CVE-2013-4544
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-5-git-send-email-dmitry@daynix.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

CVE-2013-4544
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-4-git-send-email-dmitry@daynix.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

CVE-2013-4544
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-3-git-send-email-dmitry@daynix.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

CVE-2013-4544
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Reported-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 1396604722-11902-2-git-send-email-dmitry@daynix.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Commit 9561fda8 changed the type of
'opaque' for link properties, but missed updating this call site.
Reproducer:

./x86_64-softmmu/qemu-system-x86_64 -qmp unix:./qmp.sock,server &
./scripts/qmp/qmp-shell ./qmp.sock
(QEMU) qom-list path=//machine/i440fx/pci.0/child[2]
Reported-by: NMarcin Gibuła <m.gibula@beyond.pl>
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Message-id: 2f8f007ce2152ac3b65f0811199662799c509225.1397155389.git.crobinso@redhat.com
Acked-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

When VM guest programs multicast addresses for
a virtio net card, it supplies a 32 bit
entries counter for the number of addresses.
These addresses are read into tail portion of
a fixed macs array which has size MAC_TABLE_ENTRIES,
at offset equal to in_use.

To avoid overflow of this array by guest, qemu attempts
to test the size as follows:
-    if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {

however, as mac_data.entries is uint32_t, this sum
can overflow, e.g. if in_use is 1 and mac_data.entries
is 0xffffffff then in_use + mac_data.entries will be 0.

Qemu will then read guest supplied buffer into this
memory, overflowing buffer on heap.

CVE-2014-0150

Cc: qemu-stable@nongnu.org
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1397218574-25058-1-git-send-email-mst@redhat.com
Reviewed-by: NMichael Tokarev <mjt@tls.msk.ru>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Block patches for 2.0.0-rc3

# gpg: Signature made Fri 11 Apr 2014 13:37:34 BST using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block-commit: speed is an optional parameter
  iscsi: Remember to set ret for iscsi_open in error case
  bochs: Fix catalog size check
  bochs: Fix memory leak in bochs_open() error path
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

sdl2 relative mouse mode fixes.

# gpg: Signature made Fri 11 Apr 2014 11:36:46 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-sdl-1:
  input: sdl2: Fix relative mode to match SDL1 behavior
  input: sdl2: Fix guest_cursor logic
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

As speed is an optional parameter for the QMP block-commit command, it
should be set to 0 if not given (as it is undefined if has_speed is
false), that is, the speed should not be limited.

Cc: qemu-stable@nongnu.org
Signed-off-by: NMax Reitz <mreitz@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The old check was off by a factor of 512 and didn't consider cases where
we don't get an exact division. This could lead to an out-of-bounds
array access in seek_to_sector().
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>

Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>

Right now relative mode accelerates too fast, and has the 'invisible wall'
problem. SDL2 added an explicit API to handle this use case, so let's use
it.
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Unbreaks relative mouse mode with sdl2, just like was done with sdl.c
in c3aa84b6.
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

acpi: DSDT update

Two fixes here:
- Test fix to avoid warning with make check.
- Hex file update so people building QEMU
  without installing iasl get exactly the same ACPI
  as with.

Both should help avoid user confusion.

As it's very easy to check that the produced ACPI
binary didn't change, I think these are very low risk.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Thu 10 Apr 2014 17:09:43 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  acpi: update generated hex files
  tests/acpi: update expected DSDT files
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

MacOSX clang silently swallows unrecognized -f options when doing a link
with '-framework' also on the command line, so to detect support for
the various -fstack-protector options we must do a plain .c to .o compile,
not a complete compile-and-link.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1397041487-28477-1-git-send-email-peter.maydell@linaro.org

commit f2ccc311
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update hex files to match

Otherwise the fix is only effective if QEMU is built
with iasl.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

commit f2ccc311
    dsdt: tweak ACPI ID for hotplug resource device
changes the DSDT, update test expected files to match
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reported-by: NIgor Mammedov <imammedo@redhat.com>

Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The raven_io_read() and raven_io_write() functions pass and
return values in little-endian format (since the IO op struct
is marked DEVICE_LITTLE_ENDIAN); however they were storing the
values in the buffer to pass to address_space_read/write()
in host-endian order, which meant that on big-endian hosts
the values were inadvertently reversed. Use the *_le_p()
accessors instead so that we are consistent regardless of
host endianness.

Strictly speaking the byte order of the buffer for
address_space_rw() is target byte order (which for PPC
will be BE) but it doesn't actually matter as long as we
are consistent about the marking on the IO op struct and
which stl_*_p().

This bug was probably introduced due to confusion caused by
the two different versions of ldl_p() and friends:
 bswap.h defines versions meaning "host endianness access"
 cpu-all.h defines versions meaning "target endianness access"
As a target-independent source file prep.c gets the bswap.h
versions; the very similar looking code in ioport.c is
compiled per-target and gets the cpu-all.h versions.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1396972271-22660-1-git-send-email-peter.maydell@linaro.org
Reviewed-by: NRichard Henderson <rth@twiddle.net>

acpi bug fix

Here is a single last minute fix for 2.0

This changes the HID of the container used to claim
resources for CPU hotplug.
As a result, windows XP SP3 no longer brings up
an annoying "found new hardware" wizard on boot.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Tue 08 Apr 2014 13:23:30 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>"

* remotes/mst/tags/for_upstream:
  dsdt: tweak ACPI ID for hotplug resource device
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

ACPI0004 seems too new:
Windows XP complains about an unrecognized device.
This is a regression since 1.7.
Use PNP0A06 instead - Generic Container Device.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-By: NIgor Mammedov <imammedo@redhat.com>

gtk: Implement grab-on-click behavior in relative mode

# gpg: Signature made Tue 08 Apr 2014 12:58:49 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-5:
  gtk: Implement grab-on-click behavior in relative mode
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This patch changes the behavior in the relative mode to be compatible
with other UIs, namely, grabbing the input at the first left click.
It improves the usability a lot; otherwise you have to press ctl-alt-G
or select from menu at each time you want to move the pointer.  Also,
the input grab is cleared when the current mode is switched to the
absolute mode.

The automatic reset of the implicit grabbing is needed since the
switching to the absolute mode happens always after the click even on
Gtk.  That is, we cannot check whether the absolute mode is already
available at the first click time even though it should have been
switched in X11 input driver side.
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Patch queue for ppc - 2014-04-08

This is the final queue for 2.0! It fixes a lot of bugs people have
seen during testing:

  - Fix e500 SMP
  - Fix book3s_64 DEC
  - Fix VSX (new feature in 2.0) for LE hosts
  - Fix PR KVM on top of pHyp (SLOF update)

# gpg: Signature made Tue 08 Apr 2014 10:24:18 BST using RSA key ID 03FEDC60
# gpg: Can't check signature: public key not found

* remotes/agraf/tags/signed-ppc-for-upstream:
  PPC: Add l1 cache sizes for 970 and above systems
  ppce500_spin: Initialize struct properly
  PPC: Only enter MSR_POW when no interrupts pending
  PPC: Clean up DECR implementation
  target-ppc: Correct VSX Integer to FP Conversion
  target-ppc: Correct VSX FP to Integer Conversion
  target-ppc: Correct VSX FP to FP Conversions
  target-ppc: Correct VSX Scalar Compares
  target-ppc: Correct Simple VSR LE Host Inversions
  target-ppc: Correct LE Host Inversion of Lower VSRs
  target-ppc: Define Endian-Correct Accessors for VSR Field Access
  target-ppc: Bug: VSX Convert to Integer Should Truncate
  softfloat: Introduce float32_to_uint64_round_to_zero
  pseries: Update SLOF firmware image to qemu-slof-20140404
  PPC: E500: Set PIR default reset value rather than SPR value
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

* remotes/mdroth/qga-pull-2014-4-7:
  vss-win32: Fix build with mingw64-headers-3.1.0
  Makefile: add qga-vss-dll-obj-y to nested variables
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Book3s_64 guests expect the L1 cache size in device tree, so let's give
them proper values for all CPU types we support.

This fixes a "not compliant" warning with sles11 guests on -M pseries for me.
Signed-off-by: NAlexander Graf <agraf@suse.de>

The spinning struct is in guest endianness, so we need to initialize
its variables in guest endianness too.

This fixes booting e500 guests with SMP on x86 for me.
Signed-off-by: NAlexander Graf <agraf@suse.de>

We were entering the power saving state even when interrupts (like an
external interrupt or a decrementer interrupt) were still in flight.

In case we find a pending interrupt, don't enter power saving state.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Reviewed-by: NTom Musta <tmusta@gmail.com>

There are 3 different variants of the decrementor for BookE and BookS.

The BookE variant sets TSR[DIS] to 1 when the DEC value becomes 1 or 0. TSR[DIS]
is then the indicator whether the decrementor interrupt line is asserted or not.

The old BookS variant treats DEC as an edge interrupt that gets triggered when
the DEC value's top bit turns 1 from 0.

The new BookS variant maintains the assertion bit inside DEC itself. Whenever
the DEC value becomes negative (top bit set) the DEC interrupt line is asserted.

So far we implemented mostly the old BookS variant. Let's do them all properly.

This fixes booting pseries ppc64 guest images in TCG mode for me.
Signed-off-by: NAlexander Graf <agraf@suse.de>

This patch corrects the VSX integer to floating point conversion instructions
by using the endian correct accessors.  The auxiliary "j" index used by the
existing macros is now obsolete and is removed.  The JOFFSET preprocessor
macro is also obsolete and removed.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This patch corrects the VSX floating point to integer conversion
instructions by using the endian correct accessors.  The auxiliary
"j" index used by the existing macros is now obsolete and is removed.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This change corrects the VSX double precision to single precision and
single precision to double precisions conversion routines.  The endian
correct accessors are now used.  The auxiliary "j" index is no longer
necessary and is eliminated.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This change fixes the VSX scalar compare instructions.  The existing usage of "x.f64[0]"
is changed to "x.VsrD(0)".
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

A common pattern in the VSX helper code macros is the use of "x.fld[i]" where
"x" is a VSR and "fld" is an argument to a macro ("f64" or "f32" is passed).
This is not always correct on LE hosts.

This change addresses all instances of this pattern to be "x.fld" where "fld" is:

  - "VsrD(0)" for scalar instructions accessing 64-bit numbers
  - "VsrD(i)" for vector instructions accessing 64-bit numbers
  - "VsrW(i)" for vector instructions accessing 32-bit numbers

Note that there are no instances of this pattern where a scalar instruction
accesses a 32-bit number.

Note also that it would be correct to use "VsrD(i)" for scalar instructions since
the loop index is only ever "0".  I have choosen to use "VsrD(0)" instead ... it
seems a little clearer.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This change properly orders the doublewords of the VSRs 0-31.  Because these
registers are constructed from separate doublewords, they must be inverted
on Little Endian hosts.  The inversion is performed both when the VSR is read
and when it is written.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This change defines accessors for VSR doubleword and word fields that
are correct from a host Endian perspective.  This allows code to
use the Power ISA indexing numbers in code.

For example, the xscvdpsxws instruction has a target VSR that looks
like this:

  0           32       64                    127
  +-----------+--------+-----------+-----------+
  | undefined | SW     | undefined | undefined |
  +-----------+--------+-----------+-----------+

VSX helper code will use VsrW(1) to access this field.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The various VSX Convert to Integer instructions should truncate the
floating point number to an integer value, which is equivalent to
a round-to-zero rounding mode.  The existing VSX floating point to
integer conversion helpers are erroneously using the rounding mode set
int the PowerPC Floating Point Status and Control Register (FPSCR).
This change corrects this defect by using the appropriate
float*_to_*_round_to_zero() routines fro the softfloat library.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This change adds the float32_to_uint64_round_to_zero function to the softfloat
library.  This function fills out the complement of float32 to INT round-to-zero
conversion rountines, where INT is {int32_t, uint32_t, int64_t, uint64_t}.

This contribution can be licensed under either the softfloat-2a or -2b
license.
Signed-off-by: NTom Musta <tommusta@gmail.com>
Tested-by: NTom Musta <tommusta@gmail.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The change log is:
  > Isolate sc 1 detection logic
  > build: auto-detect ppc64 architecture
  > cas: increase hcall buffer size to accomodate 256 cpus
  > usb: change device tree naming
  > usb-core: adjust port numbers in set_address
  > virtio-scsi: correct srplun comment
  > Fix kernel loading
  > Workaround to make grub2 assign server ip from dhcp ack packet only
  > ELF: Enter LE binary in LE mode
  > ELF loading should fail for virt != phys
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>