From 80a22cff3762f945e9d4ce5165eb9d83eaa8a436 Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Mon, 30 Oct 2023 16:29:07 +0800 Subject: [PATCH] QEMU update to version 6.2.0-83(master) - hw/virtio/virtio-pmem: Replace impossible check by assertion - tests: Fix printf format string in acpi-utils.c - softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit" - disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14 - qga: Fix memory leak when output stream is unused - ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) - target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model - target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES - target/i386: Allow MCDT_NO if host supports - target/i386: Add support for MCDT_NO in CPUID enumeration - target/i386: Export MSR_ARCH_CAPABILITIES bits to guests - target/i386: add support for FB_CLEAR feature - target/i386: add support for FLUSH_L1D feature - crypto: remove shadowed 'ret' variable - hw/i2c/pmbus_device: Fix modifying QOM class internals from instance - hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number 
Signed-off-by: Jiabo Feng --- crypto-remove-shadowed-ret-variable.patch | 36 ++++++ ...the-typo-of-inverted-order-of-pmpadd.patch | 37 ++++++ ...mp-fix-unsigned-error-when-checking-.patch | 47 ++++++++ ...ice-Fix-modifying-QOM-class-internal.patch | 63 ++++++++++ ...-pmem-Replace-impossible-check-by-as.patch | 45 +++++++ qemu.spec | 36 +++++- ...ry-leak-when-output-stream-is-unused.patch | 56 +++++++++ ...it-Add-parameter-check-for-hmp-set_v.patch | 55 +++++++++ ...few-security-fix-bits-in-ARCH_CAPABI.patch | 53 +++++++++ ...new-bit-definitions-of-MSR_IA32_ARCH.patch | 43 +++++++ ...support-for-MCDT_NO-in-CPUID-enumera.patch | 112 ++++++++++++++++++ ...-i386-Allow-MCDT_NO-if-host-supports.patch | 43 +++++++ ...rt-MSR_ARCH_CAPABILITIES-bits-to-gue.patch | 47 ++++++++ ...386-add-support-for-FB_CLEAR-feature.patch | 62 ++++++++++ ...86-add-support-for-FLUSH_L1D-feature.patch | 61 ++++++++++ ...printf-format-string-in-acpi-utils.c.patch | 30 +++++ ...-fix-infinite-loop-in-inflate_buffer.patch | 58 +++++++++ 17 files changed, 883 insertions(+), 1 deletion(-) create mode 100644 crypto-remove-shadowed-ret-variable.patch create mode 100644 disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch create mode 100644 hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch create mode 100644 hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch create mode 100644 hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch create mode 100644 qga-Fix-memory-leak-when-output-stream-is-unused.patch create mode 100644 softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch create mode 100644 target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch create mode 100644 target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch create mode 100644 target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch create mode 100644 target-i386-Allow-MCDT_NO-if-host-supports.patch create mode 100644 target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch create mode 100644 
target-i386-add-support-for-FB_CLEAR-feature.patch create mode 100644 target-i386-add-support-for-FLUSH_L1D-feature.patch create mode 100644 tests-Fix-printf-format-string-in-acpi-utils.c.patch create mode 100644 ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch diff --git a/crypto-remove-shadowed-ret-variable.patch b/crypto-remove-shadowed-ret-variable.patch new file mode 100644 index 0000000..ee0bf6d --- /dev/null +++ b/crypto-remove-shadowed-ret-variable.patch @@ -0,0 +1,36 @@ +From b055bedb3fba592ab7e73615faf29854a18b0abc Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 10 Oct 2023 15:24:35 +0800 +Subject: [PATCH] crypto: remove shadowed 'ret' variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 3cc9fe177f412494f084923149338c51dd232b9b + +Both instances of 'ret' are used to store a gnutls API return code. + +Signed-off-by: Daniel P. Berrangé +Message-ID: <20230922160644.438631-2-berrange@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Markus Armbruster +Signed-off-by: qihao_yewu +--- + crypto/tls-cipher-suites.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c +index 5e4f597464..d0df4badc0 100644 +--- a/crypto/tls-cipher-suites.c ++++ b/crypto/tls-cipher-suites.c +@@ -52,7 +52,6 @@ GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj, + byte_array = g_byte_array_new(); + + for (i = 0;; i++) { +- int ret; + unsigned idx; + const char *name; + IANA_TLS_CIPHER cipher; +-- +2.41.0.windows.1 + diff --git a/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch b/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch new file mode 100644 index 0000000..3185723 --- /dev/null +++ b/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch 
@@ -0,0 +1,37 @@ +From 80fd3d8f92b8a2c3b640d1dfa436da8331b37b01 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 16 Oct 2023 09:47:25 +0800 +Subject: [PATCH] disas/riscv: Fix the typo of inverted order of pmpaddr13 and + pmpaddr14 + +cheery-pick from cffa9954908830276c93b430681f66cc0e599aef + +Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name(). + +Signed-off-by: Alvin Chang +Reviewed-by: Alistair Francis +Message-ID: <20230907084500.328-1-alvinga@andestech.com> +Signed-off-by: Alistair Francis +Signed-off-by: qihao_yewu +--- + disas/riscv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/disas/riscv.c b/disas/riscv.c +index 6768ec8188..ad7b978815 100644 +--- a/disas/riscv.c ++++ b/disas/riscv.c +@@ -1307,8 +1307,8 @@ static const char *csr_name(int csrno) + case 0x03ba: return "pmpaddr10"; + case 0x03bb: return "pmpaddr11"; + case 0x03bc: return "pmpaddr12"; +- case 0x03bd: return "pmpaddr14"; +- case 0x03be: return "pmpaddr13"; ++ case 0x03bd: return "pmpaddr13"; ++ case 0x03be: return "pmpaddr14"; + case 0x03bf: return "pmpaddr15"; + case 0x0780: return "mtohost"; + case 0x0781: return "mfromhost"; +-- +2.41.0.windows.1 + diff --git a/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch b/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch new file mode 100644 index 0000000..0968345 --- /dev/null +++ b/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch 
@@ -0,0 +1,47 @@ +From a1ecbf056603b4fabf8b5ab8a79f70a27fef06ee Mon Sep 17 00:00:00 2001 +From: jipengfei_yewu +Date: Sun, 24 Sep 2023 19:39:33 +0800 +Subject: [PATCH] hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs + number +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When passing --smp with a number lower than XLNX_ZYNQMP_NUM_APU_CPUS, +the expression (ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS) will result +in a positive number as ms->smp.cpus is a unsigned int. +This will raise the following error afterwards, as Qemu will try to +instantiate some additional RPUs. + | $ qemu-system-aarch64 --smp 1 -M xlnx-zcu102 + | ** + | ERROR:../src/tcg/tcg.c:777:tcg_register_thread: + | assertion failed: (n < tcg_max_ctxs) + +cheery-pick from c9ba1c9f02cfede5329f504cdda6fd3a256e0434 + +Signed-off-by: jipengfei_yewu +Signed-off-by: Clément Chigot +Reviewed-by: Francisco Iglesias +Tested-by: Francisco Iglesias +Message-id: 20230524143714.565792-1-chigot@adacore.com +Signed-off-by: Peter Maydell +--- + hw/arm/xlnx-zynqmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c +index 1c52a575aa..2ffc6df70b 100644 +--- a/hw/arm/xlnx-zynqmp.c ++++ b/hw/arm/xlnx-zynqmp.c +@@ -194,7 +194,7 @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s, + const char *boot_cpu, Error **errp) + { + int i; +- int num_rpus = MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS, ++ int num_rpus = MIN((int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS), + XLNX_ZYNQMP_NUM_RPU_CPUS); + + if (num_rpus <= 0) { +-- +2.41.0.windows.1 + diff --git a/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch b/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch new file mode 100644 index 0000000..9b528ba --- /dev/null +++ b/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch 
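Review bot: The `(int)` cast in the new `num_rpus` initializer converts a value that has already wrapped as `unsigned int` (for `--smp 1` the subtraction yields `UINT_MAX - 2`), and converting an out-of-range unsigned value to `int` is implementation-defined in C11 rather than guaranteed to come out negative; it does what is wanted on GCC/Clang two's-complement targets, but the intent is hidden behind the cast. Testing before subtracting states the intent and needs no cast: `int num_rpus = ms->smp.cpus > XLNX_ZYNQMP_NUM_APU_CPUS ? MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS, XLNX_ZYNQMP_NUM_RPU_CPUS) : 0;`. The existing `if (num_rpus <= 0)` guard just below still works with that form. The body of `xlnx_zynqmp_create_rpu()` continues past the end of the hunk.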
@@ -0,0 +1,63 @@ +From b2314562968c124503dbd08529a2bef39701aaa7 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 6 Sep 2023 20:30:27 +0800 +Subject: [PATCH] hw/i2c/pmbus_device: Fix modifying QOM class internals from + instance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from f0e4588fd4ae39d1ad46f19c76ed298f89e61d6a + +QOM object instance should not modify its class state (because +all other objects instanciated from this class get affected). + +Instead of modifying the PMBusDeviceClass 'device_num_pages' field +the first time a instance is initialized (in pmbus_pages_alloc), +introduce a new pmbus_pages_num() helper which returns the page +number from the class without modifying the class state. + +The code logic become slighly simplified. + +Inspired-by: Bernhard Beschow +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Richard Henderson +Message-Id: <20230523064408.57941-4-philmd@linaro.org> +Signed-off-by: qihao_yewu +--- + hw/i2c/pmbus_device.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c +index 24f8f522d9..f39cd532de 100644 +--- a/hw/i2c/pmbus_device.c ++++ b/hw/i2c/pmbus_device.c +@@ -166,15 +166,18 @@ static void pmbus_quick_cmd(SMBusDevice *smd, uint8_t read) + } + } + +-static void pmbus_pages_alloc(PMBusDevice *pmdev) ++static uint8_t pmbus_pages_num(PMBusDevice *pmdev) + { ++ const PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev); ++ + /* some PMBus devices don't use the PAGE command, so they get 1 page */ +- PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev); +- if (k->device_num_pages == 0) { +- k->device_num_pages = 1; +- } +- pmdev->num_pages = k->device_num_pages; +- pmdev->pages = g_new0(PMBusPage, k->device_num_pages); ++ return k->device_num_pages ? 
: 1; ++} ++ ++static void pmbus_pages_alloc(PMBusDevice *pmdev) ++{ ++ pmdev->num_pages = pmbus_pages_num(pmdev); ++ pmdev->pages = g_new0(PMBusPage, pmdev->num_pages); + } + + void pmbus_check_limits(PMBusDevice *pmdev) +-- +2.41.0.windows.1 + diff --git a/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch b/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch new file mode 100644 index 0000000..4721ee7 --- /dev/null +++ b/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch @@ -0,0 +1,45 @@ +From 12eed71f72cbb5d81b14f66fde254058f121979a Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 25 Oct 2023 17:44:42 +0800 +Subject: [PATCH] hw/virtio/virtio-pmem: Replace impossible check by assertion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 184256d261cfc773360f14a80092ace5a716bb8f + +The get_memory_region() handler is used when (un)plugging the +device, which can only occur *after* it is realized. + +virtio_pmem_realize() ensure the instance can not be realized +without 'memdev'. Remove the superfluous check, replacing it +by an assertion. + +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Manos Pitsidianakis +Message-Id: <20231017140150.44995-2-philmd@linaro.org> +Signed-off-by: qihao_yewu +--- + hw/virtio/virtio-pmem.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c +index d1aeb90a31..39f3949a3b 100644 +--- a/hw/virtio/virtio-pmem.c ++++ b/hw/virtio/virtio-pmem.c +@@ -149,10 +149,7 @@ static void virtio_pmem_fill_device_info(const VirtIOPMEM *pmem, + static MemoryRegion *virtio_pmem_get_memory_region(VirtIOPMEM *pmem, + Error **errp) + { +- if (!pmem->memdev) { +- error_setg(errp, "'%s' property must be set", VIRTIO_PMEM_MEMDEV_PROP); +- return NULL; +- } ++ assert(pmem->memdev); + + return &pmem->memdev->mr; + } +-- +2.41.0.windows.1 + 
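Review bot: `pmbus_pages_num()` is declared to return `uint8_t`, while the types of `PMBusDeviceClass::device_num_pages` and of `pmdev->num_pages` are not visible in this hunk; if either is wider than 8 bits the helper silently truncates a page count above 255 before `g_new0()` sizes the array, and the array would then be indexed by the wider count. Assuming both fields are already `uint8_t` (which is what a one-byte PMBus PAGE argument suggests, but should be checked against pmbus_device.h) this is fine and only deserves a comment on the helper: `/* PAGE is a one-byte command argument, so uint8_t cannot truncate here. */`; otherwise declare the helper with the field's type. Moving the "devices without PAGE get one page" comment into the helper next to the ternary keeps the fallback documented where it happens, which is good.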
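Review bot: After this change `virtio_pmem_get_memory_region()` never touches its `Error **errp` parameter, so the only remaining failure path is the hard `assert(pmem->memdev)`; the commit message explains why that is safe, but nothing in the function records the precondition for the next caller. A one-line comment above the assertion makes the contract visible: `/* Only reached on (un)plug, after realize has rejected a missing 'memdev'. */`. This also relies on QEMU's build rejecting NDEBUG (osdep.h does, as far as I recall) so the assertion cannot compile away into a NULL dereference of `pmem->memdev->mr`; worth a quick check on this 6.2 branch.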
diff --git a/qemu.spec b/qemu.spec index cfe6913..7e42c71 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 82 +Release: 83 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -583,6 +583,22 @@ Patch0568: hw-vfio-pci-quirks-Sanitize-capability-pointer.patch Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch +Patch0572: hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch +Patch0573: hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch +Patch0574: crypto-remove-shadowed-ret-variable.patch +Patch0575: target-i386-add-support-for-FLUSH_L1D-feature.patch +Patch0576: target-i386-add-support-for-FB_CLEAR-feature.patch +Patch0577: target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch +Patch0578: target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch +Patch0579: target-i386-Allow-MCDT_NO-if-host-supports.patch +Patch0580: target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch +Patch0581: target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch +Patch0582: ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch +Patch0583: qga-Fix-memory-leak-when-output-stream-is-unused.patch +Patch0584: disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch +Patch0585: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch +Patch0586: tests-Fix-printf-format-string-in-acpi-utils.c.patch +Patch0587: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch BuildRequires: flex BuildRequires: gcc 
@@ -1156,6 +1172,24 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Oct 30 2023 - 10:6.2.0-83 +- hw/virtio/virtio-pmem: Replace impossible check by assertion +- tests: Fix printf format string in acpi-utils.c +- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit" +- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14 +- qga: Fix memory leak when output stream is unused +- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) +- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model +- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES +- target/i386: Allow MCDT_NO if host supports +- target/i386: Add support for MCDT_NO in CPUID enumeration +- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests +- target/i386: add support for FB_CLEAR feature +- target/i386: add support for FLUSH_L1D feature +- crypto: remove shadowed 'ret' variable +- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance +- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number + * Mon Oct 30 2023 - 10:6.2.0-82 - thread-pool: optimize scheduling of completion bottom half - migration/rdma: zore out head.repeat to make the error more clear diff --git a/qga-Fix-memory-leak-when-output-stream-is-unused.patch b/qga-Fix-memory-leak-when-output-stream-is-unused.patch new file mode 100644 index 0000000..b05a65c --- /dev/null +++ b/qga-Fix-memory-leak-when-output-stream-is-unused.patch 
@@ -0,0 +1,56 @@ +From 877d97f7e7b88c9cb8754bece152dc27a2a0f47a Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 16 Oct 2023 10:22:03 +0800 +Subject: [PATCH] qga: Fix memory leak when output stream is unused + +cheery-pick from d6f67b83b81bf49b5c62e77143ed39c020e51830 + +If capture-output is requested but one of the channels goes unused (eg. +we attempt to capture stderr but the command never writes to stderr), we +can leak memory. + +guest_exec_output_watch() is (from what I understand) unconditionally +called for both streams if output capture is requested. The first call +will always pass the `p->size == p->length` check b/c both values are +0. Then GUEST_EXEC_IO_SIZE bytes will be allocated for the stream. + +But when we reap the exited process there's a `gei->err.length > 0` +check to actually free the buffer. Which does not get run if the command +doesn't write to the stream. + +Fix by making free() unconditional. + +Reviewed-by: Konstantin Kostiuk +Signed-off-by: Daniel Xu +Signed-off-by: Konstantin Kostiuk +Signed-off-by: qihao_yewu +--- + qga/commands.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/qga/commands.c b/qga/commands.c +index 80501e4a73..05f89725be 100644 +--- a/qga/commands.c ++++ b/qga/commands.c +@@ -210,16 +210,16 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **errp) + if (gei->out.length > 0) { + ges->has_out_data = true; + ges->out_data = g_base64_encode(gei->out.data, gei->out.length); +- g_free(gei->out.data); + ges->has_out_truncated = gei->out.truncated; + } ++ g_free(gei->out.data); + + if (gei->err.length > 0) { + ges->has_err_data = true; + ges->err_data = g_base64_encode(gei->err.data, gei->err.length); +- g_free(gei->err.data); + ges->has_err_truncated = gei->err.truncated; + } ++ g_free(gei->err.data); + + QTAILQ_REMOVE(&guest_exec_state.processes, gei, next); + g_free(gei); +-- +2.41.0.windows.1 + 
diff --git a/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch b/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch new file mode 100644 index 0000000..4fd759b --- /dev/null +++ b/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch 
@@ -0,0 +1,55 @@ +From 381500cc0b96e85165ae0314839c34976a4da1b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?= + +Date: Fri, 18 Nov 2022 10:08:54 +0800 +Subject: [PATCH] softmmu/dirtylimit: Add parameter check for hmp + "set_vcpu_dirty_limit" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +dirty_rate paraemter of hmp command "set_vcpu_dirty_limit" is invalid +if less than 0, so add parameter check for it. + +Note that this patch also delete the unsolicited help message and +clean up the code. + +Signed-off-by: Hyman Huang(黄勇) +Reviewed-by: Markus Armbruster +Reviewed-by: Peter Xu +Reviewed-by: Juan Quintela +Message-Id: <168618975839.6361.17407633874747688653-1@git.sr.ht> +Signed-off-by: Juan Quintela +--- + softmmu/dirtylimit.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c +index 8d98cb7f2c..5041c230d0 100644 +--- a/softmmu/dirtylimit.c ++++ b/softmmu/dirtylimit.c +@@ -515,14 +515,15 @@ void hmp_set_vcpu_dirty_limit(Monitor *mon, const QDict *qdict) + int64_t cpu_index = qdict_get_try_int(qdict, "cpu_index", -1); + Error *err = NULL; + +- qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err); +- if (err) { +- hmp_handle_error(mon, err); +- return; ++ if (dirty_rate < 0) { ++ error_setg(&err, "invalid dirty page limit %" PRId64, dirty_rate); ++ goto out; + } + +- monitor_printf(mon, "[Please use 'info vcpu_dirty_limit' to query " +- "dirty limit for virtual CPU]\n"); ++ qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err); ++ ++out: ++ hmp_handle_error(mon, err); + } + + static struct DirtyLimitInfo *dirtylimit_query_vcpu(int cpu_index) +-- +2.41.0.windows.1 + diff --git a/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch b/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch new file mode 100644 index 0000000..0db8839 --- /dev/null 
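Review bot: The new `dirty_rate < 0` guard in `hmp_set_vcpu_dirty_limit()` makes the success path fall through to `hmp_handle_error(mon, err)` with `err == NULL`; that is correct only because `hmp_handle_error()` is a no-op for a NULL error (it is in upstream QEMU), so the `out:` label silently relies on that contract and a short comment there would help, e.g. `/* hmp_handle_error() ignores a NULL err */`. The restructured call `qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);` keeps a redundant `!!` on an expression that is already boolean; `cpu_index != -1` reads cleaner. `dirty_rate` itself is declared above the hunk, so its type, and whether a limit of 0 (which the new check still accepts) is meaningful, cannot be confirmed from here.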
+++ b/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch @@ -0,0 +1,53 @@ +From 732cb06c9b652cf899e9f329ad74ec3dae3d18b2 Mon Sep 17 00:00:00 2001 +From: Lei Wang +Date: Thu, 6 Jul 2023 13:49:48 +0800 +Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES + into SapphireRapids CPU model + +commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream. + +SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES +enabled, which are related to some security fixes. + +Add version 2 of SapphireRapids CPU model with those bits enabled also. + +Intel-SIG: commit 3baf7ae63505 ("target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model") +Backport support of SapphireRapids CPU Model version 2 + +Signed-off-by: Lei Wang +Signed-off-by: Tao Su +Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 685bfca37e..eb911b12fa 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -3675,8 +3675,17 @@ static const X86CPUDefinition builtin_x86_defs[] = { + .model_id = "Intel Xeon Processor (SapphireRapids)", + .versions = (X86CPUVersionDefinition[]) { + { .version = 1 }, +- { /* end of list */ }, +- }, ++ { ++ .version = 2, ++ .props = (PropValue[]) { ++ { "sbdr-ssdp-no", "on" }, ++ { "fbsdp-no", "on" }, ++ { "psdp-no", "on" }, ++ { /* end of list */ } ++ } ++ }, ++ { /* end of list */ } ++ } + }, + { + .name = "Denverton", +-- +2.41.0.windows.1 + diff --git a/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch b/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch new file mode 100644 index 0000000..b0b8116 --- /dev/null +++ b/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch 
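Review bot: Adding version 2 of SapphireRapids changes what an unversioned `-cpu SapphireRapids` resolves to on machine types whose default CPU version is "latest", so on this stable 6.2 branch a guest started with the plain name can pick up `sbdr-ssdp-no`, `fbsdp-no` and `psdp-no` after the package update; on a host whose MSR_IA32_ARCH_CAPABILITIES lacks those bits, `enforce` will then refuse to start and, without it, QEMU (as far as I recall) warns and drops them, which quietly changes the guest-visible feature set across a migration between -82 and -83 hosts. That matches upstream, but it deserves a line in the package changelog and a `.note` in the version-2 entry, as other versioned models in cpu.c carry, e.g. `.note = "ARCH_CAPABILITIES: SBDR_SSDP_NO, FBSDP_NO, PSDP_NO"`. The `builtin_x86_defs[]` entry being edited starts and ends outside the hunk.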
@@ -0,0 +1,43 @@ +From cdd89390a5e8fb55515798ab4ec5ec5fd6fed32b Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:47 +0800 +Subject: [PATCH] target/i386: Add new bit definitions of + MSR_IA32_ARCH_CAPABILITIES + +commit 6c43ec3b206956a8a3008accafe9eb2dfd885190 upstream. + +Currently, bit 13, 14, 15 and 24 of MSR_IA32_ARCH_CAPABILITIES are +disclosed for fixing security issues, so add those bit definitions. + +Intel-SIG: commit 6c43ec3b2069 ("target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES") +Backport new bit definitions of MSR_IA32_ARCH_CAPABILITIES + +Signed-off-by: Tao Su +Reviewed-by: Igor Mammedov +Message-ID: <20230706054949.66556-5-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index edbaba0d62..37c687d4d8 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -966,7 +966,11 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6) + #define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7) + #define MSR_ARCH_CAP_TAA_NO (1U << 8) ++#define MSR_ARCH_CAP_SBDR_SSDP_NO (1U << 13) ++#define MSR_ARCH_CAP_FBSDP_NO (1U << 14) ++#define MSR_ARCH_CAP_PSDP_NO (1U << 15) + #define MSR_ARCH_CAP_FB_CLEAR (1U << 17) ++#define MSR_ARCH_CAP_PBRSB_NO (1U << 24) + + #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5) + +-- +2.41.0.windows.1 + diff --git a/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch b/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch new file mode 100644 index 0000000..0dbfc10 --- /dev/null +++ b/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch 
@@ -0,0 +1,112 @@ +From a7329b80a2c8a50e53da17aa4eff0ef50aa21413 Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:45 +0800 +Subject: [PATCH] target/i386: Add support for MCDT_NO in CPUID enumeration + +commit 9dd8b71091f47bac395f543779269c14d8d93c60 upstream. + +CPUID.(EAX=7,ECX=2):EDX[bit 5] enumerates MCDT_NO. Processors enumerate +this bit as 1 do not exhibit MXCSR Configuration Dependent Timing (MCDT) +behavior and do not need to be mitigated to avoid data-dependent behavior +for certain instructions. + +Since MCDT_NO is in a new sub-leaf, add a new CPUID feature word +FEAT_7_2_EDX. Also update cpuid_level_func7 by FEAT_7_2_EDX. + +Intel-SIG: commit 9dd8b71091f4 ("target/i386: Add support for MCDT_NO in CPUID enumeration") +Backport support for MCDT_NO in CPUID enumeration + +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-ID: <20230706054949.66556-3-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: resolve conflict with FEAT_7_1_EDX which not backported yet ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 26 ++++++++++++++++++++++++++ + target/i386/cpu.h | 4 ++++ + 2 files changed, 30 insertions(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index b878a1bf20..685bfca37e 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1, + #define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM + #define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \ + CPUID_7_1_EAX_FSRC) ++#define TCG_7_2_EDX_FEATURES 0 + #define TCG_APM_FEATURES 0 + #define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT + #define TCG_XSAVE_FEATURES (CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1) +@@ -886,6 +887,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + }, + .tcg_features = TCG_7_1_EAX_FEATURES, + }, ++ [FEAT_7_2_EDX] = { ++ .type = CPUID_FEATURE_WORD, ++ .feat_names = { ++ NULL, NULL, NULL, NULL, ++ NULL, "mcdt-no", NULL, NULL, ++ NULL, NULL, NULL, 
NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ }, ++ .cpuid = { ++ .eax = 7, ++ .needs_ecx = true, .ecx = 2, ++ .reg = R_EDX, ++ }, ++ .tcg_features = TCG_7_2_EDX_FEATURES, ++ }, + [FEAT_8000_0007_EDX] = { + .type = CPUID_FEATURE_WORD, + .feat_names = { +@@ -5531,6 +5551,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, + *ebx = 0; + *ecx = 0; + *edx = 0; ++ } else if (count == 2) { ++ *edx = env->features[FEAT_7_2_EDX]; ++ *eax = 0; ++ *ebx = 0; ++ *ecx = 0; + } else { + *eax = 0; + *ebx = 0; +@@ -6361,6 +6386,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp) + x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX); + x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX); + x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX); ++ x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0007_EDX); +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index d9aac5acd2..edbaba0d62 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -601,6 +601,7 @@ typedef enum FeatureWord { + FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */ + FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */ + FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */ ++ FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */ + FEATURE_WORDS, + } FeatureWord; + +@@ -889,6 +890,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + /* Fast Short REP CMPS/SCAS */ + #define CPUID_7_1_EAX_FSRC (1U << 12) + ++/* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */ ++#define CPUID_7_2_EDX_MCDT_NO (1U << 5) ++ + /* XFD Extend Feature Disabled */ + #define CPUID_D_1_EAX_XFD (1U << 4) + +-- +2.41.0.windows.1 + 
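Review bot: `FEAT_7_2_EDX` is appended at the tail of `FeatureWord`, after the SGX words, rather than next to `FEAT_7_1_EAX` where upstream keeps it; the backport trailer says this sidesteps a conflict with the not-yet-backported `FEAT_7_1_EDX`, but the enum itself does not say so, and whoever backports FEAT_7_1_EDX next will have to rediscover why. Extending the trailing comment is enough: `FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX; kept at the tail until FEAT_7_1_EDX is backported */`. The rest looks consistent: `.needs_ecx = true, .ecx = 2` presumably lets `x86_cpu_adjust_feat_level()` raise `cpuid_level_func7` so a guest enumerating sub-leaf 2 reaches the new `count == 2` branch in `cpu_x86_cpuid()`, and the 32-entry `feat_names` table puts "mcdt-no" at bit 5 to match `CPUID_7_2_EDX_MCDT_NO`. Both modified functions start and end outside the hunk.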
diff --git a/target-i386-Allow-MCDT_NO-if-host-supports.patch b/target-i386-Allow-MCDT_NO-if-host-supports.patch new file mode 100644 index 0000000..a95c27e --- /dev/null +++ b/target-i386-Allow-MCDT_NO-if-host-supports.patch @@ -0,0 +1,43 @@ +From 6beadcde4d28a1e4ad3267b7702162ecf9d4541b Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:46 +0800 +Subject: [PATCH] target/i386: Allow MCDT_NO if host supports + +commit ba3709feaab44631315e02cd793cfccae4c6bd2a upstream. + +MCDT_NO bit indicates HW contains the security fix and doesn't need to +be mitigated to avoid data-dependent behaviour for certain instructions. +It needs no hypervisor support. Treat it as supported regardless of what +KVM reports. + +Intel-SIG: commit ba3709feaab4 ("target/i386: Allow MCDT_NO if host supports") +Backport allowing MCDT_NO if host supports + +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-ID: <20230706054949.66556-4-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/kvm/kvm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c +index d323d08dcb..55ee75e844 100644 +--- a/target/i386/kvm/kvm.c ++++ b/target/i386/kvm/kvm.c +@@ -424,6 +424,10 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, + uint32_t eax; + host_cpuid(7, 1, &eax, &unused, &unused, &unused); + ret |= eax & (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC); ++ } else if (function == 7 && index == 2 && reg == R_EDX) { ++ uint32_t edx; ++ host_cpuid(7, 2, &unused, &unused, &unused, &edx); ++ ret |= edx & CPUID_7_2_EDX_MCDT_NO; + } else if (function == 0xd && index == 0 && + (reg == R_EAX || reg == R_EDX)) { + /* +-- +2.41.0.windows.1 + diff --git a/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch b/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch new file mode 100644 index 0000000..ac4e016 --- /dev/null 
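Review bot: The new `function == 7 && index == 2` branch ORs in the raw host bit from `host_cpuid(7, 2, ...)` without checking that the host's CPUID.7.0:EAX maximum sub-leaf is at least 2; Intel documents that out-of-range sub-leaves of leaf 7 return zeros, so the bit cannot leak there, but on other vendors or unusual firmware that is an assumption worth writing down. A short comment keeps the reasoning with the code: `/* MCDT_NO needs no KVM support; leaf 7 sub-leaves past the host maximum read as 0. */`. Exposing the bit straight from the host also means a guest migrated to a host without MCDT_NO keeps believing it is unaffected, the same trade-off the `*_NO` ARCH_CAPABILITIES bits already carry. The `unused` scratch variable and the rest of `kvm_arch_get_supported_cpuid()` are outside the hunk.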
+++ b/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch @@ -0,0 +1,47 @@ +From 93551bb8747ffc9ef26fc3ced7be310d9aa805d6 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Fri, 23 Jun 2023 13:26:25 -0700 +Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests + +commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream. + +On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that +indicates if the CPU is not affected by a vulnerability. Without these +bits guests may try to deploy the mitigation even if the CPU is not +affected. + +Export the bits to guests that indicate immunity to hardware +vulnerabilities. + +Intel-SIG: commit 5bef742cc4f0 ("target/i386: Export MSR_ARCH_CAPABILITIES bits to guests") +Backport exporting MSR_ARCH_CAPABILITIES bits to guests + +Signed-off-by: Pawan Gupta +Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 8adc84b7f9..b878a1bf20 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -981,10 +981,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", + "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl", + "taa-no", NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no", + NULL, "fb-clear", NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ "pbrsb-no", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .msr = { +-- +2.41.0.windows.1 + diff --git a/target-i386-add-support-for-FB_CLEAR-feature.patch b/target-i386-add-support-for-FB_CLEAR-feature.patch new file mode 100644 index 0000000..6218643 --- /dev/null +++ b/target-i386-add-support-for-FB_CLEAR-feature.patch 
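Review bot: Naming `sbdr-ssdp-no`, `fbsdp-no`, `psdp-no` and `pbrsb-no` lets an operator turn them on explicitly, and each one tells the guest it is not affected by a vulnerability and may skip the mitigation; the hunk contains no gate, so safety depends on the feature word's `.msr` entry just below it letting KVM's reported MSR_IA32_ARCH_CAPABILITIES reject bits the host lacks, which should be confirmed on this 6.2 backport rather than assumed. The positions agree with the new cpu.h defines: the fourth row covers bits 12-15 so the three names land on 13, 14 and 15, and "pbrsb-no" at the start of the seventh row is bit 24. The `feature_word_info[]` entry starts and ends outside the hunk.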
@@ -0,0 +1,62 @@
+From fb84b9baa665ffa4596fd871537e0544d60e40fc Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito
+Date: Wed, 1 Feb 2023 08:57:59 -0500
+Subject: [PATCH] target/i386: add support for FB_CLEAR feature
+
+commit 22e1094ca82d5518c1b69aff3e87c550776ae1eb upstream.
+
+As reported by the Intel's doc:
+"FB_CLEAR: The processor will overwrite fill buffer values as part of
+MD_CLEAR operations with the VERW instruction.
+On these processors, L1D_FLUSH does not overwrite fill buffer values."
+
+If this cpu feature is present in host, allow QEMU to choose whether to
+show it to the guest too.
+One disadvantage of not exposing it is that the guest will report
+a non existing vulnerability in
+/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
+because the mitigation is present only when the cpu has
+ (FLUSH_L1D and MD_CLEAR) or FB_CLEAR
+features enabled.
+
+Intel-SIG: commit 22e1094ca82d ("target/i386: add support for FB_CLEAR feature")
+Backport support for FB_CLEAR feature
+
+Signed-off-by: Emanuele Giuseppe Esposito
+Message-Id: <20230201135759.555607-3-eesposit@redhat.com>
+Signed-off-by: Paolo Bonzini
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 512bec3ca3..8adc84b7f9 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -982,7 +982,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
+ "taa-no", NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, "fb-clear", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 9e094ef934..d9aac5acd2 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -962,6 +962,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
+ #define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
+ #define MSR_ARCH_CAP_TAA_NO (1U << 8)
++#define MSR_ARCH_CAP_FB_CLEAR (1U << 17)
+
+ #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
+
+--
+2.41.0.windows.1
+
diff --git a/target-i386-add-support-for-FLUSH_L1D-feature.patch b/target-i386-add-support-for-FLUSH_L1D-feature.patch
new file mode 100644
index 0000000..1853829
--- /dev/null
+++ b/target-i386-add-support-for-FLUSH_L1D-feature.patch
@@ -0,0 +1,61 @@
+From dd635e4b0340a426333b466a2222e5848dfda42c Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito
+Date: Wed, 1 Feb 2023 08:57:58 -0500
+Subject: [PATCH] target/i386: add support for FLUSH_L1D feature
+
+commit 0e7e3bf1a552c178924867fa7c2f30ccc8a179e0 upstream.
+
+As reported by Intel's doc:
+"L1D_FLUSH: Writeback and invalidate the L1 data cache"
+
+If this cpu feature is present in host, allow QEMU to choose whether to
+show it to the guest too.
+One disadvantage of not exposing it is that the guest will report
+a non existing vulnerability in
+/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
+because the mitigation is present only when the cpu has
+ (FLUSH_L1D and MD_CLEAR) or FB_CLEAR
+features enabled.
+
+Intel-SIG: commit 0e7e3bf1a552 ("target/i386: add support for FLUSH_L1D feature")
+Backport support for FLUSH_L1D feature
+
+Signed-off-by: Emanuele Giuseppe Esposito
+Message-Id: <20230201135759.555607-2-eesposit@redhat.com>
+Signed-off-by: Paolo Bonzini
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 66b5eaa14e..512bec3ca3 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -858,7 +858,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ "tsx-ldtrk", NULL, NULL /* pconfig */, NULL,
+ NULL, NULL, "amx-bf16", "avx512-fp16",
+ "amx-tile", "amx-int8", "spec-ctrl", "stibp",
+- NULL, "arch-capabilities", "core-capability", "ssbd",
++ "flush-l1d", "arch-capabilities", "core-capability", "ssbd",
+ },
+ .cpuid = {
+ .eax = 7,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index d0c7791a1e..9e094ef934 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -869,6 +869,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
+ /* Single Thread Indirect Branch Predictors */
+ #define CPUID_7_0_EDX_STIBP (1U << 27)
++/* Flush L1D cache */
++#define CPUID_7_0_EDX_FLUSH_L1D (1U << 28)
+ /* Arch Capabilities */
+ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
+ /* Core Capability */
+--
+2.41.0.windows.1
+
diff --git a/tests-Fix-printf-format-string-in-acpi-utils.c.patch b/tests-Fix-printf-format-string-in-acpi-utils.c.patch
new file mode 100644
index 0000000..063584b
--- /dev/null
+++ b/tests-Fix-printf-format-string-in-acpi-utils.c.patch
@@ -0,0 +1,30 @@
+From 847becf4850bc244b140644cb577e17e5ba5e732 Mon Sep 17 00:00:00 2001
+From: zhujun2
+Date: Thu, 26 Oct 2023 19:52:59 -0700
+Subject: [PATCH] tests: Fix printf format string in acpi-utils.c
+
+Inside of acpi_fetch_table() arguments are
+printed via fprintf but '%d' is used to print @flags (of type
+uint). Use '%u' instead.
+
+Signed-off-by: zhujun2
+---
+ tests/qtest/acpi-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qtest/acpi-utils.c b/tests/qtest/acpi-utils.c
+index 766c48e3a6..c6f5169b80 100644
+--- a/tests/qtest/acpi-utils.c
++++ b/tests/qtest/acpi-utils.c
+@@ -103,7 +103,7 @@ void acpi_fetch_table(QTestState *qts, uint8_t **aml, uint32_t *aml_len,
+ char *fname = NULL;
+ GError *error = NULL;
+
+- fprintf(stderr, "Invalid '%.4s'(%d)\n", *aml, *aml_len);
++ fprintf(stderr, "Invalid '%.4s'(%u)\n", *aml, *aml_len);
+ fd = g_file_open_tmp("malformed-XXXXXX.dat", &fname, &error);
+ g_assert_no_error(error);
+ fprintf(stderr, "Dumping invalid table into '%s'\n", fname);
+--
+2.41.0.windows.1
+
diff --git a/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch b/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
new file mode 100644
index 0000000..ceb609c
--- /dev/null
+++ b/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
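Review bot: `%u` matches `*aml_len` only because `uint32_t` happens to be `unsigned int` on every host QEMU builds on; the parameter is declared `uint32_t *aml_len` in the hunk header, so the exact specifier is `PRIu32`, i.e. `fprintf(stderr, "Invalid '%.4s'(%" PRIu32 ")\n", *aml, *aml_len);` (`<inttypes.h>` is available through qemu/osdep.h). The commit log also says the argument is `@flags` of type `uint`, but the line being changed prints `*aml_len`; the log should name the variable actually printed so the change stays traceable. acpi_fetch_table's body continues outside the hunk.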
@@ -0,0 +1,58 @@
+From 2858029a5dbdd3fab73b1884e296daa3f3f0b1a1 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Tue, 4 Jul 2023 10:41:22 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Tested-by: Marc-André Lureau
+Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
+---
+ ui/vnc-clipboard.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 67284b556c..c84599cfdb 100644
+--- a/ui/vnc-clipboard.c
++++ b/ui/vnc-clipboard.c
+@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+ ret = inflate(&stream, Z_FINISH);
+ switch (ret) {
+ case Z_OK:
+- case Z_STREAM_END:
+ break;
++ case Z_STREAM_END:
++ *size = stream.total_out;
++ inflateEnd(&stream);
++ return out;
+ case Z_BUF_ERROR:
+ out_len <<= 1;
+ if (out_len > (1 << 20)) {
+@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+ }
+ }
+
+- *size = stream.total_out;
+- inflateEnd(&stream);
+-
+- return out;
+-
+ err_end:
+ inflateEnd(&stream);
+ err:
+--
+2.41.0.windows.1
+
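Review bot: With the early return moved into the `Z_STREAM_END` case, a stream that consumes all of its input without ever reaching `Z_STREAM_END` (a truncated payload) now runs off the end of the loop into `err_end:` and is rejected, where the removed lines used to return the partial buffer; that is the right outcome for untrusted clipboard data, but it is implicit, and the loop header that produces it sits outside this hunk, so I'd state it in place of the removed lines: `/* input exhausted without Z_STREAM_END: truncated stream, reject it */`. The `Z_STREAM_END` case also deserves a line on why it must return rather than `break`: `/* stop here: bytes left in avail_in are trailing data that would otherwise be re-fed to inflate() forever (CVE-2023-3255) */`. The `out_len > (1 << 20)` check in the `Z_BUF_ERROR` branch is what bounds output memory against a hostile input; keep it adjacent to this fix when rebasing.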