<feed xmlns='http://www.w3.org/2005/Atom'>
<title>qemu/qemu.git, branch v2.4.0.1</title>
<subtitle>QEMU main repository</subtitle>
<id>https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=v2.4.0.1</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=v2.4.0.1'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/'/>
<updated>2015-09-22T21:53:29+00:00</updated>
<entry>
<title>Update version for 2.4.0.1 release</title>
<updated>2015-09-22T21:53:29+00:00</updated>
<author>
<name>Michael Roth</name>
<email>mdroth@linux.vnet.ibm.com</email>
</author>
<published>2015-09-22T21:53:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=83c92b45140be773f0c5545dddea35a89db1ad03'/>
<id>urn:sha1:83c92b45140be773f0c5545dddea35a89db1ad03</id>
<content type='text'>
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>net: avoid infinite loop when receiving packets(CVE-2015-5278)</title>
<updated>2015-09-21T22:04:22+00:00</updated>
<author>
<name>P J P</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2015-09-15T11:16:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1'/>
<id>urn:sha1:5a1ccdfe44946e726b4c6fda8a4493b3931a68c1</id>
<content type='text'>
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.

Reported-by: Qinghao Tang &lt;luodalongde@gmail.com&gt;
Signed-off-by: P J P &lt;pjp@fedoraproject.org&gt;
Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>net: add checks to validate ring buffer pointers(CVE-2015-5279)</title>
<updated>2015-09-21T22:04:14+00:00</updated>
<author>
<name>P J P</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2015-09-15T11:10:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755'/>
<id>urn:sha1:7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755</id>
<content type='text'>
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang &lt;luodalongde@gmail.com&gt;
Signed-off-by: P J P &lt;pjp@fedoraproject.org&gt;
Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)</title>
<updated>2015-09-21T22:04:05+00:00</updated>
<author>
<name>P J P</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2015-09-04T16:21:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b'/>
<id>urn:sha1:3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b</id>
<content type='text'>
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P &lt;pjp@fedoraproject.org&gt;
Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
Reviewed-by: Thomas Huth &lt;thuth@redhat.com&gt;
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vnc: fix memory corruption (CVE-2015-5225)</title>
<updated>2015-09-21T22:03:16+00:00</updated>
<author>
<name>Gerd Hoffmann</name>
<email>kraxel@redhat.com</email>
</author>
<published>2015-08-17T17:56:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=efec4dcd2552e85ed57f276b58f09fc385727450'/>
<id>urn:sha1:efec4dcd2552e85ed57f276b58f09fc385727450</id>
<content type='text'>
The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative.  Result is (possibly
exploitable) memory corruption.  Reason for that is it uses the stride
instead of bytes per scanline to apply limits.

For the server surface is is actually fine.  vnc creates that itself,
there is never any padding and thus scanline length always equals stride.

For the guest surface scanline length and stride are typically identical
too, but it doesn't has to be that way.  So add and use a new variable
(guest_ll) for the guest scanline length.  Also rename min_stride to
line_bytes to make more clear what it actually is.  Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.

Reported-by: 范祚至(库特) &lt;zuozhi.fzz@alibaba-inc.com&gt;
Reviewed-by: P J P &lt;ppandit@redhat.com&gt;
Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>Update version for v2.4.0 release</title>
<updated>2015-08-11T14:30:34+00:00</updated>
<author>
<name>Peter Maydell</name>
<email>peter.maydell@linaro.org</email>
</author>
<published>2015-08-11T14:30:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=5c79ae3615d5dafdf1bb09b7a356a3a005714e3d'/>
<id>urn:sha1:5c79ae3615d5dafdf1bb09b7a356a3a005714e3d</id>
<content type='text'>
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>Update version for v2.4.0-rc4 release</title>
<updated>2015-08-05T16:02:58+00:00</updated>
<author>
<name>Peter Maydell</name>
<email>peter.maydell@linaro.org</email>
</author>
<published>2015-08-05T16:02:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=2d697366a14ce95da2e9a59ea9872d3034eb49e4'/>
<id>urn:sha1:2d697366a14ce95da2e9a59ea9872d3034eb49e4</id>
<content type='text'>
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging</title>
<updated>2015-08-05T15:02:00+00:00</updated>
<author>
<name>Peter Maydell</name>
<email>peter.maydell@linaro.org</email>
</author>
<published>2015-08-05T15:02:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=0175409df42c20257171df87657dd705558aa94d'/>
<id>urn:sha1:0175409df42c20257171df87657dd705558aa94d</id>
<content type='text'>
virtio fix for 2.4

Fixes migration in virtio 1 mode.
We still have a known bug with memory hotplug, it doesn't
look like we can fix that in time for 2.4.

Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;

# gpg: Signature made Wed 05 Aug 2015 15:57:39 BST using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin &lt;mst@kernel.org&gt;"
# gpg:                 aka "Michael S. Tsirkin &lt;mst@redhat.com&gt;"

* remotes/mst/tags/for_upstream:
  virtio: fix 1.0 virtqueue migration

Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>block: don't register quorum driver if SHA256 support is unavailable</title>
<updated>2015-08-05T14:19:32+00:00</updated>
<author>
<name>Sascha Silbe</name>
<email>silbe@linux.vnet.ibm.com</email>
</author>
<published>2015-08-04T14:48:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=e94867ed5f241008d0f53142b2704a075f9ed505'/>
<id>urn:sha1:e94867ed5f241008d0f53142b2704a075f9ed505</id>
<content type='text'>
Commit 488981a4 [block: convert quorum blockdrv to use crypto APIs]
broke qemu-iotest 041 on hosts with GnuTLS &lt; 2.10.0. It converted a
compile-time check to a run-time check at device open time. The result
is that we now advertise a feature (the quorum block driver) that will
never work (on those hosts). There's no way (short of parsing
human-readable error messages) for qemu-iotests or any other API
consumer to recognise that the quorum block driver isn't _actually_
available and shouldn't be used or tested.

Move the run-time check to bdrv_quorum_init() to avoid registering the
quorum block driver if we know it cannot work. This way API consumers
can recognise it's unavailable.

Fixes: 488981a4af396551a3178d032cc2b41d9553ada2
Signed-off-by: Sascha Silbe &lt;silbe@linux.vnet.ibm.com&gt;
Reviewed-by: Eric Blake &lt;eblake@redhat.com&gt;
Reviewed-by: Daniel P. Berrange &lt;berrange@redhat.com&gt;
Reviewed-by: Alberto Garcia &lt;berto@igalia.com&gt;
Message-id: 1438699705-21761-1-git-send-email-silbe@linux.vnet.ibm.com
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>virtio: fix 1.0 virtqueue migration</title>
<updated>2015-08-05T13:56:34+00:00</updated>
<author>
<name>Jason Wang</name>
<email>jasowang@redhat.com</email>
</author>
<published>2015-08-05T09:50:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=74aae7b22b8a67cf31937b2f4bdefe2881e799e9'/>
<id>urn:sha1:74aae7b22b8a67cf31937b2f4bdefe2881e799e9</id>
<content type='text'>
1.0 does not requires physically-contiguous pages layout for a
virtqueue. So we could not infer avail and used from desc. This means
we need to migrate vring.avail and vring.used when host support virtio
1.0. This fixes malfunction of virtio 1.0 device after migration.

Cc: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Cc: Cornelia Huck &lt;cornelia.huck@de.ibm.com&gt;
Cc: Dr. David Alan Gilbert &lt;dgilbert@redhat.com&gt;
Signed-off-by: Jason Wang &lt;jasowang@redhat.com&gt;
Reviewed-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
</content>
</entry>
</feed>
