vnc: fix websocket security issues (cve-2015-1779).

# gpg: Signature made Wed Apr  1 16:14:34 2015 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-cve-2015-1779-20150401-2:
  CVE-2015-1779: limit size of HTTP headers from websockets clients
  CVE-2015-1779: incrementally decode websocket frames
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The VNC server websockets decoder will read and buffer data from
websockets clients until it sees the end of the HTTP headers,
as indicated by \r\n\r\n. In theory this allows a malicious to
trick QEMU into consuming an arbitrary amount of RAM. In practice,
because QEMU runs g_strstr_len() across the buffered header data,
it will spend increasingly long burning CPU time searching for
the substring match and less & less time reading data. So while
this does cause arbitrary memory growth, the bigger problem is
that QEMU will be burning 100% of available CPU time.

A novnc websockets client typically sends headers of around
512 bytes in length. As such it is reasonable to place a 4096
byte limit on the amount of data buffered while searching for
the end of HTTP headers.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.

The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]

  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
  -        *payload_size = input->offset;
  +        *payload_size = *payload_remain;

[ kraxel: fix 32bit build ]

  @@ -306,7 +306,7 @@ struct VncState
  -    uint64_t ws_payload_remain;
  +    size_t ws_payload_remain;
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Fix for object_del of in-use memory, pvpanic
regression, PPC regression and bogus error message with
Oxygen theme.

# gpg: Signature made Wed Apr  1 09:08:20 2015 BST using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  Revert "exec: Respect as_tranlsate_internal length clamp"
  rcu: do not create thread in pthread_atfork callback
  pc: acpi: fix pvpanic regression
  hostmem: Prevent removing an in-use memory backend
  qom: Add can_be_deleted callback to UserCreatableClass
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This reverts commit c3c1bb99.
It causes problems with boards that declare memory regions shorter
than the registers they contain.
Reported-by: NZoltan Balaton <balaton@eik.bme.hu>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If QEMU forks after the CPU threads have been created, qemu_mutex_lock_iothread
will not be able to do qemu_cpu_kick_thread.  There is no solution other than
assuming that forks after the CPU threads have been created will end up in an
exec.  Forks before the CPU threads have been created (such as -daemonize)
have to call rcu_after_fork manually.

Notably, the oxygen theme for GTK+ forks and shows a "No such process" error
without this patch.

This patch can be reverted once the iothread loses the "kick the TCG thread"
magic.

User-mode emulation does not use the iothread, so it can also call
rcu_after_fork.

Reported by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Commit cd61cb2e  pc: acpi-build: generate pvpanic device description dynamically

introduced regression changing pvpanic device HID from
QEMU0001 to QEMU0002.
Fix AML generated code so that pvpanic device
would keep its original HID. i.e. QEMU0001
Signed-off-by: NIgor Mammedov <imammedo@redhat.com>
Reported-by: NGal Hammer <ghammer@redhat.com>
Message-Id: <1427717907-25027-1-git-send-email-imammedo@redhat.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

showing a memory device whose memdev is removed leads an assert:

(qemu) object_add memory-backend-ram,id=ram0,size=128M
(qemu) device_add pc-dimm,id=d0,memdev=ram0
(qemu) object_del ram0
(qemu) info memory-devices
**
ERROR:qom/object.c:1274:object_get_canonical_path_component:\
                            assertion failed: (obj->parent != NULL)
Aborted

The patch prevents removing an in-use mem backend and error out.
Signed-off-by: NLin Ma <lma@suse.com>
Message-Id: <1427704589-7688-3-git-send-email-lma@suse.com>
Reviewed-by: NIgor Mammedov <imammedo@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If backends implement the can_be_deleted and it returns false,
Then the qmp_object_del won't delete the given backends.
Signed-off-by: NLin Ma <lma@suse.com>
Message-Id: <1427704589-7688-2-git-send-email-lma@suse.com>
Reviewed-by: NIgor Mammedov <imammedo@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

QOM infrastructure fixes and device conversions

* Fix for adding alias properties with [*]

# gpg: Signature made Tue Mar 31 11:59:00 2015 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter:
  qom: Fix object_property_add_alias() with [*]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Commit 80742642 (qom: Add description field in ObjectProperty struct)
introduced property descriptions and copied them for alias properties.

Instead of using the caller-supplied property name, use the returned
property name for setting the description. This avoids an Error when
setting a property description for a property with literal "[*]" that
doesn't exist due to automatic property naming in object_property_add().
Reviewed-by: NGonglei <arei.gonglei@huawei.com>
Acked-by: NPaolo Bonzini <pbonzini@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org (v2.2+)
Signed-off-by: NAndreas Färber <afaerber@suse.de>

QTest cleanups

* Change fw_cfg-test and i440fx-test GTester paths
* Extend libqtest API as necessary

# gpg: Signature made Mon Mar 30 18:29:39 2015 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qtest-for-2.3:
  i440fx-test: Fix test paths to include architecture
  qtest: Add qtest_add() wrapper macro
  qtest: Add qtest_add_data_func() wrapper function
  fw_cfg-test: Fix test path to include architecture
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

TriCore bugfixes

# gpg: Signature made Mon Mar 30 12:40:50 2015 BST using RSA key ID 6B69CA14
# gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>"

* remotes/bkoppelmann/tags/pull-tricore-20150330:
  target-tricore: fix CACHEA/I_POSTINC/PREINC using data register..
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

s390x fixes:
- virtqueue index issues in virtio-ccw
- cleanup and sign extension fix for the ipl device

# gpg: Signature made Mon Mar 30 08:52:54 2015 BST using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20150330:
  s390x/ipl: avoid sign extension
  s390x: do not include ram_addr.h
  virtio-ccw: range check in READ_VQ_CONF
  virtio-ccw: fix range check for SET_VQ
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Replace g_test_add_func() with new qtest_add_func() and g_test_add()
macro with qtest_add() macro. This effectively changes GTester paths:

  /i440fx/foo -> /x86_64/i440fx/foo etc.

Cc: qemu-stable@nongnu.org
Reviewed-by: NJohn Snow <jsnow@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

It extends g_test_add() macro with the architecture path.
Reviewed-by: NJohn Snow <jsnow@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

It calls g_test_add_data_func() with a path supplemented by the
architecture, like qtest_add_func() does.
Reviewed-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Use qtest_add_func() instead of g_test_add_func() to reflect
the architecture tested, changing GTester paths as follows:

  /fw_cfg/foo -> /x86_64/fw_cfg/foo etc.

Cc: qemu-stable@nongnu.org
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

..for address calculation instead address registers.
Signed-off-by: NBastian Koppelmann <kbastian@mail.uni-paderborn.de>

Make s390_update_iplstate() return uint32_t to avoid sign extensions
for cssids > 127. While this doesn't matter in practice yet (as
nobody supports MCSS-E and thus won't see the real cssid), play safe.
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NJason J. Herne <jjherne@linux.vnet.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

ram_addr.h is an internal interface and it is not needed anyway by
hw/s390x/ipl.c.

Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: NThomas Huth <huth@tuxfamily.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-Id: <1427295389-5054-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

Processing for READ_VQ_CONF needs to check whether the requested queue
value is actually in the supported range and post a channel program
check if not.

Cc: qemu-stable@nongnu.org
Reviewed-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: NDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NCornelia Huck <cornelia.huck@de.ibm.com>

# gpg: Signature made Fri Mar 27 22:19:31 2015 GMT using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  AHCI: Protect cmd register
  AHCI: Do not (re)map FB/CLB buffers while not running
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Many bits in the CMD register are supposed to be strictly read-only.
We should not be deleting them on every write.

As a side-effect: pay explicit attention to when a guest marks off
the FIS Receive or Start bits, and disable the status bits ourselves,
instead of letting them implicitly fall off.
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-3-git-send-email-jsnow@redhat.com

The FIS Receive Buffer and Command List Buffer pointers
should not be edited while the FIS receive engine or
Command Receive engines are running.

Currently, we attempt to re-map the buffers every time they
are adjusted, but while the AHCI engines are off, these registers
may contain stale values, so we should not attempt to re-map these
values until the engines are reactivated.
Reported-by: NJordan Hargrave <jharg93@gmail.com>
Signed-off-by: NJohn Snow <jsnow@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1426283454-15590-2-git-send-email-jsnow@redhat.com

# gpg: Signature made Fri Mar 27 11:59:41 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  hw/net/e1000: fix integer endianness
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

# gpg: Signature made Fri Mar 27 10:13:35 2015 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  block: Document blockdev-add's immaturity
  qemu-iotests: Test unaligned 4k zero write
  block: Fix unaligned zero write
  nvme: Fix unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

It's detected by coverity.In is_vlan_packet s->mac_reg[VET] is
unsigned int but is dereferenced as a narrower unsigned short.
This may lead to unexpected results depending on machine
endianness.
Signed-off-by: NShannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: NShannon Zhao <shannon.zhao@linaro.org>
Message-id: 1426224119-8352-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Message-id: 1426858337-21423-1-git-send-email-armbru@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1427160230-4489-3-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

If the zero write is not aligned, bdrv_co_do_pwritev will segfault
because of accessing to the NULL qiov passed in by bdrv_co_write_zeroes.
Fix this by allocating a local qiov in bdrv_co_do_pwritev if the request
is not aligned. (In this case the padding iovs are necessary anyway, so
it doesn't hurt.)

Also add a check at the end of bdrv_co_do_pwritev to clear the zero flag
if padding is involved.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1427160230-4489-2-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The shift operation on nlb gives a 32 bit result if no type cast is
applied. This bug was reported by Coverity.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1426348844-8793-1-git-send-email-sw@weilnetz.de
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

gtk: do not call gtk_widget_get_window if drawing area is not initialized

# gpg: Signature made Thu Mar 26 16:59:55 2015 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-gtk-20150326-1:
  gtk: do not call gtk_widget_get_window if drawing area is not initialized
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Bugfixes and making SCSI adapters IOMMU-friendly.

# gpg: Signature made Thu Mar 26 13:24:05 2015 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  virtio-scsi-dataplane: fix memory leak for VirtIOSCSIVring
  misc: fix typos in copyright declaration
  exec: avoid possible overwriting of mmaped area in qemu_ram_remap
  sparc: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  mips: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  m68k: memory: Replace memory_region_init_ram with memory_region_allocate_system_memory
  nbd: Fix up comment after commit e140177d
  vmw_pvscsi: use PCI DMA APIs
  megasas: use PCI DMA APIs
  cpus: Don't kick un-realized cpus.
  i6300esb: Fix signed integer overflow
  i6300esb: Correct endiannness
  fw_cfg: factor out initialization of FW_CFG_ID (rev. number)
  rcu tests: fix compilation on 32-bit ppc
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Libseccomp dependency was mandating version 2.2.0 on all architectures
and this was causing configure and virt-test to break on non-updates
distros. This patch works-around it and give a more flexible way to
check the version, giving more time for other distros to update
libseccomp version.
Signed-off-by: NEduardo Otubo <eduardo.otubo@profitbricks.com>
Reported-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NJuan Quintela <quintela@redhat.com>
Tested-by: NJuan Quintela <quintela@redhat.com>
Message-id: 1427385385-30571-1-git-send-email-eduardo.otubo@profitbricks.com
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This prevents gtk_widget_get_window to return a NULL pointer.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

migration/next for 20150326

# gpg: Signature made Thu Mar 26 14:31:55 2015 GMT using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20150326:
  migration:  remove last_sent_block from save_page_header
  rdma: Fix cleanup in error paths
  Avoid crashing on multiple -incoming
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Compression code (still not on tree) want to call this funtion from
outside the migration thread, so we can't write to last_sent_block.

Instead of reverting full patch:

[PULL 07/11] save_block_hdr: we can recalculate

Just revert the parts that touch last_sent_block.
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>

As part of commit e325b49a,
order in which resources are destroyed was changed for fixing
a seg fault. Due to this change, CQ will never get destroyed as
CQ should be destroyed after QP destruction. Seg fault is caused
improper cleanup when connection fails. Fixing cleanup after
connection failure and order in which resources are destroyed
in qemu_rdma_cleanup() routine.
Signed-off-by: NMeghana Cheripady <meghana.cheripady@emulex.com>
Signed-off-by: NPadmanabh Ratnakar <padmanabh.ratnakar@emulex.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>