Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
14 files changed, 1799 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch new file mode 100644 index 0000000000..659e6be45d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 0f1f2d4596aee037d3ccbcf10592466daa54107f Mon Sep 17 00:00:00 2001 | ||
2 | From: Laurent Vivier <laurent@vivier.eu> | ||
3 | Date: Tue, 12 Nov 2019 15:25:56 +0100 | ||
4 | Subject: [PATCH] linux-user: remove host stime() syscall | ||
5 | |||
6 | stime() has been withdrawn from glibc | ||
7 | (12cbde1dae6f "Use clock_settime to implement stime; withdraw stime.") | ||
8 | |||
9 | Implement the target stime() syscall using host | ||
10 | clock_settime(CLOCK_REALTIME, ...) as it is done internally in glibc. | ||
11 | |||
12 | Tested qemu-ppc/x86_64 with: | ||
13 | |||
14 | #include <time.h> | ||
15 | #include <stdio.h> | ||
16 | |||
17 | int main(void) | ||
18 | { | ||
19 | time_t t; | ||
20 | int ret; | ||
21 | |||
22 | /* date -u -d"2019-11-12T15:11:00" "+%s" */ | ||
23 | t = 1573571460; | ||
24 | ret = stime(&t); | ||
25 | printf("ret %d\n", ret); | ||
26 | return 0; | ||
27 | } | ||
28 | |||
29 | # date; ./stime; date | ||
30 | Tue Nov 12 14:18:32 UTC 2019 | ||
31 | ret 0 | ||
32 | Tue Nov 12 15:11:00 UTC 2019 | ||
33 | |||
34 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0f1f2d4596aee037d3ccbcf10592466daa54107f] | ||
35 | Buglink: https://bugs.launchpad.net/qemu/+bug/1852115 | ||
36 | Reported-by: Cole Robinson <crobinso@redhat.com> | ||
37 | Signed-off-by: Laurent Vivier <laurent@vivier.eu> | ||
38 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
39 | Message-Id: <20191112142556.6335-1-laurent@vivier.eu> | ||
40 | --- | ||
41 | linux-user/syscall.c | 8 +++++--- | ||
42 | 1 file changed, 5 insertions(+), 3 deletions(-) | ||
43 | |||
44 | --- a/linux-user/syscall.c | ||
45 | +++ b/linux-user/syscall.c | ||
46 | @@ -7651,10 +7651,12 @@ static abi_long do_syscall1(void *cpu_en | ||
47 | #ifdef TARGET_NR_stime /* not on alpha */ | ||
48 | case TARGET_NR_stime: | ||
49 | { | ||
50 | - time_t host_time; | ||
51 | - if (get_user_sal(host_time, arg1)) | ||
52 | + struct timespec ts; | ||
53 | + ts.tv_nsec = 0; | ||
54 | + if (get_user_sal(ts.tv_sec, arg1)) { | ||
55 | return -TARGET_EFAULT; | ||
56 | - return get_errno(stime(&host_time)); | ||
57 | + } | ||
58 | + return get_errno(clock_settime(CLOCK_REALTIME, &ts)); | ||
59 | } | ||
60 | #endif | ||
61 | #ifdef TARGET_NR_alarm /* not on alpha */ | ||
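Review bot: The replacement `clock_settime(CLOCK_REALTIME, &ts)` at the end of the `TARGET_NR_stime` case hands the guest-supplied seconds value straight to the host wall clock, so the only thing between an emulated binary and a host time change is the host's permission check on that call (the commit message's `date; ./stime; date` run shows the host clock moving), and nothing in the hunk says so. A one-line comment above the call would stop a future maintainer from reading this as a guest-local operation or from "restoring" the withdrawn `stime()`, e.g. `/* stime() was withdrawn from glibc; this sets the *host* clock, subject to the host's CAP_SYS_TIME check */`. Zeroing `ts.tv_nsec` before the `get_user_sal` read looks right, since the old `time_t host_time` had no nanosecond field and an uninitialised one would presumably be rejected by clock_settime. The enclosing `do_syscall1` starts and ends outside the hunk.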
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch new file mode 100644 index 0000000000..183d100398 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch | |||
@@ -0,0 +1,1018 @@ | |||
1 | From 6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Li Qiang <liq3ea@163.com> | ||
3 | Date: Sat, 31 Aug 2019 08:39:22 -0700 | ||
4 | Subject: [PATCH] vnc: fix memory leak when vnc disconnect | ||
5 | |||
6 | Currently when qemu receives a vnc connect, it creates a 'VncState' to | ||
7 | represent this connection. In 'vnc_worker_thread_loop' it creates a | ||
8 | local 'VncState'. The connection 'VcnState' and local 'VncState' exchange | ||
9 | data in 'vnc_async_encoding_start' and 'vnc_async_encoding_end'. | ||
10 | In 'zrle_compress_data' it calls 'deflateInit2' to allocate the libz library | ||
11 | opaque data. The 'VncState' used in 'zrle_compress_data' is the local | ||
12 | 'VncState'. In 'vnc_zrle_clear' it calls 'deflateEnd' to free the libz | ||
13 | library opaque data. The 'VncState' used in 'vnc_zrle_clear' is the connection | ||
14 | 'VncState'. In currently implementation there will be a memory leak when the | ||
15 | vnc disconnect. Following is the asan output backtrack: | ||
16 | |||
17 | Direct leak of 29760 byte(s) in 5 object(s) allocated from: | ||
18 | 0 0xffffa67ef3c3 in __interceptor_calloc (/lib64/libasan.so.4+0xd33c3) | ||
19 | 1 0xffffa65071cb in g_malloc0 (/lib64/libglib-2.0.so.0+0x571cb) | ||
20 | 2 0xffffa5e968f7 in deflateInit2_ (/lib64/libz.so.1+0x78f7) | ||
21 | 3 0xaaaacec58613 in zrle_compress_data ui/vnc-enc-zrle.c:87 | ||
22 | 4 0xaaaacec58613 in zrle_send_framebuffer_update ui/vnc-enc-zrle.c:344 | ||
23 | 5 0xaaaacec34e77 in vnc_send_framebuffer_update ui/vnc.c:919 | ||
24 | 6 0xaaaacec5e023 in vnc_worker_thread_loop ui/vnc-jobs.c:271 | ||
25 | 7 0xaaaacec5e5e7 in vnc_worker_thread ui/vnc-jobs.c:340 | ||
26 | 8 0xaaaacee4d3c3 in qemu_thread_start util/qemu-thread-posix.c:502 | ||
27 | 9 0xffffa544e8bb in start_thread (/lib64/libpthread.so.0+0x78bb) | ||
28 | 10 0xffffa53965cb in thread_start (/lib64/libc.so.6+0xd55cb) | ||
29 | |||
30 | This is because the opaque allocated in 'deflateInit2' is not freed in | ||
31 | 'deflateEnd'. The reason is that the 'deflateEnd' calls 'deflateStateCheck' | ||
32 | and in the latter will check whether 's->strm != strm'(libz's data structure). | ||
33 | This check will be true so in 'deflateEnd' it just return 'Z_STREAM_ERROR' and | ||
34 | not free the data allocated in 'deflateInit2'. | ||
35 | |||
36 | The reason this happens is that the 'VncState' contains the whole 'VncZrle', | ||
37 | so when calling 'deflateInit2', the 's->strm' will be the local address. | ||
38 | So 's->strm != strm' will be true. | ||
39 | |||
40 | To fix this issue, we need to make 'zrle' of 'VncState' to be a pointer. | ||
41 | Then the connection 'VncState' and local 'VncState' exchange mechanism will | ||
42 | work as expection. The 'tight' of 'VncState' has the same issue, let's also turn | ||
43 | it to a pointer. | ||
44 | |||
45 | Reported-by: Ying Fang <fangying1@huawei.com> | ||
46 | Signed-off-by: Li Qiang <liq3ea@163.com> | ||
47 | Message-id: 20190831153922.121308-1-liq3ea@163.com | ||
48 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
49 | |||
50 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0] | ||
51 | CVE: CVE-2019-20382 | ||
52 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
53 | |||
54 | --- | ||
55 | ui/vnc-enc-tight.c | 219 +++++++++++++++++++++++++------------------------- | ||
56 | ui/vnc-enc-zlib.c | 11 +-- | ||
57 | ui/vnc-enc-zrle.c | 68 ++++++++-------- | ||
58 | ui/vnc-enc-zrle.inc.c | 2 +- | ||
59 | ui/vnc.c | 28 ++++--- | ||
60 | ui/vnc.h | 4 +- | ||
61 | 6 files changed, 170 insertions(+), 162 deletions(-) | ||
62 | |||
63 | diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c | ||
64 | index 9084c22..1e08518 100644 | ||
65 | --- a/ui/vnc-enc-tight.c | ||
66 | +++ b/ui/vnc-enc-tight.c | ||
67 | @@ -116,7 +116,7 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, | ||
68 | |||
69 | static bool tight_can_send_png_rect(VncState *vs, int w, int h) | ||
70 | { | ||
71 | - if (vs->tight.type != VNC_ENCODING_TIGHT_PNG) { | ||
72 | + if (vs->tight->type != VNC_ENCODING_TIGHT_PNG) { | ||
73 | return false; | ||
74 | } | ||
75 | |||
76 | @@ -144,7 +144,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h) | ||
77 | int pixels = 0; | ||
78 | int pix, left[3]; | ||
79 | unsigned int errors; | ||
80 | - unsigned char *buf = vs->tight.tight.buffer; | ||
81 | + unsigned char *buf = vs->tight->tight.buffer; | ||
82 | |||
83 | /* | ||
84 | * If client is big-endian, color samples begin from the second | ||
85 | @@ -215,7 +215,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h) | ||
86 | int pixels = 0; \ | ||
87 | int sample, sum, left[3]; \ | ||
88 | unsigned int errors; \ | ||
89 | - unsigned char *buf = vs->tight.tight.buffer; \ | ||
90 | + unsigned char *buf = vs->tight->tight.buffer; \ | ||
91 | \ | ||
92 | endian = 0; /* FIXME */ \ | ||
93 | \ | ||
94 | @@ -296,8 +296,8 @@ static int | ||
95 | tight_detect_smooth_image(VncState *vs, int w, int h) | ||
96 | { | ||
97 | unsigned int errors; | ||
98 | - int compression = vs->tight.compression; | ||
99 | - int quality = vs->tight.quality; | ||
100 | + int compression = vs->tight->compression; | ||
101 | + int quality = vs->tight->quality; | ||
102 | |||
103 | if (!vs->vd->lossy) { | ||
104 | return 0; | ||
105 | @@ -309,7 +309,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h) | ||
106 | return 0; | ||
107 | } | ||
108 | |||
109 | - if (vs->tight.quality != (uint8_t)-1) { | ||
110 | + if (vs->tight->quality != (uint8_t)-1) { | ||
111 | if (w * h < VNC_TIGHT_JPEG_MIN_RECT_SIZE) { | ||
112 | return 0; | ||
113 | } | ||
114 | @@ -320,9 +320,9 @@ tight_detect_smooth_image(VncState *vs, int w, int h) | ||
115 | } | ||
116 | |||
117 | if (vs->client_pf.bytes_per_pixel == 4) { | ||
118 | - if (vs->tight.pixel24) { | ||
119 | + if (vs->tight->pixel24) { | ||
120 | errors = tight_detect_smooth_image24(vs, w, h); | ||
121 | - if (vs->tight.quality != (uint8_t)-1) { | ||
122 | + if (vs->tight->quality != (uint8_t)-1) { | ||
123 | return (errors < tight_conf[quality].jpeg_threshold24); | ||
124 | } | ||
125 | return (errors < tight_conf[compression].gradient_threshold24); | ||
126 | @@ -352,7 +352,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h) | ||
127 | uint##bpp##_t c0, c1, ci; \ | ||
128 | int i, n0, n1; \ | ||
129 | \ | ||
130 | - data = (uint##bpp##_t *)vs->tight.tight.buffer; \ | ||
131 | + data = (uint##bpp##_t *)vs->tight->tight.buffer; \ | ||
132 | \ | ||
133 | c0 = data[0]; \ | ||
134 | i = 1; \ | ||
135 | @@ -423,9 +423,9 @@ static int tight_fill_palette(VncState *vs, int x, int y, | ||
136 | { | ||
137 | int max; | ||
138 | |||
139 | - max = count / tight_conf[vs->tight.compression].idx_max_colors_divisor; | ||
140 | + max = count / tight_conf[vs->tight->compression].idx_max_colors_divisor; | ||
141 | if (max < 2 && | ||
142 | - count >= tight_conf[vs->tight.compression].mono_min_rect_size) { | ||
143 | + count >= tight_conf[vs->tight->compression].mono_min_rect_size) { | ||
144 | max = 2; | ||
145 | } | ||
146 | if (max >= 256) { | ||
147 | @@ -558,7 +558,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) | ||
148 | int x, y, c; | ||
149 | |||
150 | buf32 = (uint32_t *)buf; | ||
151 | - memset(vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); | ||
152 | + memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); | ||
153 | |||
154 | if (1 /* FIXME */) { | ||
155 | shift[0] = vs->client_pf.rshift; | ||
156 | @@ -575,7 +575,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) | ||
157 | upper[c] = 0; | ||
158 | here[c] = 0; | ||
159 | } | ||
160 | - prev = (int *)vs->tight.gradient.buffer; | ||
161 | + prev = (int *)vs->tight->gradient.buffer; | ||
162 | for (x = 0; x < w; x++) { | ||
163 | pix32 = *buf32++; | ||
164 | for (c = 0; c < 3; c++) { | ||
165 | @@ -615,7 +615,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) | ||
166 | int prediction; \ | ||
167 | int x, y, c; \ | ||
168 | \ | ||
169 | - memset (vs->tight.gradient.buffer, 0, w * 3 * sizeof(int)); \ | ||
170 | + memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int)); \ | ||
171 | \ | ||
172 | endian = 0; /* FIXME */ \ | ||
173 | \ | ||
174 | @@ -631,7 +631,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h) | ||
175 | upper[c] = 0; \ | ||
176 | here[c] = 0; \ | ||
177 | } \ | ||
178 | - prev = (int *)vs->tight.gradient.buffer; \ | ||
179 | + prev = (int *)vs->tight->gradient.buffer; \ | ||
180 | for (x = 0; x < w; x++) { \ | ||
181 | pix = *buf; \ | ||
182 | if (endian) { \ | ||
183 | @@ -785,7 +785,7 @@ static void extend_solid_area(VncState *vs, int x, int y, int w, int h, | ||
184 | static int tight_init_stream(VncState *vs, int stream_id, | ||
185 | int level, int strategy) | ||
186 | { | ||
187 | - z_streamp zstream = &vs->tight.stream[stream_id]; | ||
188 | + z_streamp zstream = &vs->tight->stream[stream_id]; | ||
189 | |||
190 | if (zstream->opaque == NULL) { | ||
191 | int err; | ||
192 | @@ -803,15 +803,15 @@ static int tight_init_stream(VncState *vs, int stream_id, | ||
193 | return -1; | ||
194 | } | ||
195 | |||
196 | - vs->tight.levels[stream_id] = level; | ||
197 | + vs->tight->levels[stream_id] = level; | ||
198 | zstream->opaque = vs; | ||
199 | } | ||
200 | |||
201 | - if (vs->tight.levels[stream_id] != level) { | ||
202 | + if (vs->tight->levels[stream_id] != level) { | ||
203 | if (deflateParams(zstream, level, strategy) != Z_OK) { | ||
204 | return -1; | ||
205 | } | ||
206 | - vs->tight.levels[stream_id] = level; | ||
207 | + vs->tight->levels[stream_id] = level; | ||
208 | } | ||
209 | return 0; | ||
210 | } | ||
211 | @@ -839,11 +839,11 @@ static void tight_send_compact_size(VncState *vs, size_t len) | ||
212 | static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, | ||
213 | int level, int strategy) | ||
214 | { | ||
215 | - z_streamp zstream = &vs->tight.stream[stream_id]; | ||
216 | + z_streamp zstream = &vs->tight->stream[stream_id]; | ||
217 | int previous_out; | ||
218 | |||
219 | if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) { | ||
220 | - vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset); | ||
221 | + vnc_write(vs, vs->tight->tight.buffer, vs->tight->tight.offset); | ||
222 | return bytes; | ||
223 | } | ||
224 | |||
225 | @@ -852,13 +852,13 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, | ||
226 | } | ||
227 | |||
228 | /* reserve memory in output buffer */ | ||
229 | - buffer_reserve(&vs->tight.zlib, bytes + 64); | ||
230 | + buffer_reserve(&vs->tight->zlib, bytes + 64); | ||
231 | |||
232 | /* set pointers */ | ||
233 | - zstream->next_in = vs->tight.tight.buffer; | ||
234 | - zstream->avail_in = vs->tight.tight.offset; | ||
235 | - zstream->next_out = vs->tight.zlib.buffer + vs->tight.zlib.offset; | ||
236 | - zstream->avail_out = vs->tight.zlib.capacity - vs->tight.zlib.offset; | ||
237 | + zstream->next_in = vs->tight->tight.buffer; | ||
238 | + zstream->avail_in = vs->tight->tight.offset; | ||
239 | + zstream->next_out = vs->tight->zlib.buffer + vs->tight->zlib.offset; | ||
240 | + zstream->avail_out = vs->tight->zlib.capacity - vs->tight->zlib.offset; | ||
241 | previous_out = zstream->avail_out; | ||
242 | zstream->data_type = Z_BINARY; | ||
243 | |||
244 | @@ -868,14 +868,14 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes, | ||
245 | return -1; | ||
246 | } | ||
247 | |||
248 | - vs->tight.zlib.offset = vs->tight.zlib.capacity - zstream->avail_out; | ||
249 | + vs->tight->zlib.offset = vs->tight->zlib.capacity - zstream->avail_out; | ||
250 | /* ...how much data has actually been produced by deflate() */ | ||
251 | bytes = previous_out - zstream->avail_out; | ||
252 | |||
253 | tight_send_compact_size(vs, bytes); | ||
254 | - vnc_write(vs, vs->tight.zlib.buffer, bytes); | ||
255 | + vnc_write(vs, vs->tight->zlib.buffer, bytes); | ||
256 | |||
257 | - buffer_reset(&vs->tight.zlib); | ||
258 | + buffer_reset(&vs->tight->zlib); | ||
259 | |||
260 | return bytes; | ||
261 | } | ||
262 | @@ -927,16 +927,17 @@ static int send_full_color_rect(VncState *vs, int x, int y, int w, int h) | ||
263 | |||
264 | vnc_write_u8(vs, stream << 4); /* no flushing, no filter */ | ||
265 | |||
266 | - if (vs->tight.pixel24) { | ||
267 | - tight_pack24(vs, vs->tight.tight.buffer, w * h, &vs->tight.tight.offset); | ||
268 | + if (vs->tight->pixel24) { | ||
269 | + tight_pack24(vs, vs->tight->tight.buffer, w * h, | ||
270 | + &vs->tight->tight.offset); | ||
271 | bytes = 3; | ||
272 | } else { | ||
273 | bytes = vs->client_pf.bytes_per_pixel; | ||
274 | } | ||
275 | |||
276 | bytes = tight_compress_data(vs, stream, w * h * bytes, | ||
277 | - tight_conf[vs->tight.compression].raw_zlib_level, | ||
278 | - Z_DEFAULT_STRATEGY); | ||
279 | + tight_conf[vs->tight->compression].raw_zlib_level, | ||
280 | + Z_DEFAULT_STRATEGY); | ||
281 | |||
282 | return (bytes >= 0); | ||
283 | } | ||
284 | @@ -947,14 +948,14 @@ static int send_solid_rect(VncState *vs) | ||
285 | |||
286 | vnc_write_u8(vs, VNC_TIGHT_FILL << 4); /* no flushing, no filter */ | ||
287 | |||
288 | - if (vs->tight.pixel24) { | ||
289 | - tight_pack24(vs, vs->tight.tight.buffer, 1, &vs->tight.tight.offset); | ||
290 | + if (vs->tight->pixel24) { | ||
291 | + tight_pack24(vs, vs->tight->tight.buffer, 1, &vs->tight->tight.offset); | ||
292 | bytes = 3; | ||
293 | } else { | ||
294 | bytes = vs->client_pf.bytes_per_pixel; | ||
295 | } | ||
296 | |||
297 | - vnc_write(vs, vs->tight.tight.buffer, bytes); | ||
298 | + vnc_write(vs, vs->tight->tight.buffer, bytes); | ||
299 | return 1; | ||
300 | } | ||
301 | |||
302 | @@ -963,7 +964,7 @@ static int send_mono_rect(VncState *vs, int x, int y, | ||
303 | { | ||
304 | ssize_t bytes; | ||
305 | int stream = 1; | ||
306 | - int level = tight_conf[vs->tight.compression].mono_zlib_level; | ||
307 | + int level = tight_conf[vs->tight->compression].mono_zlib_level; | ||
308 | |||
309 | #ifdef CONFIG_VNC_PNG | ||
310 | if (tight_can_send_png_rect(vs, w, h)) { | ||
311 | @@ -991,26 +992,26 @@ static int send_mono_rect(VncState *vs, int x, int y, | ||
312 | uint32_t buf[2] = {bg, fg}; | ||
313 | size_t ret = sizeof (buf); | ||
314 | |||
315 | - if (vs->tight.pixel24) { | ||
316 | + if (vs->tight->pixel24) { | ||
317 | tight_pack24(vs, (unsigned char*)buf, 2, &ret); | ||
318 | } | ||
319 | vnc_write(vs, buf, ret); | ||
320 | |||
321 | - tight_encode_mono_rect32(vs->tight.tight.buffer, w, h, bg, fg); | ||
322 | + tight_encode_mono_rect32(vs->tight->tight.buffer, w, h, bg, fg); | ||
323 | break; | ||
324 | } | ||
325 | case 2: | ||
326 | vnc_write(vs, &bg, 2); | ||
327 | vnc_write(vs, &fg, 2); | ||
328 | - tight_encode_mono_rect16(vs->tight.tight.buffer, w, h, bg, fg); | ||
329 | + tight_encode_mono_rect16(vs->tight->tight.buffer, w, h, bg, fg); | ||
330 | break; | ||
331 | default: | ||
332 | vnc_write_u8(vs, bg); | ||
333 | vnc_write_u8(vs, fg); | ||
334 | - tight_encode_mono_rect8(vs->tight.tight.buffer, w, h, bg, fg); | ||
335 | + tight_encode_mono_rect8(vs->tight->tight.buffer, w, h, bg, fg); | ||
336 | break; | ||
337 | } | ||
338 | - vs->tight.tight.offset = bytes; | ||
339 | + vs->tight->tight.offset = bytes; | ||
340 | |||
341 | bytes = tight_compress_data(vs, stream, bytes, level, Z_DEFAULT_STRATEGY); | ||
342 | return (bytes >= 0); | ||
343 | @@ -1040,7 +1041,7 @@ static void write_palette(int idx, uint32_t color, void *opaque) | ||
344 | static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h) | ||
345 | { | ||
346 | int stream = 3; | ||
347 | - int level = tight_conf[vs->tight.compression].gradient_zlib_level; | ||
348 | + int level = tight_conf[vs->tight->compression].gradient_zlib_level; | ||
349 | ssize_t bytes; | ||
350 | |||
351 | if (vs->client_pf.bytes_per_pixel == 1) { | ||
352 | @@ -1050,23 +1051,23 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h) | ||
353 | vnc_write_u8(vs, (stream | VNC_TIGHT_EXPLICIT_FILTER) << 4); | ||
354 | vnc_write_u8(vs, VNC_TIGHT_FILTER_GRADIENT); | ||
355 | |||
356 | - buffer_reserve(&vs->tight.gradient, w * 3 * sizeof (int)); | ||
357 | + buffer_reserve(&vs->tight->gradient, w * 3 * sizeof(int)); | ||
358 | |||
359 | - if (vs->tight.pixel24) { | ||
360 | - tight_filter_gradient24(vs, vs->tight.tight.buffer, w, h); | ||
361 | + if (vs->tight->pixel24) { | ||
362 | + tight_filter_gradient24(vs, vs->tight->tight.buffer, w, h); | ||
363 | bytes = 3; | ||
364 | } else if (vs->client_pf.bytes_per_pixel == 4) { | ||
365 | - tight_filter_gradient32(vs, (uint32_t *)vs->tight.tight.buffer, w, h); | ||
366 | + tight_filter_gradient32(vs, (uint32_t *)vs->tight->tight.buffer, w, h); | ||
367 | bytes = 4; | ||
368 | } else { | ||
369 | - tight_filter_gradient16(vs, (uint16_t *)vs->tight.tight.buffer, w, h); | ||
370 | + tight_filter_gradient16(vs, (uint16_t *)vs->tight->tight.buffer, w, h); | ||
371 | bytes = 2; | ||
372 | } | ||
373 | |||
374 | - buffer_reset(&vs->tight.gradient); | ||
375 | + buffer_reset(&vs->tight->gradient); | ||
376 | |||
377 | bytes = w * h * bytes; | ||
378 | - vs->tight.tight.offset = bytes; | ||
379 | + vs->tight->tight.offset = bytes; | ||
380 | |||
381 | bytes = tight_compress_data(vs, stream, bytes, | ||
382 | level, Z_FILTERED); | ||
383 | @@ -1077,7 +1078,7 @@ static int send_palette_rect(VncState *vs, int x, int y, | ||
384 | int w, int h, VncPalette *palette) | ||
385 | { | ||
386 | int stream = 2; | ||
387 | - int level = tight_conf[vs->tight.compression].idx_zlib_level; | ||
388 | + int level = tight_conf[vs->tight->compression].idx_zlib_level; | ||
389 | int colors; | ||
390 | ssize_t bytes; | ||
391 | |||
392 | @@ -1104,12 +1105,12 @@ static int send_palette_rect(VncState *vs, int x, int y, | ||
393 | palette_iter(palette, write_palette, &priv); | ||
394 | vnc_write(vs, header, sizeof(header)); | ||
395 | |||
396 | - if (vs->tight.pixel24) { | ||
397 | + if (vs->tight->pixel24) { | ||
398 | tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset); | ||
399 | vs->output.offset = old_offset + offset; | ||
400 | } | ||
401 | |||
402 | - tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette); | ||
403 | + tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, palette); | ||
404 | break; | ||
405 | } | ||
406 | case 2: | ||
407 | @@ -1119,7 +1120,7 @@ static int send_palette_rect(VncState *vs, int x, int y, | ||
408 | |||
409 | palette_iter(palette, write_palette, &priv); | ||
410 | vnc_write(vs, header, sizeof(header)); | ||
411 | - tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette); | ||
412 | + tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette); | ||
413 | break; | ||
414 | } | ||
415 | default: | ||
416 | @@ -1127,7 +1128,7 @@ static int send_palette_rect(VncState *vs, int x, int y, | ||
417 | break; | ||
418 | } | ||
419 | bytes = w * h; | ||
420 | - vs->tight.tight.offset = bytes; | ||
421 | + vs->tight->tight.offset = bytes; | ||
422 | |||
423 | bytes = tight_compress_data(vs, stream, bytes, | ||
424 | level, Z_DEFAULT_STRATEGY); | ||
425 | @@ -1146,7 +1147,7 @@ static int send_palette_rect(VncState *vs, int x, int y, | ||
426 | static void jpeg_init_destination(j_compress_ptr cinfo) | ||
427 | { | ||
428 | VncState *vs = cinfo->client_data; | ||
429 | - Buffer *buffer = &vs->tight.jpeg; | ||
430 | + Buffer *buffer = &vs->tight->jpeg; | ||
431 | |||
432 | cinfo->dest->next_output_byte = (JOCTET *)buffer->buffer + buffer->offset; | ||
433 | cinfo->dest->free_in_buffer = (size_t)(buffer->capacity - buffer->offset); | ||
434 | @@ -1156,7 +1157,7 @@ static void jpeg_init_destination(j_compress_ptr cinfo) | ||
435 | static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo) | ||
436 | { | ||
437 | VncState *vs = cinfo->client_data; | ||
438 | - Buffer *buffer = &vs->tight.jpeg; | ||
439 | + Buffer *buffer = &vs->tight->jpeg; | ||
440 | |||
441 | buffer->offset = buffer->capacity; | ||
442 | buffer_reserve(buffer, 2048); | ||
443 | @@ -1168,7 +1169,7 @@ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo) | ||
444 | static void jpeg_term_destination(j_compress_ptr cinfo) | ||
445 | { | ||
446 | VncState *vs = cinfo->client_data; | ||
447 | - Buffer *buffer = &vs->tight.jpeg; | ||
448 | + Buffer *buffer = &vs->tight->jpeg; | ||
449 | |||
450 | buffer->offset = buffer->capacity - cinfo->dest->free_in_buffer; | ||
451 | } | ||
452 | @@ -1187,7 +1188,7 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality) | ||
453 | return send_full_color_rect(vs, x, y, w, h); | ||
454 | } | ||
455 | |||
456 | - buffer_reserve(&vs->tight.jpeg, 2048); | ||
457 | + buffer_reserve(&vs->tight->jpeg, 2048); | ||
458 | |||
459 | cinfo.err = jpeg_std_error(&jerr); | ||
460 | jpeg_create_compress(&cinfo); | ||
461 | @@ -1222,9 +1223,9 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality) | ||
462 | |||
463 | vnc_write_u8(vs, VNC_TIGHT_JPEG << 4); | ||
464 | |||
465 | - tight_send_compact_size(vs, vs->tight.jpeg.offset); | ||
466 | - vnc_write(vs, vs->tight.jpeg.buffer, vs->tight.jpeg.offset); | ||
467 | - buffer_reset(&vs->tight.jpeg); | ||
468 | + tight_send_compact_size(vs, vs->tight->jpeg.offset); | ||
469 | + vnc_write(vs, vs->tight->jpeg.buffer, vs->tight->jpeg.offset); | ||
470 | + buffer_reset(&vs->tight->jpeg); | ||
471 | |||
472 | return 1; | ||
473 | } | ||
474 | @@ -1240,7 +1241,7 @@ static void write_png_palette(int idx, uint32_t pix, void *opaque) | ||
475 | VncState *vs = priv->vs; | ||
476 | png_colorp color = &priv->png_palette[idx]; | ||
477 | |||
478 | - if (vs->tight.pixel24) | ||
479 | + if (vs->tight->pixel24) | ||
480 | { | ||
481 | color->red = (pix >> vs->client_pf.rshift) & vs->client_pf.rmax; | ||
482 | color->green = (pix >> vs->client_pf.gshift) & vs->client_pf.gmax; | ||
483 | @@ -1267,10 +1268,10 @@ static void png_write_data(png_structp png_ptr, png_bytep data, | ||
484 | { | ||
485 | VncState *vs = png_get_io_ptr(png_ptr); | ||
486 | |||
487 | - buffer_reserve(&vs->tight.png, vs->tight.png.offset + length); | ||
488 | - memcpy(vs->tight.png.buffer + vs->tight.png.offset, data, length); | ||
489 | + buffer_reserve(&vs->tight->png, vs->tight->png.offset + length); | ||
490 | + memcpy(vs->tight->png.buffer + vs->tight->png.offset, data, length); | ||
491 | |||
492 | - vs->tight.png.offset += length; | ||
493 | + vs->tight->png.offset += length; | ||
494 | } | ||
495 | |||
496 | static void png_flush_data(png_structp png_ptr) | ||
497 | @@ -1295,8 +1296,8 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, | ||
498 | png_infop info_ptr; | ||
499 | png_colorp png_palette = NULL; | ||
500 | pixman_image_t *linebuf; | ||
501 | - int level = tight_png_conf[vs->tight.compression].png_zlib_level; | ||
502 | - int filters = tight_png_conf[vs->tight.compression].png_filters; | ||
503 | + int level = tight_png_conf[vs->tight->compression].png_zlib_level; | ||
504 | + int filters = tight_png_conf[vs->tight->compression].png_filters; | ||
505 | uint8_t *buf; | ||
506 | int dy; | ||
507 | |||
508 | @@ -1340,21 +1341,23 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, | ||
509 | png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette)); | ||
510 | |||
511 | if (vs->client_pf.bytes_per_pixel == 4) { | ||
512 | - tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette); | ||
513 | + tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, | ||
514 | + palette); | ||
515 | } else { | ||
516 | - tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette); | ||
517 | + tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, | ||
518 | + palette); | ||
519 | } | ||
520 | } | ||
521 | |||
522 | png_write_info(png_ptr, info_ptr); | ||
523 | |||
524 | - buffer_reserve(&vs->tight.png, 2048); | ||
525 | + buffer_reserve(&vs->tight->png, 2048); | ||
526 | linebuf = qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, w); | ||
527 | buf = (uint8_t *)pixman_image_get_data(linebuf); | ||
528 | for (dy = 0; dy < h; dy++) | ||
529 | { | ||
530 | if (color_type == PNG_COLOR_TYPE_PALETTE) { | ||
531 | - memcpy(buf, vs->tight.tight.buffer + (dy * w), w); | ||
532 | + memcpy(buf, vs->tight->tight.buffer + (dy * w), w); | ||
533 | } else { | ||
534 | qemu_pixman_linebuf_fill(linebuf, vs->vd->server, w, x, y + dy); | ||
535 | } | ||
536 | @@ -1372,27 +1375,27 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h, | ||
537 | |||
538 | vnc_write_u8(vs, VNC_TIGHT_PNG << 4); | ||
539 | |||
540 | - tight_send_compact_size(vs, vs->tight.png.offset); | ||
541 | - vnc_write(vs, vs->tight.png.buffer, vs->tight.png.offset); | ||
542 | - buffer_reset(&vs->tight.png); | ||
543 | + tight_send_compact_size(vs, vs->tight->png.offset); | ||
544 | + vnc_write(vs, vs->tight->png.buffer, vs->tight->png.offset); | ||
545 | + buffer_reset(&vs->tight->png); | ||
546 | return 1; | ||
547 | } | ||
548 | #endif /* CONFIG_VNC_PNG */ | ||
549 | |||
550 | static void vnc_tight_start(VncState *vs) | ||
551 | { | ||
552 | - buffer_reset(&vs->tight.tight); | ||
553 | + buffer_reset(&vs->tight->tight); | ||
554 | |||
555 | // make the output buffer be the zlib buffer, so we can compress it later | ||
556 | - vs->tight.tmp = vs->output; | ||
557 | - vs->output = vs->tight.tight; | ||
558 | + vs->tight->tmp = vs->output; | ||
559 | + vs->output = vs->tight->tight; | ||
560 | } | ||
561 | |||
562 | static void vnc_tight_stop(VncState *vs) | ||
563 | { | ||
564 | // switch back to normal output/zlib buffers | ||
565 | - vs->tight.tight = vs->output; | ||
566 | - vs->output = vs->tight.tmp; | ||
567 | + vs->tight->tight = vs->output; | ||
568 | + vs->output = vs->tight->tmp; | ||
569 | } | ||
570 | |||
571 | static int send_sub_rect_nojpeg(VncState *vs, int x, int y, int w, int h, | ||
572 | @@ -1426,9 +1429,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h, | ||
573 | int ret; | ||
574 | |||
575 | if (colors == 0) { | ||
576 | - if (force || (tight_jpeg_conf[vs->tight.quality].jpeg_full && | ||
577 | + if (force || (tight_jpeg_conf[vs->tight->quality].jpeg_full && | ||
578 | tight_detect_smooth_image(vs, w, h))) { | ||
579 | - int quality = tight_conf[vs->tight.quality].jpeg_quality; | ||
580 | + int quality = tight_conf[vs->tight->quality].jpeg_quality; | ||
581 | |||
582 | ret = send_jpeg_rect(vs, x, y, w, h, quality); | ||
583 | } else { | ||
584 | @@ -1440,9 +1443,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h, | ||
585 | ret = send_mono_rect(vs, x, y, w, h, bg, fg); | ||
586 | } else if (colors <= 256) { | ||
587 | if (force || (colors > 96 && | ||
588 | - tight_jpeg_conf[vs->tight.quality].jpeg_idx && | ||
589 | + tight_jpeg_conf[vs->tight->quality].jpeg_idx && | ||
590 | tight_detect_smooth_image(vs, w, h))) { | ||
591 | - int quality = tight_conf[vs->tight.quality].jpeg_quality; | ||
592 | + int quality = tight_conf[vs->tight->quality].jpeg_quality; | ||
593 | |||
594 | ret = send_jpeg_rect(vs, x, y, w, h, quality); | ||
595 | } else { | ||
596 | @@ -1480,20 +1483,20 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) | ||
597 | qemu_thread_atexit_add(&vnc_tight_cleanup_notifier); | ||
598 | } | ||
599 | |||
600 | - vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type); | ||
601 | + vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type); | ||
602 | |||
603 | vnc_tight_start(vs); | ||
604 | vnc_raw_send_framebuffer_update(vs, x, y, w, h); | ||
605 | vnc_tight_stop(vs); | ||
606 | |||
607 | #ifdef CONFIG_VNC_JPEG | ||
608 | - if (!vs->vd->non_adaptive && vs->tight.quality != (uint8_t)-1) { | ||
609 | + if (!vs->vd->non_adaptive && vs->tight->quality != (uint8_t)-1) { | ||
610 | double freq = vnc_update_freq(vs, x, y, w, h); | ||
611 | |||
612 | - if (freq < tight_jpeg_conf[vs->tight.quality].jpeg_freq_min) { | ||
613 | + if (freq < tight_jpeg_conf[vs->tight->quality].jpeg_freq_min) { | ||
614 | allow_jpeg = false; | ||
615 | } | ||
616 | - if (freq >= tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) { | ||
617 | + if (freq >= tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) { | ||
618 | force_jpeg = true; | ||
619 | vnc_sent_lossy_rect(vs, x, y, w, h); | ||
620 | } | ||
621 | @@ -1503,7 +1506,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) | ||
622 | colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette); | ||
623 | |||
624 | #ifdef CONFIG_VNC_JPEG | ||
625 | - if (allow_jpeg && vs->tight.quality != (uint8_t)-1) { | ||
626 | + if (allow_jpeg && vs->tight->quality != (uint8_t)-1) { | ||
627 | ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, | ||
628 | color_count_palette, force_jpeg); | ||
629 | } else { | ||
630 | @@ -1520,7 +1523,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h) | ||
631 | |||
632 | static int send_sub_rect_solid(VncState *vs, int x, int y, int w, int h) | ||
633 | { | ||
634 | - vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type); | ||
635 | + vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type); | ||
636 | |||
637 | vnc_tight_start(vs); | ||
638 | vnc_raw_send_framebuffer_update(vs, x, y, w, h); | ||
639 | @@ -1538,8 +1541,8 @@ static int send_rect_simple(VncState *vs, int x, int y, int w, int h, | ||
640 | int rw, rh; | ||
641 | int n = 0; | ||
642 | |||
643 | - max_size = tight_conf[vs->tight.compression].max_rect_size; | ||
644 | - max_width = tight_conf[vs->tight.compression].max_rect_width; | ||
645 | + max_size = tight_conf[vs->tight->compression].max_rect_size; | ||
646 | + max_width = tight_conf[vs->tight->compression].max_rect_width; | ||
647 | |||
648 | if (split && (w > max_width || w * h > max_size)) { | ||
649 | max_sub_width = (w > max_width) ? max_width : w; | ||
650 | @@ -1648,16 +1651,16 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, | ||
651 | |||
652 | if (vs->client_pf.bytes_per_pixel == 4 && vs->client_pf.rmax == 0xFF && | ||
653 | vs->client_pf.bmax == 0xFF && vs->client_pf.gmax == 0xFF) { | ||
654 | - vs->tight.pixel24 = true; | ||
655 | + vs->tight->pixel24 = true; | ||
656 | } else { | ||
657 | - vs->tight.pixel24 = false; | ||
658 | + vs->tight->pixel24 = false; | ||
659 | } | ||
660 | |||
661 | #ifdef CONFIG_VNC_JPEG | ||
662 | - if (vs->tight.quality != (uint8_t)-1) { | ||
663 | + if (vs->tight->quality != (uint8_t)-1) { | ||
664 | double freq = vnc_update_freq(vs, x, y, w, h); | ||
665 | |||
666 | - if (freq > tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) { | ||
667 | + if (freq > tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) { | ||
668 | return send_rect_simple(vs, x, y, w, h, false); | ||
669 | } | ||
670 | } | ||
671 | @@ -1669,8 +1672,8 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, | ||
672 | |||
673 | /* Calculate maximum number of rows in one non-solid rectangle. */ | ||
674 | |||
675 | - max_rows = tight_conf[vs->tight.compression].max_rect_size; | ||
676 | - max_rows /= MIN(tight_conf[vs->tight.compression].max_rect_width, w); | ||
677 | + max_rows = tight_conf[vs->tight->compression].max_rect_size; | ||
678 | + max_rows /= MIN(tight_conf[vs->tight->compression].max_rect_width, w); | ||
679 | |||
680 | return find_large_solid_color_rect(vs, x, y, w, h, max_rows); | ||
681 | } | ||
682 | @@ -1678,33 +1681,33 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, | ||
683 | int vnc_tight_send_framebuffer_update(VncState *vs, int x, int y, | ||
684 | int w, int h) | ||
685 | { | ||
686 | - vs->tight.type = VNC_ENCODING_TIGHT; | ||
687 | + vs->tight->type = VNC_ENCODING_TIGHT; | ||
688 | return tight_send_framebuffer_update(vs, x, y, w, h); | ||
689 | } | ||
690 | |||
691 | int vnc_tight_png_send_framebuffer_update(VncState *vs, int x, int y, | ||
692 | int w, int h) | ||
693 | { | ||
694 | - vs->tight.type = VNC_ENCODING_TIGHT_PNG; | ||
695 | + vs->tight->type = VNC_ENCODING_TIGHT_PNG; | ||
696 | return tight_send_framebuffer_update(vs, x, y, w, h); | ||
697 | } | ||
698 | |||
699 | void vnc_tight_clear(VncState *vs) | ||
700 | { | ||
701 | int i; | ||
702 | - for (i=0; i<ARRAY_SIZE(vs->tight.stream); i++) { | ||
703 | - if (vs->tight.stream[i].opaque) { | ||
704 | - deflateEnd(&vs->tight.stream[i]); | ||
705 | + for (i = 0; i < ARRAY_SIZE(vs->tight->stream); i++) { | ||
706 | + if (vs->tight->stream[i].opaque) { | ||
707 | + deflateEnd(&vs->tight->stream[i]); | ||
708 | } | ||
709 | } | ||
710 | |||
711 | - buffer_free(&vs->tight.tight); | ||
712 | - buffer_free(&vs->tight.zlib); | ||
713 | - buffer_free(&vs->tight.gradient); | ||
714 | + buffer_free(&vs->tight->tight); | ||
715 | + buffer_free(&vs->tight->zlib); | ||
716 | + buffer_free(&vs->tight->gradient); | ||
717 | #ifdef CONFIG_VNC_JPEG | ||
718 | - buffer_free(&vs->tight.jpeg); | ||
719 | + buffer_free(&vs->tight->jpeg); | ||
720 | #endif | ||
721 | #ifdef CONFIG_VNC_PNG | ||
722 | - buffer_free(&vs->tight.png); | ||
723 | + buffer_free(&vs->tight->png); | ||
724 | #endif | ||
725 | } | ||
726 | diff --git a/ui/vnc-enc-zlib.c b/ui/vnc-enc-zlib.c | ||
727 | index 33e9df2..900ae5b 100644 | ||
728 | --- a/ui/vnc-enc-zlib.c | ||
729 | +++ b/ui/vnc-enc-zlib.c | ||
730 | @@ -76,7 +76,8 @@ static int vnc_zlib_stop(VncState *vs) | ||
731 | zstream->zalloc = vnc_zlib_zalloc; | ||
732 | zstream->zfree = vnc_zlib_zfree; | ||
733 | |||
734 | - err = deflateInit2(zstream, vs->tight.compression, Z_DEFLATED, MAX_WBITS, | ||
735 | + err = deflateInit2(zstream, vs->tight->compression, Z_DEFLATED, | ||
736 | + MAX_WBITS, | ||
737 | MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY); | ||
738 | |||
739 | if (err != Z_OK) { | ||
740 | @@ -84,16 +85,16 @@ static int vnc_zlib_stop(VncState *vs) | ||
741 | return -1; | ||
742 | } | ||
743 | |||
744 | - vs->zlib.level = vs->tight.compression; | ||
745 | + vs->zlib.level = vs->tight->compression; | ||
746 | zstream->opaque = vs; | ||
747 | } | ||
748 | |||
749 | - if (vs->tight.compression != vs->zlib.level) { | ||
750 | - if (deflateParams(zstream, vs->tight.compression, | ||
751 | + if (vs->tight->compression != vs->zlib.level) { | ||
752 | + if (deflateParams(zstream, vs->tight->compression, | ||
753 | Z_DEFAULT_STRATEGY) != Z_OK) { | ||
754 | return -1; | ||
755 | } | ||
756 | - vs->zlib.level = vs->tight.compression; | ||
757 | + vs->zlib.level = vs->tight->compression; | ||
758 | } | ||
759 | |||
760 | // reserve memory in output buffer | ||
761 | diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c | ||
762 | index 7493a84..17fd28a 100644 | ||
763 | --- a/ui/vnc-enc-zrle.c | ||
764 | +++ b/ui/vnc-enc-zrle.c | ||
765 | @@ -37,18 +37,18 @@ static const int bits_per_packed_pixel[] = { | ||
766 | |||
767 | static void vnc_zrle_start(VncState *vs) | ||
768 | { | ||
769 | - buffer_reset(&vs->zrle.zrle); | ||
770 | + buffer_reset(&vs->zrle->zrle); | ||
771 | |||
772 | /* make the output buffer be the zlib buffer, so we can compress it later */ | ||
773 | - vs->zrle.tmp = vs->output; | ||
774 | - vs->output = vs->zrle.zrle; | ||
775 | + vs->zrle->tmp = vs->output; | ||
776 | + vs->output = vs->zrle->zrle; | ||
777 | } | ||
778 | |||
779 | static void vnc_zrle_stop(VncState *vs) | ||
780 | { | ||
781 | /* switch back to normal output/zlib buffers */ | ||
782 | - vs->zrle.zrle = vs->output; | ||
783 | - vs->output = vs->zrle.tmp; | ||
784 | + vs->zrle->zrle = vs->output; | ||
785 | + vs->output = vs->zrle->tmp; | ||
786 | } | ||
787 | |||
788 | static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h, | ||
789 | @@ -56,24 +56,24 @@ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h, | ||
790 | { | ||
791 | Buffer tmp; | ||
792 | |||
793 | - buffer_reset(&vs->zrle.fb); | ||
794 | - buffer_reserve(&vs->zrle.fb, w * h * bpp + bpp); | ||
795 | + buffer_reset(&vs->zrle->fb); | ||
796 | + buffer_reserve(&vs->zrle->fb, w * h * bpp + bpp); | ||
797 | |||
798 | tmp = vs->output; | ||
799 | - vs->output = vs->zrle.fb; | ||
800 | + vs->output = vs->zrle->fb; | ||
801 | |||
802 | vnc_raw_send_framebuffer_update(vs, x, y, w, h); | ||
803 | |||
804 | - vs->zrle.fb = vs->output; | ||
805 | + vs->zrle->fb = vs->output; | ||
806 | vs->output = tmp; | ||
807 | - return vs->zrle.fb.buffer; | ||
808 | + return vs->zrle->fb.buffer; | ||
809 | } | ||
810 | |||
811 | static int zrle_compress_data(VncState *vs, int level) | ||
812 | { | ||
813 | - z_streamp zstream = &vs->zrle.stream; | ||
814 | + z_streamp zstream = &vs->zrle->stream; | ||
815 | |||
816 | - buffer_reset(&vs->zrle.zlib); | ||
817 | + buffer_reset(&vs->zrle->zlib); | ||
818 | |||
819 | if (zstream->opaque != vs) { | ||
820 | int err; | ||
821 | @@ -93,13 +93,13 @@ static int zrle_compress_data(VncState *vs, int level) | ||
822 | } | ||
823 | |||
824 | /* reserve memory in output buffer */ | ||
825 | - buffer_reserve(&vs->zrle.zlib, vs->zrle.zrle.offset + 64); | ||
826 | + buffer_reserve(&vs->zrle->zlib, vs->zrle->zrle.offset + 64); | ||
827 | |||
828 | /* set pointers */ | ||
829 | - zstream->next_in = vs->zrle.zrle.buffer; | ||
830 | - zstream->avail_in = vs->zrle.zrle.offset; | ||
831 | - zstream->next_out = vs->zrle.zlib.buffer + vs->zrle.zlib.offset; | ||
832 | - zstream->avail_out = vs->zrle.zlib.capacity - vs->zrle.zlib.offset; | ||
833 | + zstream->next_in = vs->zrle->zrle.buffer; | ||
834 | + zstream->avail_in = vs->zrle->zrle.offset; | ||
835 | + zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset; | ||
836 | + zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset; | ||
837 | zstream->data_type = Z_BINARY; | ||
838 | |||
839 | /* start encoding */ | ||
840 | @@ -108,8 +108,8 @@ static int zrle_compress_data(VncState *vs, int level) | ||
841 | return -1; | ||
842 | } | ||
843 | |||
844 | - vs->zrle.zlib.offset = vs->zrle.zlib.capacity - zstream->avail_out; | ||
845 | - return vs->zrle.zlib.offset; | ||
846 | + vs->zrle->zlib.offset = vs->zrle->zlib.capacity - zstream->avail_out; | ||
847 | + return vs->zrle->zlib.offset; | ||
848 | } | ||
849 | |||
850 | /* Try to work out whether to use RLE and/or a palette. We do this by | ||
851 | @@ -259,14 +259,14 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y, | ||
852 | size_t bytes; | ||
853 | int zywrle_level; | ||
854 | |||
855 | - if (vs->zrle.type == VNC_ENCODING_ZYWRLE) { | ||
856 | - if (!vs->vd->lossy || vs->tight.quality == (uint8_t)-1 | ||
857 | - || vs->tight.quality == 9) { | ||
858 | + if (vs->zrle->type == VNC_ENCODING_ZYWRLE) { | ||
859 | + if (!vs->vd->lossy || vs->tight->quality == (uint8_t)-1 | ||
860 | + || vs->tight->quality == 9) { | ||
861 | zywrle_level = 0; | ||
862 | - vs->zrle.type = VNC_ENCODING_ZRLE; | ||
863 | - } else if (vs->tight.quality < 3) { | ||
864 | + vs->zrle->type = VNC_ENCODING_ZRLE; | ||
865 | + } else if (vs->tight->quality < 3) { | ||
866 | zywrle_level = 3; | ||
867 | - } else if (vs->tight.quality < 6) { | ||
868 | + } else if (vs->tight->quality < 6) { | ||
869 | zywrle_level = 2; | ||
870 | } else { | ||
871 | zywrle_level = 1; | ||
872 | @@ -337,30 +337,30 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y, | ||
873 | |||
874 | vnc_zrle_stop(vs); | ||
875 | bytes = zrle_compress_data(vs, Z_DEFAULT_COMPRESSION); | ||
876 | - vnc_framebuffer_update(vs, x, y, w, h, vs->zrle.type); | ||
877 | + vnc_framebuffer_update(vs, x, y, w, h, vs->zrle->type); | ||
878 | vnc_write_u32(vs, bytes); | ||
879 | - vnc_write(vs, vs->zrle.zlib.buffer, vs->zrle.zlib.offset); | ||
880 | + vnc_write(vs, vs->zrle->zlib.buffer, vs->zrle->zlib.offset); | ||
881 | return 1; | ||
882 | } | ||
883 | |||
884 | int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) | ||
885 | { | ||
886 | - vs->zrle.type = VNC_ENCODING_ZRLE; | ||
887 | + vs->zrle->type = VNC_ENCODING_ZRLE; | ||
888 | return zrle_send_framebuffer_update(vs, x, y, w, h); | ||
889 | } | ||
890 | |||
891 | int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) | ||
892 | { | ||
893 | - vs->zrle.type = VNC_ENCODING_ZYWRLE; | ||
894 | + vs->zrle->type = VNC_ENCODING_ZYWRLE; | ||
895 | return zrle_send_framebuffer_update(vs, x, y, w, h); | ||
896 | } | ||
897 | |||
898 | void vnc_zrle_clear(VncState *vs) | ||
899 | { | ||
900 | - if (vs->zrle.stream.opaque) { | ||
901 | - deflateEnd(&vs->zrle.stream); | ||
902 | + if (vs->zrle->stream.opaque) { | ||
903 | + deflateEnd(&vs->zrle->stream); | ||
904 | } | ||
905 | - buffer_free(&vs->zrle.zrle); | ||
906 | - buffer_free(&vs->zrle.fb); | ||
907 | - buffer_free(&vs->zrle.zlib); | ||
908 | + buffer_free(&vs->zrle->zrle); | ||
909 | + buffer_free(&vs->zrle->fb); | ||
910 | + buffer_free(&vs->zrle->zlib); | ||
911 | } | ||
912 | diff --git a/ui/vnc-enc-zrle.inc.c b/ui/vnc-enc-zrle.inc.c | ||
913 | index abf6b86..c107d8a 100644 | ||
914 | --- a/ui/vnc-enc-zrle.inc.c | ||
915 | +++ b/ui/vnc-enc-zrle.inc.c | ||
916 | @@ -96,7 +96,7 @@ static void ZRLE_ENCODE(VncState *vs, int x, int y, int w, int h, | ||
917 | static void ZRLE_ENCODE_TILE(VncState *vs, ZRLE_PIXEL *data, int w, int h, | ||
918 | int zywrle_level) | ||
919 | { | ||
920 | - VncPalette *palette = &vs->zrle.palette; | ||
921 | + VncPalette *palette = &vs->zrle->palette; | ||
922 | |||
923 | int runs = 0; | ||
924 | int single_pixels = 0; | ||
925 | diff --git a/ui/vnc.c b/ui/vnc.c | ||
926 | index bc43c4c..87b8045 100644 | ||
927 | --- a/ui/vnc.c | ||
928 | +++ b/ui/vnc.c | ||
929 | @@ -1307,6 +1307,8 @@ void vnc_disconnect_finish(VncState *vs) | ||
930 | object_unref(OBJECT(vs->sioc)); | ||
931 | vs->sioc = NULL; | ||
932 | vs->magic = 0; | ||
933 | + g_free(vs->zrle); | ||
934 | + g_free(vs->tight); | ||
935 | g_free(vs); | ||
936 | } | ||
937 | |||
938 | @@ -2058,8 +2060,8 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) | ||
939 | |||
940 | vs->features = 0; | ||
941 | vs->vnc_encoding = 0; | ||
942 | - vs->tight.compression = 9; | ||
943 | - vs->tight.quality = -1; /* Lossless by default */ | ||
944 | + vs->tight->compression = 9; | ||
945 | + vs->tight->quality = -1; /* Lossless by default */ | ||
946 | vs->absolute = -1; | ||
947 | |||
948 | /* | ||
949 | @@ -2127,11 +2129,11 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) | ||
950 | vs->features |= VNC_FEATURE_LED_STATE_MASK; | ||
951 | break; | ||
952 | case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9: | ||
953 | - vs->tight.compression = (enc & 0x0F); | ||
954 | + vs->tight->compression = (enc & 0x0F); | ||
955 | break; | ||
956 | case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9: | ||
957 | if (vs->vd->lossy) { | ||
958 | - vs->tight.quality = (enc & 0x0F); | ||
959 | + vs->tight->quality = (enc & 0x0F); | ||
960 | } | ||
961 | break; | ||
962 | default: | ||
963 | @@ -3034,6 +3036,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc, | ||
964 | int i; | ||
965 | |||
966 | trace_vnc_client_connect(vs, sioc); | ||
967 | + vs->zrle = g_new0(VncZrle, 1); | ||
968 | + vs->tight = g_new0(VncTight, 1); | ||
969 | vs->magic = VNC_MAGIC; | ||
970 | vs->sioc = sioc; | ||
971 | object_ref(OBJECT(vs->sioc)); | ||
972 | @@ -3045,19 +3049,19 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc, | ||
973 | buffer_init(&vs->output, "vnc-output/%p", sioc); | ||
974 | buffer_init(&vs->jobs_buffer, "vnc-jobs_buffer/%p", sioc); | ||
975 | |||
976 | - buffer_init(&vs->tight.tight, "vnc-tight/%p", sioc); | ||
977 | - buffer_init(&vs->tight.zlib, "vnc-tight-zlib/%p", sioc); | ||
978 | - buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc); | ||
979 | + buffer_init(&vs->tight->tight, "vnc-tight/%p", sioc); | ||
980 | + buffer_init(&vs->tight->zlib, "vnc-tight-zlib/%p", sioc); | ||
981 | + buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc); | ||
982 | #ifdef CONFIG_VNC_JPEG | ||
983 | - buffer_init(&vs->tight.jpeg, "vnc-tight-jpeg/%p", sioc); | ||
984 | + buffer_init(&vs->tight->jpeg, "vnc-tight-jpeg/%p", sioc); | ||
985 | #endif | ||
986 | #ifdef CONFIG_VNC_PNG | ||
987 | - buffer_init(&vs->tight.png, "vnc-tight-png/%p", sioc); | ||
988 | + buffer_init(&vs->tight->png, "vnc-tight-png/%p", sioc); | ||
989 | #endif | ||
990 | buffer_init(&vs->zlib.zlib, "vnc-zlib/%p", sioc); | ||
991 | - buffer_init(&vs->zrle.zrle, "vnc-zrle/%p", sioc); | ||
992 | - buffer_init(&vs->zrle.fb, "vnc-zrle-fb/%p", sioc); | ||
993 | - buffer_init(&vs->zrle.zlib, "vnc-zrle-zlib/%p", sioc); | ||
994 | + buffer_init(&vs->zrle->zrle, "vnc-zrle/%p", sioc); | ||
995 | + buffer_init(&vs->zrle->fb, "vnc-zrle-fb/%p", sioc); | ||
996 | + buffer_init(&vs->zrle->zlib, "vnc-zrle-zlib/%p", sioc); | ||
997 | |||
998 | if (skipauth) { | ||
999 | vs->auth = VNC_AUTH_NONE; | ||
1000 | diff --git a/ui/vnc.h b/ui/vnc.h | ||
1001 | index 8643860..fea79c2 100644 | ||
1002 | --- a/ui/vnc.h | ||
1003 | +++ b/ui/vnc.h | ||
1004 | @@ -338,10 +338,10 @@ struct VncState | ||
1005 | /* Encoding specific, if you add something here, don't forget to | ||
1006 | * update vnc_async_encoding_start() | ||
1007 | */ | ||
1008 | - VncTight tight; | ||
1009 | + VncTight *tight; | ||
1010 | VncZlib zlib; | ||
1011 | VncHextile hextile; | ||
1012 | - VncZrle zrle; | ||
1013 | + VncZrle *zrle; | ||
1014 | VncZywrle zywrle; | ||
1015 | |||
1016 | Notifier mouse_mode_notifier; | ||
1017 | -- | ||
1018 | 1.8.3.1 | ||
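--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors <vincent.dehors@smile.fr>
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
+Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
+CVE: CVE-2020-10702
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+target/arm/pauth_helper.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+uint64_t o = 0;
+int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+}
+return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+uint64_t o = 0;
+int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+}
+return o;
+--
+1.8.3.1
+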
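Review bot: The corrected step `4` in the loops of pac_sub and pac_inv_sub is the S-box width in bits and is left as a bare constant next to `64` and `0xf`, which is exactly how the earlier `16` survived review; a one-line comment above each `for` would tie the three numbers together, e.g. `/* 4-bit S-box: substitute each of the 16 nibbles of the 64-bit word */`. With the old stride only four nibbles were substituted, so PACs produced by the previous emulation differ from the architected values; that is the intended outcome of the fix but worth noting for anyone comparing signatures across versions. Both functions start outside the hunks.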
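--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+slirp/src/ip6_input.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+goto bad;
+}
+
++ // Check if the message size is big enough to hold what's
++ // set in the payload length header. If not this is an invalid
++ // packet
++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++ goto bad;
++ }
++
+/* check ip_ttl for a correct ICMP reply */
+if (ip6->ip_hl == 0) {
+icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+2.17.1
+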
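Review bot: The new check reads `ip6->ip_pl` and so depends on an earlier test (outside the hunk; the `goto bad` at the top of the context is presumably its tail) having already guaranteed that at least `sizeof(struct ip6)` bytes are present in `m->m_len`; the comment should record that ordering, e.g. `/* header length was validated above; now require the whole payload announced in ip_pl */`. The comparison also mixes `m->m_len` with the `size_t` produced by `sizeof`, so if `m_len` is a signed type the test runs in unsigned arithmetic; writing `(size_t)m->m_len` explicitly would make that intent visible to the next reader. The `//` comment block departs from the `/* ... */` style used on the very next line of ip6_input. ip6_input starts and ends outside the hunk.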
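--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
@@ -0,0 +1,97 @@
+From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
+
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7]
+CVE: CVE-2020-11869
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 42e8231..23a8ae0 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+surface_bits_per_pixel(ds),
+(s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+int bpp = ati_bpp_from_datatype(s);
++ if (!bpp) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
++ return;
++ }
+int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
++ if (!dst_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
++ return;
++ }
+uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+s->regs.dst_offset : s->regs.default_offset);
+
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+case ROP3_SRCCOPY:
+{
+- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+int src_stride = DEFAULT_CNTL ?
+s->regs.src_pitch : s->regs.default_pitch;
++ if (!src_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
++ return;
++ }
+uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+s->regs.src_offset : s->regs.default_offset);
+
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+dst_y * surface_stride(ds),
+s->regs.dst_height * surface_stride(ds));
+}
+- s->regs.dst_x += s->regs.dst_width;
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ dst_x + s->regs.dst_width : dst_x);
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+break;
+}
+case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+dst_y * surface_stride(ds),
+s->regs.dst_height * surface_stride(ds));
+}
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+break;
+}
+default:
+--
+1.8.3.1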
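Review bot: Changing `dst_x`/`dst_y`/`src_x`/`src_y` to `unsigned` makes `s->regs.dst_x + 1 - s->regs.dst_width` wrap to a huge value whenever `dst_width` exceeds `dst_x + 1`, and nothing in the hunk says that the wrapped value is meant to be rejected by range checks further down (those checks are outside the hunk, so I can only infer they exist); a comment at the declaration would record the intent, e.g. `/* unsigned on purpose: a wrapped (negative) origin must fail the bounds checks below */`. The three new early returns log under `LOG_GUEST_ERROR` before any vram access, which is the right place for them. `dst_stride` and `src_stride` remain `int` assigned from guest-controlled pitch registers, so a pitch with the top bit set (if the register is 32 bits wide) becomes negative and passes `!dst_stride`; worth confirming the later checks cover that. ati_2d_blt starts and ends outside the hunks.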
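--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13765.patch
@@ -0,0 +1,48 @@
+From e423455c4f23a1a828901c78fe6d03b7dde79319 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Wed, 25 Sep 2019 14:16:43 +0200
+Subject: [PATCH] hw/core/loader: Fix possible crash in rom_copy()
+
+Both, "rom->addr" and "addr" are derived from the binary image
+that can be loaded with the "-kernel" paramer. The code in
+rom_copy() then calculates:
+
+d = dest + (rom->addr - addr);
+
+and uses "d" as destination in a memcpy() some lines later. Now with
+bad kernel images, it is possible that rom->addr is smaller than addr,
+thus "rom->addr - addr" gets negative and the memcpy() then tries to
+copy contents from the image to a bad memory location. This could
+maybe be used to inject code from a kernel image into the QEMU binary,
+so we better fix it with an additional sanity check here.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Guangming Liu
+Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
+Message-Id: <20190925130331.27825-1-thuth@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=e423455c4f23a1a828901c78fe6d03b7dde79319]
+CVE: CVE-2020-13765
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+hw/core/loader.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 0d60219..5099f27 100644
+--- a/hw/core/loader.c
++++ b/hw/core/loader.c
+@@ -1281,7 +1281,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
+if (rom->addr + rom->romsize < addr) {
+continue;
+}
+- if (rom->addr > end) {
++ if (rom->addr > end || rom->addr < addr) {
+break;
+}
+
+--
+1.8.3.1
+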
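Review bot: The added `rom->addr < addr` condition uses `break`, so a ROM that starts below `addr` but extends past it (the `rom->addr + rom->romsize < addr` test just above already treats it as overlapping) is now skipped entirely rather than copied partially, together with every ROM after it in the list; that is presumably acceptable because such an image is malformed, but the comment should say so, e.g. `/* a ROM starting below addr would give a negative offset into dest; refuse it (and stop) */`. The sum `rom->addr + rom->romsize` in the preceding context line can still wrap for a hostile `romsize`, which this change does not address. rom_copy starts and ends outside the hunk.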
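--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+hw/usb/core.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+static void do_token_setup(USBDevice *s, USBPacket *p)
+{
+int request, value, index;
++ unsigned int setup_len;
+
+if (p->iov.size != 8) {
+p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+usb_packet_copy(p, s->setup_buf, p->iov.size);
+s->setup_index = 0;
+p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+fprintf(stderr,
+"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+p->status = USB_RET_STALL;
+return;
+}
++ s->setup_len = setup_len;
+
+request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+static void do_parameter(USBDevice *s, USBPacket *p)
+{
+int i, request, value, index;
++ unsigned int setup_len;
+
+for (i = 0; i < 8; i++) {
+s->setup_buf[i] = p->parameter >> (i*8);
+}
+
+s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+s->setup_index = 0;
+
+request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+fprintf(stderr,
+"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+p->status = USB_RET_STALL;
+return;
+}
++ s->setup_len = setup_len;
+
+if (p->pid == USB_TOKEN_OUT) {
+usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.17.1
+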
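Review bot: `setup_len` is now `unsigned int` but both fprintf calls still print it with `%d`; the specifier should be `%u`, i.e. `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n",` in do_token_setup and again in do_parameter (both hunks, same fix). In do_parameter the store `s->setup_len = setup_len;` now happens only after the bound check, so on the STALL path the struct keeps whatever length the previous transfer left behind; that is the point of the fix, but a comment on that line such as `/* publish the length only once it is known to fit data_buf */` would make the contract explicit for do_token_{in,out} readers. The bodies of do_token_setup and do_parameter continue outside the hunks.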
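--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+hw/net/xgmac.c | 14 ++++++++++++--
+1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
++++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+}
+len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+
++ /*
++ * FIXME: these cases of malformed tx descriptors (bad sizes)
++ * should probably be reported back to the guest somehow
++ * rather than simply silently stopping processing, but we
++ * don't know what the hardware does in this situation.
++ * This will only happen for buggy guests anyway.
++ */
+if ((bd.buffer1_size & 0xfff) > 2048) {
+DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+"xgmac buffer 1 len on send > 2048 (0x%x)\n",
+__func__, bd.buffer1_size & 0xfff);
++ break;
+}
+if ((bd.buffer2_size & 0xfff) != 0) {
+DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+"xgmac buffer 2 len on send != 0 (0x%x)\n",
+__func__, bd.buffer2_size & 0xfff);
++ break;
+}
+- if (len >= sizeof(frame)) {
++ if (frame_size + len >= sizeof(frame)) {
+DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+- "buffer\n" , __func__, len, sizeof(frame));
++ "buffer\n" , __func__, frame_size + len, sizeof(frame));
+DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+__func__, bd.buffer1_size, bd.buffer2_size);
++ break;
+}
+
+cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+--
+1.9.1
+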
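Review bot: The new bound `frame_size + len >= sizeof(frame)` only protects the `cpu_physical_memory_read(bd.buffer1_addr, ptr, len)` on the last visible line if `ptr` is kept equal to `frame + frame_size`; both `ptr` and `frame_size` are maintained outside the hunk, so that invariant should be confirmed and is worth stating above the check, e.g. `/* ptr == frame + frame_size: reject a descriptor that would run past frame[] */`. The three added `break`s assume an enclosing loop whose head is also outside the hunk; when `DEBUGF_BRK` compiles to nothing in non-debug builds the bad descriptor is dropped silently, which the added FIXME acknowledges but a plain `qemu_log_mask(LOG_GUEST_ERROR, ...)` would make visible to operators. The `%d` conversion for `frame_size + len` is only correct if both operands are `int`, which cannot be verified from the hunk.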
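--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+hw/net/net_tx_pkt.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+hwaddr mapped_len = 0;
+struct iovec *ventry;
+assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+if (!len) {
+return true;
+--
+2.17.1
+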
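Review bot: The replacement check turns a guest-reachable `assert` into a `false` return, but nothing in the hunk documents that `false` now also means "raw fragment table is full", and the check sits before the `if (!len) return true;` shortcut, so a zero-length fragment at capacity is rejected too (consistent with the old assertion, but worth saying). Callers are outside the hunk; whoever consumes the result must treat `false` as a dropped packet rather than a mapping error. A one-line comment above the new `if` would capture the rationale: `/* fragment count is driven by guest descriptors: fail the packet, never assert */`. Leaving `assert(pkt)` in place is fine, since that is a caller invariant rather than guest-controlled state.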
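--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
@@ -0,0 +1,64 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc]
+CVE: CVE-2020-1711
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+block/iscsi.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3..cbd5729 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+struct scsi_get_lba_status *lbas = NULL;
+struct scsi_lba_status_descriptor *lbasd = NULL;
+struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+int ret;
+
+iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+}
+
+lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+qemu_mutex_lock(&iscsilun->mutex);
+retry:
+@@ -764,7 +765,7 @@ retry:
+goto out_unlock;
+}
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1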
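Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` is an unsigned subtraction, so if `lba` could ever be at or past `iscsilun->num_blocks` the value wraps and the `MIN` cap on `*pnum` becomes ineffective. The block layer presumably clamps `offset` to the device size before this driver callback runs, but that precondition is not visible in the hunk; a short comment on the new line, e.g. `/* offset is within the LUN (clamped by the block layer), so this cannot underflow */`, would record why the subtraction is safe. The `MIN` also compares an `int64_t` with a `uint64_t`, which the usual arithmetic conversions turn into an unsigned comparison; that is harmless while both operands are non-negative, as they are here, but casting `max_bytes` to `int64_t` would make the intent explicit. The enclosing function starts and ends outside the hunks.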
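--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+slirp/src/tcp_subr.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+break;
+
+case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
+/*
+* The difference between versions 1.0 and
+* 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+/* This is the field containing the port
+* number that RA-player is listening to.
+*/
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+if (lport < 6970)
+lport += 256; /* don't know why */
+--
+2.7.4
+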
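Review bot: Both new guards test `bptr == m->m_data + m->m_len - 1` with `==`, so they rely on the enclosing loop (outside the hunk) guaranteeing `bptr < m->m_data + m->m_len` on entry; that matches the description's "one available byte" check, but a `>=` comparison, `if (bptr >= m->m_data + m->m_len - 1)`, would keep the guard correct if the loop condition is ever relaxed, at no cost. The unbraced single-statement bodies follow the style already used in this switch (`if (lport < 6970)` at the end of the hunk), so they are consistent, though braces are the safer convention for early returns. The `/* We need two bytes */` comment could state the consequence, e.g. `/* need two bytes for the port; wait for more data */`, since `return 1` here means "stop emulating for now" rather than an error, as far as the hunk shows.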
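--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
+From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:10:34 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+slirp/src/tcp_subr.c | 9 ++++-----
+1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4bea2d4..e8ed4ef 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+n4 = (laddr & 0xff);
+
+m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
+n5, n6, x == 7 ? buff : "");
+return 1;
+@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+n4 = (laddr & 0xff);
+
+m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+
+@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
+(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len =
+- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+return 1;
+
+case EMU_IRC:
+--
+2.7.4
+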
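Review bot: Passing `M_FREEROOM(m)` stops `snprintf` from writing past the mbuf, but each `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` still adds the length `snprintf` wanted to write, not the length it wrote, so on truncation `m->m_len` ends up larger than the bytes actually present and any later consumer that trusts `m_len` reads past the valid data; the same pattern appears in all three DCC hunks of CVE-2020-7039-3.patch. A safer shape keeps the return value in a local, compares it with the room, and treats `n >= M_FREEROOM(m)` as a failed emulation (drop or return without adjusting `m_len`) instead of silently accounting for unwritten bytes. The third hunk's `snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1` is bounded in practice because a port prints in at most five digits, assuming `M_ROOM(m)` is never smaller than that. `tcp_emu` starts and ends outside the hunks.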
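--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
+From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:15:04 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+slirp/src/tcp_subr.c | 11 ++++++-----
+1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e8ed4ef..3a4a8ee 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+return 1;
+}
+m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC CHAT chat %lu %u%c\n",
+(unsigned long)ntohl(so->so_faddr.s_addr),
+ntohs(so->so_fport), 1);
+} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
+@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+return 1;
+}
+m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC SEND %s %lu %u %u%c\n", buff,
+(unsigned long)ntohl(so->so_faddr.s_addr),
+ntohs(so->so_fport), n1, 1);
+} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
+@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+return 1;
+}
+m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC MOVE %s %lu %u %u%c\n", buff,
+(unsigned long)ntohl(so->so_faddr.s_addr),
+ntohs(so->so_fport), n1, 1);
+}
+--
+2.7.4
+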
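--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
+From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 13 Jan 2020 17:44:31 +0530
+Subject: [PATCH] slirp: tftp: restrict relative path access
+
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
+CVE: CVE-2020-7211
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+slirp/src/tftp.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e0..e52e71b 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+k += 6; /* skipping octet */
+
+/* do sanity checks on the filename */
+- if (!strncmp(req_fname, "../", 3) ||
+- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
++ if (
++#ifdef G_OS_WIN32
++ strstr(req_fname, "..\\") ||
++ req_fname[strlen(req_fname) - 1] == '\\' ||
++#endif
++ strstr(req_fname, "../") ||
++ req_fname[strlen(req_fname) - 1] == '/') {
+tftp_send_error(spt, 2, "Access violation", tp);
+return;
+}
+--
+2.24.1
+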
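Review bot: `req_fname[strlen(req_fname) - 1]` is evaluated for the `/` test and, on Windows, again for the `\\` test; if `req_fname` can arrive here empty the index wraps and reads one byte before the array. The loop that copies the filename out of the request is outside the hunk, so whether an empty name is already rejected cannot be confirmed from here; computing the length once, `size_t fn_len = strlen(req_fname);`, and rejecting `fn_len == 0` ahead of the other tests would make the check self-contained and avoid the repeated `strlen`. Substring tests for `../` and `..\\` are also easy to get subtly wrong across platforms; if this code is revisited, a component-wise check that rejects any path element equal to `..` (and any separator the host accepts) is the more robust form. The `#ifdef` inside the condition is legal but hard to read; hoisting the platform-specific tests into a small `static bool tftp_fname_is_unsafe(const char *fname)` helper would keep the `if` flat.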