ati: use vga_read_byte in ati_cursor_define
sd: sdhci: assert data_count is within fifo_buffer
msix: add valid.accepts methods to check address
Signed-off-by: Alex Chen <alex.chen@huawei.com>
hw: usb: hcd-ohci: check for processed TD before retire
hw: ehci: check return value of 'usb_packet_map'
hw: usb: hcd-ohci: check len and frame_number variables
hw/net/e1000e: advance desc_offset in case of null descriptor
Signed-off-by: Alex Chen <alex.chen@huawei.com>
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.
CVE-2020-29129 CVE-2020-29130
QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
-> https://www.openwall.com/lists/oss-security/2020/11/27/1
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry-picked from 2e1dcbc0)
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Since filemonitor testcase requires that host kernel being a LTS version,
we cannot guarantee that on OBS system. Let's disable it by default.
Signed-off-by: Ying Fang <fangying1@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
target/arm: Add isar_feature tests for PAN + ATS1E1
target/arm: Add ID_AA64MMFR2_EL1
target/arm: Add and use FIELD definitions for ID_AA64DFR0_EL1
target/arm: Use FIELD macros for clearing ID_DFR0 PERFMON field
target/arm: Define an aa32_pmu_8_1 isar feature test function
target/arm: Add _aa64_ and _any_ versions of pmu_8_1 isar checks
target/arm: Stop assuming DBGDIDR always exists
target/arm: Move DBGDIDR into ARMISARegisters
target/arm: Enable ARMv8.2-ATS1E1 in -cpu max
target/arm: Test correct register in aa32_pan and aa32_ats1e1 checks
target/arm: Read debug-related ID registers from KVM
target/arm/monitor: Introduce qmp_query_cpu_model_expansion
target/arm/monitor: query-cpu-model-expansion crashed qemu when using machine type none
target/arm: convert isar regs to array
target/arm: parse cpu feature related options
target/arm: register CPU features for property
target/arm: Allow ID registers to synchronize to KVM
target/arm: introduce CPU feature dependency mechanism
target/arm: introduce KVM_CAP_ARM_CPU_FEATURE
target/arm: Add CPU features to query-cpu-model-expansion
target/arm: Update ID fields
target/arm: Add more CPU features
target/arm: ignore evtstrm and cpuid CPU features
target/arm: Update the ID registers of Kunpeng-920
target/arm: only set ID_PFR1_EL1.GIC for AArch32 guest
target/arm: clear EL2 and EL3 only when kvm is not enabled
Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Liang Yan <lyan@suse.com>
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()
sm501: Convert printf + abort to qemu_log_mask
sm501: Shorten long variable names in sm501_2d_operation
sm501: Use BIT(x) macro to shorten constant
sm501: Clean up local variables in sm501_2d_operation
sm501: Replace hand written implementation with pixman where possible
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid and could
lead to data leakage in icmp6_send_echoreply().
Add the kvm_adjvtime vcpu property for ARM Cortex-A72 cpu model,
so that virtual time adjust will be enabled for it.
Signed-off-by: Ying Fang <fangying1@huawei.com>
This patch drops the vtimer virtual timer adjust, cross version migration
from openEuler qemu-4.0.1 to qemu-4.1.0 is not supported as a consequence.
By default openEuler qemu-4.1.0 use kvm_adjvtime as the virtual timer.
Signed-off-by: Ying Fang <fangying1@huawei.com>
Vtimer adjust is used in openEuler qemu-4.0.1, however kvm_adjvtime
is introduced in openEuler qemu-4.1.0. To maintain the compatibility
and enable cross version migration, let's enable vtimer adjust only
if kvm_adjvtime is not enabled, otherwise there may be conflicts
between vtimer adjust and kvm_adjvtime.
After this modification:
1: openEuler qemu-4.0.1 use vtimer as the default virtual timer
2: openEuler qemu-4.1.0 use kvm_adjvtime as the defaut virtual timer
Migration from openEuler qemu-4.0.1 to openEuler qemu-4.1.0 will
be ok, but migration path from upstream qemu-4.0.1 to openEuler
qemu-4..0.1 will be broken.
Since openEuler qemu-4.1.0, kvm_adjvtime is used as the default
virtual timer. So please upgrade to openEuler qemu-4.1.0 and
use the virt-4.1 machine.
Signed-off-by: Ying Fang <fangying1@huawei.com>
Machine compatibility for kvm-no-adjvtime is missed,
let's add it for virt machine 4.0, thus kvm-no-adjvtime
is supported in v4.1.0.
Signed-off-by: Ying Fang <fangying1@huawei.com>
To support cross version migration, we had to add the vtimer back
which was introduced in openEuler qemu-4.0.1.
Signed-off-by: Ying Fang <fangying1@huawei.com>
