From c1be973ae1135588ed77b365bfd3bf063bac78ae Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Tue, 21 Jun 2011 20:34:17 +0300 Subject: [PATCH 1/5] vhost: fix double free on device stop vhost dev stop failed to clear the log field. Typically not an issue as dev start overwrites this field, but if logging gets disabled before the following start, it doesn't so this causes a double free. Signed-off-by: Michael S. Tsirkin --- hw/vhost.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/vhost.c b/hw/vhost.c index 80f771e448..c3d88214fe 100644 --- a/hw/vhost.c +++ b/hw/vhost.c @@ -784,5 +784,6 @@ void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev) hdev->started = false; qemu_free(hdev->log); + hdev->log = NULL; hdev->log_size = 0; } From 33d5ad53c1039989c4ecf583ed52a584d3888495 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Sun, 26 Jun 2011 16:17:27 +0300 Subject: [PATCH 2/5] pci_ids: tweak names to match linux/pci_ids.h Sync xen names to ones used by linux. Add xen platform device id as well. Signed-off-by: Michael S. Tsirkin --- hw/pci_ids.h | 3 ++- hw/xen_platform.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/hw/pci_ids.h b/hw/pci_ids.h index d94578c87d..b49c602844 100644 --- a/hw/pci_ids.h +++ b/hw/pci_ids.h @@ -110,4 +110,5 @@ #define PCI_DEVICE_ID_INTEL_82371AB_2 0x7112 #define PCI_DEVICE_ID_INTEL_82371AB_3 0x7113 -#define PCI_VENDOR_ID_XENSOURCE 0x5853 +#define PCI_VENDOR_ID_XEN 0x5853 +#define PCI_DEVICE_ID_XEN_PLATFORM 0x0001 diff --git a/hw/xen_platform.c b/hw/xen_platform.c index b167eee1ff..9a01735d31 100644 --- a/hw/xen_platform.c +++ b/hw/xen_platform.c 
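Review bot: The reason the new `hdev->log = NULL;` is needed exists only in the commit message; in the code a reader sees a free, a NULL store and a zeroed size, and may later judge the store redundant and drop it. Suggest a comment above the added line: `/* Must be cleared: vhost_dev_start leaves hdev->log untouched when logging is disabled, so a stale pointer would be freed again on the next stop. */` (the start path is not in this hunk, so the wording follows the commit message). With the pointer cleared, "log == NULL whenever log_size == 0" becomes an invariant worth asserting at the point where the log is consumed, if such a place exists. Only the tail of vhost_dev_stop is visible here.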
@@ -290,10 +290,10 @@ static int xen_platform_initfn(PCIDevice *dev) pci_conf = d->pci_dev.config; - pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_XENSOURCE); - pci_config_set_device_id(pci_conf, 0x0001); - pci_set_word(pci_conf + PCI_SUBSYSTEM_VENDOR_ID, PCI_VENDOR_ID_XENSOURCE); - pci_set_word(pci_conf + PCI_SUBSYSTEM_ID, 0x0001); + pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_XEN); + pci_config_set_device_id(pci_conf, PCI_DEVICE_ID_XEN_PLATFORM); + pci_set_word(pci_conf + PCI_SUBSYSTEM_VENDOR_ID, PCI_VENDOR_ID_XEN); + pci_set_word(pci_conf + PCI_SUBSYSTEM_ID, PCI_DEVICE_ID_XEN_PLATFORM); pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_IO | PCI_COMMAND_MEMORY); From ce4fd422a6c5119baf4a2c3115c7ea63efb0f68e Mon Sep 17 00:00:00 2001 From: Anthony PERARD Date: Wed, 22 Jun 2011 16:58:31 +0100 Subject: [PATCH 3/5] hw/piix_pci.c: Fix PIIX3-xen to initialize ids Signed-off-by: Anthony PERARD Signed-off-by: Michael S. Tsirkin --- hw/piix_pci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/piix_pci.c b/hw/piix_pci.c index 26ce90451a..d08b31a266 100644 --- a/hw/piix_pci.c +++ b/hw/piix_pci.c @@ -478,6 +478,9 @@ static PCIDeviceInfo i440fx_info[] = { .no_hotplug = 1, .init = piix3_initfn, .config_write = piix3_write_config_xen, + .vendor_id = PCI_VENDOR_ID_INTEL, + .device_id = PCI_DEVICE_ID_INTEL_82371SB_0, // 82371SB PIIX3 PCI-to-ISA bridge (Step A1) + .class_id = PCI_CLASS_BRIDGE_ISA, },{ /* end of list */ } From 0d2b962d16feaf1eb1a4658a4c1b85642418cd07 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Sun, 26 Jun 2011 16:30:45 +0300 Subject: [PATCH 4/5] xen: move to new pci initializers move ids to pci info structure Signed-off-by: Michael S. Tsirkin --- hw/xen_platform.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/hw/xen_platform.c b/hw/xen_platform.c index 9a01735d31..f43e175b4e 100644 --- a/hw/xen_platform.c +++ b/hw/xen_platform.c 
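Review bot: The trailing `// 82371SB PIIX3 PCI-to-ISA bridge (Step A1)` on the new `.device_id` line is a C99 line comment, which QEMU's checkpatch.pl generally rejects in favour of block comments, and no other line of this table (as far as visible) uses one. Suggest `.device_id = PCI_DEVICE_ID_INTEL_82371SB_0, /* 82371SB PIIX3 PCI-to-ISA bridge (Step A1) */`. The three ids presumably duplicate the non-Xen PIIX3 entry of i440fx_info, which lies outside this hunk; if so, a shared comment or a small macro would keep the two variants from drifting. The i440fx_info array both starts before and ends after the hunk.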
@@ -290,18 +290,10 @@ static int xen_platform_initfn(PCIDevice *dev) pci_conf = d->pci_dev.config; - pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_XEN); - pci_config_set_device_id(pci_conf, PCI_DEVICE_ID_XEN_PLATFORM); - pci_set_word(pci_conf + PCI_SUBSYSTEM_VENDOR_ID, PCI_VENDOR_ID_XEN); - pci_set_word(pci_conf + PCI_SUBSYSTEM_ID, PCI_DEVICE_ID_XEN_PLATFORM); - pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_IO | PCI_COMMAND_MEMORY); - pci_config_set_revision(pci_conf, 1); pci_config_set_prog_interface(pci_conf, 0); - pci_config_set_class(pci_conf, PCI_CLASS_OTHERS << 8 | 0x80); - pci_conf[PCI_INTERRUPT_PIN] = 1; pci_register_bar(&d->pci_dev, 0, 0x100, @@ -330,6 +322,13 @@ static PCIDeviceInfo xen_platform_info = { .qdev.size = sizeof(PCIXenPlatformState), .qdev.vmsd = &vmstate_xen_platform, .qdev.reset = platform_reset, + + .vendor_id = PCI_VENDOR_ID_XEN, + .device_id = PCI_DEVICE_ID_XEN_PLATFORM, + .class_id = PCI_CLASS_OTHERS << 8 | 0x80, + .subsystem_vendor_id = PCI_VENDOR_ID_XEN, + .subsystem_id = PCI_DEVICE_ID_XEN_PLATFORM, + .revision = 1, }; static void xen_platform_register(void) From c8eac1cfa1e9104a658b4614ada758861b8d823a Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" Date: Mon, 20 Jun 2011 13:42:27 +0300 Subject: [PATCH 5/5] virtio: fix indirect descriptor buffer overflow We were previously allowing arbitrarily-long indirect descriptors, which could lead to a buffer overflow in qemu-kvm process. CVE-2011-2212 Signed-off-by: Michael S. Tsirkin --- hw/virtio.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/virtio.c b/hw/virtio.c index cc47a06a4e..a8f4940da2 100644 --- a/hw/virtio.c +++ b/hw/virtio.c 
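Review bot: The collapsed hunk makes it ambiguous whether `pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_IO | PCI_COMMAND_MEMORY);` and `pci_conf[PCI_INTERRUPT_PIN] = 1;` are removed lines or context lines preceded by a removed blank line — the header's counts (18 old, 10 new, eight deletions) fit either reading. Neither setting has a counterpart among the PCIDeviceInfo fields added in the second hunk, so if they really are deleted the platform device would come up with I/O and memory decoding disabled and no interrupt pin, which the commit message ("move ids to pci info structure") does not announce. Please confirm both lines survive on the new side; if they do, the commit is the pure move it claims to be. The body of xen_platform_initfn continues past the hunk.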
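Review bot: `.class_id = PCI_CLASS_OTHERS << 8 | 0x80,` relies on `<<` binding tighter than `|` and carries an unnamed subclass byte; the expression is inherited from the removed pci_config_set_class call, but moving it into a static initializer is the right moment to parenthesize and explain it. Suggest `.class_id = (PCI_CLASS_OTHERS << 8) | 0x80, /* subclass 0x80 — meaning not documented here; confirm against the Xen PV drivers' match table */`. The rest of the initializer list (qdev fields) sits outside the hunk.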
@@ -449,9 +449,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 struct iovec *sg;
 if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) {
+ if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) {
+ error_report("Too many write descriptors in indirect table");
+ exit(1);
+ }
 elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i);
 sg = &elem->in_sg[elem->in_num++];
 } else {
+ if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) {
+ error_report("Too many read descriptors in indirect table");
+ exit(1);
+ }
 elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i);
 sg = &elem->out_sg[elem->out_num++];
 }
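Review bot: Both new checks call `exit(1)` on a condition the guest controls — how many descriptors it chains — so a malicious or buggy guest can terminate the whole QEMU process at will; that converts the CVE-2011-2212 overflow into a guest-triggerable DoS, which is a defensible fail-closed stopgap but should be marked as such, e.g. `/* Guest-controlled length: exiting here is a guest-triggerable DoS, not a host compromise; replace with a device-broken path that stops ring processing once one exists. */`. The messages hard-code "indirect table", yet the loop shown appears to be the common path for direct chains as well (virtqueue_pop begins and ends outside the hunk), so the wording may mislead when a direct chain hits the limit. `ARRAY_SIZE(elem->in_sg)` also bounds the write into `elem->in_addr` only as long as both arrays are declared with the same length; neither declaration is visible here, so a comment or static assertion tying them together would make the guard self-evidently sufficient.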