1. 25 6月, 2012 19 次提交
  2. 01 6月, 2012 1 次提交
  3. 31 5月, 2012 3 次提交
  4. 30 5月, 2012 10 次提交
    • A
      Merge remote-tracking branch 'mdroth/qga-pull-5-29-12-v2' into staging · d6111501
      Anthony Liguori 提交于
      * mdroth/qga-pull-5-29-12-v2:
        qemu-ga: avoid blocking on atime update when reading /etc/mtab
        qemu-ga: Fix use of environ on Darwin
      d6111501
    • J
      block: prevent snapshot mode $TMPDIR symlink attack · eba25057
      Jim Meyering 提交于
      In snapshot mode, bdrv_open creates an empty temporary file without
      checking for mkstemp or close failure, and ignoring the possibility
      of a buffer overrun given a surprisingly long $TMPDIR.
      Change the get_tmp_filename function to return int (not void),
      so that it can inform its two callers of those failures.
      Also avoid the risk of buffer overrun and do not ignore mkstemp
      or close failure.
      Update both callers (in block.c and vvfat.c) to propagate
      temp-file-creation failure to their callers.
      
      get_tmp_filename creates and closes an empty file, while its
      callers later open that presumed-existing file with O_CREAT.
      The problem was that a malicious user could provoke mkstemp failure
      and race to create a symlink with the selected temporary file name,
      thus causing the qemu process (usually root owned) to open through
      the symlink, overwriting an attacker-chosen file.
      
      This addresses CVE-2012-2652.
      http://bugzilla.redhat.com/CVE-2012-2652Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
      Signed-off-by: NJim Meyering <meyering@redhat.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      eba25057
    • G
      xhci: add usage info to docs · e78bd5ab
      Gerd Hoffmann 提交于
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      e78bd5ab
    • G
      vnc: fix segfault in vnc_display_pw_expire() · 1643f2b2
      Gerd Hoffmann 提交于
      NULL pointer dereference in case no vnc server is configured.
      Catch this and return -EINVAL like vnc_display_password() does.
      Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      1643f2b2
    • E
      Expose CPUID leaf 7 only for -cpu host · 13526728
      Eduardo Habkost 提交于
      Changes v2 -> v3;
        - Check for kvm_enabled() before setting cpuid_7_0_ebx_features
      
      Changes v1 -> v2:
        - Use kvm_arch_get_supported_cpuid() instead of host_cpuid() on
          cpu_x86_fill_host().
      
        We should use GET_SUPPORTED_CPUID for all bits on "-cpu host"
        eventually, but I am not changing all the other CPUID leaves because
        we may not be able to test such an intrusive change in time for 1.1.
      
      Description of the bug:
      
      Since QEMU 0.15, the CPUID information on CPUID[EAX=7,ECX=0] is being
      returned unfiltered to the guest, directly from the GET_SUPPORTED_CPUID
      return value.
      
      The problem is that this makes the resulting CPU feature flags
      unpredictable and dependent on the host CPU and kernel version. This
      breaks live-migration badly if migrating from a host CPU that supports
      some features on that CPUID leaf (running a recent kernel) to a kernel
      or host CPU that doesn't support it.
      
      Migration also is incorrect (the virtual CPU changes under the guest's
      feet) if you migrate in the opposite direction (from an old CPU/kernel
      to a new CPU/kernel), but with less serious consequences (guests
      normally query CPUID information only once on boot).
      
      Fortunately, the bug affects only users using cpudefs with level >= 7.
      
      The right behavior should be to explicitly enable those features on
      [cpudef] config sections or on the "-cpu" command-line arguments. Right
      now there is no predefined CPU model on QEMU that has those features:
      the latest Intel model we have is Sandy Bridge.
      
      I would like to get this fixed on 1.1, so I am submitting this patch,
      that enables those features only if "-cpu host" is being used (as we
      don't have any pre-defined CPU model that actually have those features).
      After 1.1 is released, we can make those features properly configurable
      on [cpudef] and -cpu configuration.
      
      One problem is: with this patch, users with the following setup:
      - Running QEMU 1.0;
      - Using a cpudef having level >= 7;
      - Running a kernel that supports the features on CPUID leaf 7; and
      - Running on a CPU that supports some features on CPUID leaf 7
      won't be able to live-migrate to QEMU 1.1. But for these users
      live-migration is already broken (they can't live-migrate to hosts with
      older CPUs or older kernels, already), I don't see how to avoid this
      problem.
      Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      13526728
    • M
      qemu-ga: avoid blocking on atime update when reading /etc/mtab · 9e2fa418
      Michael Roth 提交于
      Currently we re-read/re-process /etc/mtab to get an updated list of
      mounts when guest-fsfreeze-thaw is called. This can cause an atime
      update on /etc/mtab, which will block if we're in a frozen state.
      
      Instead, use /proc's version of mtab, which may not be up-to-date with
      options passed via -o remount, but is compatible for our use cases since
      we only care about the filesystem type.
      Reported-by: NMatsuda, Daiki <matsudadik@intellilink.co.jp>
      Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
      9e2fa418
    • A
      qemu-ga: Fix use of environ on Darwin · eecae147
      Andreas Färber 提交于
      Use _NSGetEnviron() helper to access the environment.
      Signed-off-by: NAndreas Färber <andreas.faerber@web.de>
      Cc: Charlie Somerville <charlie@charliesomerville.com>
      Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
      eecae147
    • Amos_沧海桑田's avatar
      pci: call object_unparent() before free_qdev() · a6de8ed8
      Amos_沧海桑田 提交于
      Start VM with 8 multiple-function block devs, hot-removing
      those block devs by 'device_del ...' would cause qemu abort.
      
      | (qemu) device_del virti0-0-0
      | (qemu) **
      |ERROR:qom/object.c:389:object_delete: assertion failed: (obj->ref == 0)
      
      It's a regression introduced by commit 57c9fafe
      
      The whole PCI slot should be removed once. Currently only one func
      is cleaned in pci_unplug_device(), if you try to remove a single
      func by monitor cmd.
      
      free_qdev() are called for all functions in slot,
      but unparent_delete() is only called for one
      function.
      
      Signed-off-by: XXXX
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      a6de8ed8
    • S
      fix multiboot loading if load_end_addr == 0 · 9c3a596a
      Scott Moser 提交于
      The previous multiboot load code did not treat the case where
      load_end_addr was 0 specially.  The multiboot specification says the
      following:
       * load_end_addr
         Contains the physical address of the end of the data segment.
         (load_end_addr - load_addr) specifies how much data to load. This
         implies that the text and data segments must be consecutive in the
         OS image; this is true for existing a.out executable formats. If
         this field is zero, the boot loader assumes that the text and data
         segments occupy the whole OS image file.
      Signed-off-by: NScott Moser <smoser@ubuntu.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      9c3a596a
    • A
      vga: fix vram double-mapping with -vga std and -M pc-0.12 · 8294a64d
      Avi Kivity 提交于
      With pc-0.12, we map the video RAM both through the PCI BAR (the guest does
      this) and through a fixed mapping at 0xe0000000.  The memory API doesn't allow
      this double map, and aborts.
      
      Fix by using an alias.
      Reported-by: NMichael Tokarev <mjt@tls.msk.ru>
      Signed-off-by: NAvi Kivity <avi@redhat.com>
      Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
      8294a64d
  5. 29 5月, 2012 7 次提交