58 @@
+From 2858029a5dbdd3fab73b1884e296daa3f3f0b1a1 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 4 Jul 2023 10:41:22 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
+---
+ ui/vnc-clipboard.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 67284b556c..c84599cfdb 100644
+--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
+@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+         ret = inflate(&stream, Z_FINISH);
+         switch (ret) {
+         case Z_OK:
+-        case Z_STREAM_END:
+             break;
+        case Z_STREAM_END:
+            *size = stream.total_out;
+            inflateEnd(&stream);
+            return out;
+         case Z_BUF_ERROR:
+             out_len <<= 1;
+             if (out_len > (1 << 20)) {
+@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+         }
+     }
+ 
+-    *size = stream.total_out;
+-    inflateEnd(&stream);
+-
+-    return out;
+-
+ err_end:
+     inflateEnd(&stream);
+ err:
+-- 
+2.41.0.windows.1
+