diff options
| author | Roger Pau Monné <royger@FreeBSD.org> | 2015-11-14 09:27:31 +0000 |
|---|---|---|
| committer | Roger Pau Monné <royger@FreeBSD.org> | 2015-11-14 09:27:31 +0000 |
| commit | 9da11fae5635a37a9ddffaf4d748819929f75cfc (patch) | |
| tree | 98cdd042aca2818e51c414d6af54d4b42d4875e5 /sysutils/xen-tools/files | |
| parent | - Switch to options helpers (diff) | |
xen: update to 4.5.2
...and add XSA-156.
Sponsored by: Citrix Systems R&D
Reviewed by: bapt
Differential Revision: https://reviews.freebsd.org/D4150
Notes
Notes:
svn path=/head/; revision=401564
Diffstat (limited to 'sysutils/xen-tools/files')
| -rw-r--r-- | sysutils/xen-tools/files/xsa137.patch | 231 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa138-qemuu-1.patch | 76 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa138-qemuu-2.patch | 28 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa138-qemuu-3.patch | 71 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa139-qemuu-4.5.patch | 38 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch | 82 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch | 373 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch | 39 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch | 53 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch | 34 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch | 35 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch | 32 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa142-4.5.patch | 53 | ||||
| -rw-r--r-- | sysutils/xen-tools/files/xsa153-libxl.patch | 86 |
14 files changed, 0 insertions, 1231 deletions
diff --git a/sysutils/xen-tools/files/xsa137.patch b/sysutils/xen-tools/files/xsa137.patch deleted file mode 100644 index ffc7fa7d49e3..000000000000 --- a/sysutils/xen-tools/files/xsa137.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 593fe52faa1b85567a7ec20c69d8cfbc7368ae5b Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Mon, 15 Jun 2015 14:50:42 +0100 -Subject: [PATCH] xl: Sane handling of extra config file arguments - -Various xl sub-commands take additional parameters containing = as -additional config fragments. - -The handling of these config fragments has a number of bugs: - - 1. Use of a static 1024-byte buffer. (If truncation would occur, - with semi-trusted input, a security risk arises due to quotes - being lost.) - - 2. Mishandling of the return value from snprintf, so that if - truncation occurs, the to-write pointer is updated with the - wanted-to-write length, resulting in stack corruption. (This is - XSA-137.) - - 3. Clone-and-hack of the code for constructing the appended - config file. - -These are fixed here, by introducing a new function -`string_realloc_append' and using it everywhere. The `extra_info' -buffers are replaced by pointers, which start off NULL and are -explicitly freed on all return paths. - -The separate variable which will become dom_info.extra_config is -abolished (which involves moving the clearing of dom_info). - -Additional bugs I observe, not fixed here: - - 4. The functions which now call string_realloc_append use ad-hoc - error returns, with multiple calls to `return'. This currently - necessitates multiple new calls to `free'. - - 5. Many of the paths in xl call exit(-rc) where rc is a libxl status - code. This is a ridiculous exit status `convention'. - - 6. The loops for handling extra config data are clone-and-hacks. - - 7. Once the extra config buffer is accumulated, it must be combined - with the appropriate main config file. The code to do this - combining is clone-and-hacked too. - -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Tested-by: Ian Jackson <Ian.Jackson@eu.citrix.com> -Acked-by: Ian Campbell <ian,campbell@citrix.com> ---- -v2: Use SSIZE_MAX, not INT_MAX. - Check *accumulate for NULL, not accumulate. - Move memset of dom_info. ---- - tools/libxl/xl_cmdimpl.c | 64 +++++++++++++++++++++++++++++----------------- - 1 file changed, 40 insertions(+), 24 deletions(-) - -diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c -index c858068..c01a851 100644 ---- a/tools/libxl/xl_cmdimpl.c -+++ b/tools/libxl/xl_cmdimpl.c -@@ -151,7 +151,7 @@ struct domain_create { - int console_autoconnect; - int checkpointed_stream; - const char *config_file; -- const char *extra_config; /* extra config string */ -+ char *extra_config; /* extra config string */ - const char *restore_file; - int migrate_fd; /* -1 means none */ - char **migration_domname_r; /* from malloc */ -@@ -4805,11 +4805,25 @@ int main_vm_list(int argc, char **argv) - return 0; - } - -+static void string_realloc_append(char **accumulate, const char *more) -+{ -+ /* Appends more to accumulate. Accumulate is either NULL, or -+ * points (always) to a malloc'd nul-terminated string. */ -+ -+ size_t oldlen = *accumulate ? strlen(*accumulate) : 0; -+ size_t morelen = strlen(more) + 1/*nul*/; -+ if (oldlen > SSIZE_MAX || morelen > SSIZE_MAX - oldlen) { -+ fprintf(stderr,"Additional config data far too large\n"); -+ exit(-ERROR_FAIL); -+ } -+ -+ *accumulate = xrealloc(*accumulate, oldlen + morelen); -+ memcpy(*accumulate + oldlen, more, morelen); -+} -+ - int main_create(int argc, char **argv) - { - const char *filename = NULL; -- char *p; -- char extra_config[1024]; - struct domain_create dom_info; - int paused = 0, debug = 0, daemonize = 1, console_autoconnect = 0, - quiet = 0, monitor = 1, vnc = 0, vncautopass = 0; -@@ -4824,6 +4838,8 @@ int main_create(int argc, char **argv) - {0, 0, 0, 0} - }; - -+ dom_info.extra_config = NULL; -+ - if (argv[1] && argv[1][0] != '-' && !strchr(argv[1], '=')) { - filename = argv[1]; - argc--; argv++; -@@ -4863,20 +4879,21 @@ int main_create(int argc, char **argv) - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ memset(&dom_info, 0, sizeof(dom_info)); -+ -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&dom_info.extra_config, argv[optind]); -+ string_realloc_append(&dom_info.extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(dom_info.extra_config); - return 2; - } - } - -- memset(&dom_info, 0, sizeof(dom_info)); - dom_info.debug = debug; - dom_info.daemonize = daemonize; - dom_info.monitor = monitor; -@@ -4884,16 +4901,18 @@ int main_create(int argc, char **argv) - dom_info.dryrun = dryrun_only; - dom_info.quiet = quiet; - dom_info.config_file = filename; -- dom_info.extra_config = extra_config; - dom_info.migrate_fd = -1; - dom_info.vnc = vnc; - dom_info.vncautopass = vncautopass; - dom_info.console_autoconnect = console_autoconnect; - - rc = create_domain(&dom_info); -- if (rc < 0) -+ if (rc < 0) { -+ free(dom_info.extra_config); - return -rc; -+ } - -+ free(dom_info.extra_config); - return 0; - } - -@@ -4901,8 +4920,7 @@ int main_config_update(int argc, char **argv) - { - uint32_t domid; - const char *filename = NULL; -- char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - void *config_data = 0; - int config_len = 0; - libxl_domain_config d_config; -@@ -4940,15 +4958,15 @@ int main_config_update(int argc, char **argv) - break; - } - -- extra_config[0] = '\0'; -- for (p = extra_config; optind < argc; optind++) { -+ for (; optind < argc; optind++) { - if (strchr(argv[optind], '=') != NULL) { -- p += snprintf(p, sizeof(extra_config) - (p - extra_config), -- "%s\n", argv[optind]); -+ string_realloc_append(&extra_config, argv[optind]); -+ string_realloc_append(&extra_config, "\n"); - } else if (!filename) { - filename = argv[optind]; - } else { - help("create"); -+ free(extra_config); - return 2; - } - } -@@ -4957,7 +4975,8 @@ int main_config_update(int argc, char **argv) - rc = libxl_read_file_contents(ctx, filename, - &config_data, &config_len); - if (rc) { fprintf(stderr, "Failed to read config file: %s: %s\n", -- filename, strerror(errno)); return ERROR_FAIL; } -+ filename, strerror(errno)); -+ free(extra_config); return ERROR_FAIL; } - if (strlen(extra_config)) { - if (config_len > INT_MAX - (strlen(extra_config) + 2 + 1)) { - fprintf(stderr, "Failed to attach extra configration\n"); -@@ -4998,7 +5017,7 @@ int main_config_update(int argc, char **argv) - libxl_domain_config_dispose(&d_config); - - free(config_data); -- -+ free(extra_config); - return 0; - } - -@@ -7255,7 +7274,7 @@ int main_cpupoolcreate(int argc, char **argv) - { - const char *filename = NULL, *config_src=NULL; - const char *p; -- char extra_config[1024]; -+ char *extra_config = NULL; - int opt; - static struct option opts[] = { - {"defconfig", 1, 0, 'f'}, -@@ -7289,13 +7308,10 @@ int main_cpupoolcreate(int argc, char **argv) - break; - } - -- memset(extra_config, 0, sizeof(extra_config)); - while (optind < argc) { - if ((p = strchr(argv[optind], '='))) { -- if (strlen(extra_config) + 1 + strlen(argv[optind]) < sizeof(extra_config)) { -- strcat(extra_config, "\n"); -- strcat(extra_config, argv[optind]); -- } -+ string_realloc_append(&extra_config, "\n"); -+ string_realloc_append(&extra_config, argv[optind]); - } else if (!filename) { - filename = argv[optind]; - } else { --- -1.7.10.4 - diff --git a/sysutils/xen-tools/files/xsa138-qemuu-1.patch b/sysutils/xen-tools/files/xsa138-qemuu-1.patch deleted file mode 100644 index 8a41848ddf25..000000000000 --- a/sysutils/xen-tools/files/xsa138-qemuu-1.patch +++ /dev/null @@ -1,76 +0,0 @@ -From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <kwolf@redhat.com> -Date: Wed, 3 Jun 2015 14:13:31 +0200 -Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 122e955..44fcc23 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; --- -1.8.3.1 diff --git a/sysutils/xen-tools/files/xsa138-qemuu-2.patch b/sysutils/xen-tools/files/xsa138-qemuu-2.patch deleted file mode 100644 index f860cfa3db6c..000000000000 --- a/sysutils/xen-tools/files/xsa138-qemuu-2.patch +++ /dev/null @@ -1,28 +0,0 @@ -From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <kwolf@redhat.com> -Date: Wed, 3 Jun 2015 14:17:46 +0200 -Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion - -The command must be completed on all code paths. START STOP UNIT with -pwrcnd set should succeed without doing anything. - -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - hw/ide/atapi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c -index 950e311..79dd167 100644 ---- a/hw/ide/atapi.c -+++ b/hw/ide/atapi.c -@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf) - - if (pwrcnd) { - /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); - return; - } - --- -1.8.3.1 - diff --git a/sysutils/xen-tools/files/xsa138-qemuu-3.patch b/sysutils/xen-tools/files/xsa138-qemuu-3.patch deleted file mode 100644 index 3ade9b16002f..000000000000 --- a/sysutils/xen-tools/files/xsa138-qemuu-3.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <kwolf@redhat.com> -Date: Wed, 3 Jun 2015 14:41:27 +0200 -Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). - -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 44fcc23..50449ca 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - --- -1.8.3.1 - diff --git a/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch b/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch deleted file mode 100644 index 70ea0661d43a..000000000000 --- a/sysutils/xen-tools/files/xsa139-qemuu-4.5.patch +++ /dev/null @@ -1,38 +0,0 @@ -pci_piix3_xen_ide_unplug should completely unhook the unplugged -IDEDevice from the corresponding BlockBackend, otherwise the next call -to release_drive will try to detach the drive again. - -Suggested-by: Kevin Wolf <kwolf@redhat.com> -Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> ---- - hw/ide/piix.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/hw/ide/piix.c b/hw/ide/piix.c -index 40757eb..0524dce 100644 ---- a/hw/ide/piix.c -+++ b/hw/ide/piix.c -@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev) - PCIIDEState *pci_ide; - DriveInfo *di; - int i = 0; -+ IDEDevice *idedev; - - pci_ide = PCI_IDE(dev); - -@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev) - } - bdrv_close(di->bdrv); - pci_ide->bus[di->bus].ifs[di->unit].bs = NULL; -+ if (!(i % 2)) { -+ idedev = pci_ide->bus[di->bus].master; -+ } else { -+ idedev = pci_ide->bus[di->bus].slave; -+ } -+ idedev->conf.bs = NULL; - drive_put_ref(di); - } - } --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch deleted file mode 100644 index 043d1893579c..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-1.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:16:58 +0100 -Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing - -Transmit offload needs to parse packet headers. If header fields have -unexpected values the offload processing is skipped. - -The code currently uses nested ifs because there is relatively little -input validation. The next patches will add missing input validation -and a goto label is more appropriate to avoid deep if statement nesting. - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 41 ++++++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 19 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 5f0197c..91ba33b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2174,28 +2174,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DPRINTF("+++ C+ mode has IP packet\n"); -- -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DPRINTF("+++ C+ mode packet has bad IP version %d " -- "expected %d\n", IP_HEADER_VERSION(ip), -- IP_HEADER_VERSION_4); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ goto skip_offload; - } - -+ DPRINTF("+++ C+ mode has IP packet\n"); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DPRINTF("+++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ IP_HEADER_VERSION_4); -+ goto skip_offload; -+ } -+ -+ hlen = IP_HEADER_LENGTH(ip); -+ ip_protocol = ip->ip_p; -+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ - if (ip) - { - if (txdw0 & CP_TX_IPCS) -@@ -2391,6 +2393,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch deleted file mode 100644 index 7a76a8a40d25..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-2.patch +++ /dev/null @@ -1,373 +0,0 @@ -From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:16:59 +0100 -Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement - -The previous patch stopped using the ip pointer as an indicator that the -IP header is present. When we reach the if (ip) {...} statement we know -ip is always non-NULL. - -Remove the if statement to reduce nesting. - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++---------------------------- - 1 file changed, 151 insertions(+), 154 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 91ba33b..2f12d42 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2198,198 +2198,195 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -- if (ip) -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DPRINTF("+++ C+ mode need IP checksum\n"); -+ DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */ -+ /* bad packet header len */ -+ /* or packet too short */ - } -- -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ else - { -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); -+ } -+ } - -- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -- "frame data %d specified MSS=%d\n", ETH_MTU, -- ip_data_len, saved_size - ETH_HLEN, large_send_mss); -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- int tcp_send_offset = 0; -- int send_count = 0; -+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -+ "frame data %d specified MSS=%d\n", ETH_MTU, -+ ip_data_len, saved_size - ETH_HLEN, large_send_mss); - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -- "data len %d TCP chunk size %d\n", ip_data_len, -- tcp_hlen, tcp_data_len, tcp_chunk_size); -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- /* note the cycle below overwrites IP header data, -- but restores it from saved_ip_header before sending packet */ -+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -+ "data len %d TCP chunk size %d\n", ip_data_len, -+ tcp_hlen, tcp_data_len, tcp_chunk_size); - -- int is_last_frame = 0; -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -- -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -- -- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -- be32_to_cpu(p_tcp_hdr->th_seq)); -- -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -- -- DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -- "packet with %d bytes data\n", tcp_hlen + -- chunk_size); -- -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -- -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -- -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -- -- p_tcp_hdr->th_sum = 0; -- -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -- tcp_checksum); -- -- p_tcp_hdr->th_sum = tcp_checksum; -- -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -- -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -- -- /* increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -- -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DPRINTF("+++ C+ mode TSO IP header len=%d " -- "checksum=%04x\n", hlen, ip->ip_sum); -- -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DPRINTF("+++ C+ mode TSO transferring packet size " -- "%d\n", tso_send_size); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -- 0, (uint8_t *) dot1q_buffer); -- -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -+ int is_last_frame = 0; - -- /* Stop sending this frame */ -- saved_size = 0; -- } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) - { -- DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ uint16_t chunk_size = tcp_chunk_size; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -+ be32_to_cpu(p_tcp_hdr->th_seq)); - - /* add 4 TCP pseudoheader fields */ - /* copy IP source and destination fields */ - memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -+ "packet with %d bytes data\n", tcp_hlen + -+ chunk_size); -+ -+ if (tcp_send_offset) - { -- DPRINTF("+++ C+ mode calculating TCP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) -+ { -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); - -- p_tcp_hdr->th_sum = 0; -+ p_tcp_hdr->th_sum = 0; - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode TCP checksum %04x\n", -- tcp_checksum); -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -+ tcp_checksum); - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DPRINTF("+++ C+ mode calculating UDP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ p_tcp_hdr->th_sum = tcp_checksum; - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- p_udp_hdr->uh_sum = 0; -+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode UDP checksum %04x\n", -- udp_checksum); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DPRINTF("+++ C+ mode TSO IP header len=%d " -+ "checksum=%04x\n", hlen, ip->ip_sum); - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DPRINTF("+++ C+ mode TSO transferring packet size " -+ "%d\n", tso_send_size); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -+ 0, (uint8_t *) dot1q_buffer); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; - } -+ -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); -+ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DPRINTF("+++ C+ mode calculating TCP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode TCP checksum %04x\n", -+ tcp_checksum); -+ -+ p_tcp_hdr->th_sum = tcp_checksum; -+ } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DPRINTF("+++ C+ mode calculating UDP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ -+ p_udp_hdr->uh_sum = 0; -+ -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode UDP checksum %04x\n", -+ udp_checksum); -+ -+ p_udp_hdr->uh_sum = udp_checksum; -+ } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } - } - --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch deleted file mode 100644 index 5676f4653284..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-3.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:17:00 +0100 -Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header - -Transmit offload features access Ethernet and IP headers the packet. If -the packet is too short we must not attempt to access header fields: - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - ... - eth_payload_data = saved_buffer + ETH_HLEN; - ... - ip = (ip_header*)eth_payload_data; - if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 2f12d42..d377b6b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2164,6 +2164,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode offloaded task checksum\n"); - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = NULL; - int hlen = 0; --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch deleted file mode 100644 index 495d8d616b26..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-4.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:17:01 +0100 -Subject: [PATCH 4/7] rtl8139: check IP Header Length field - -The IP Header Length field was only checked in the IP checksum case, but -is used in other cases too. - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index d377b6b..cd5ac05 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2200,6 +2200,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - - hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; -+ } -+ - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -@@ -2207,17 +2211,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); - } - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch deleted file mode 100644 index e633ea6b2e0b..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-5.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:17:02 +0100 -Subject: [PATCH 5/7] rtl8139: check IP Total Length field - -The IP Total Length field includes the IP header and data. Make sure it -is valid and does not exceed the Ethernet payload size. - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index cd5ac05..ed2b23b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2205,7 +2205,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - - ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ -+ ip_data_len = be16_to_cpu(ip->ip_len); -+ if (ip_data_len < hlen || ip_data_len > eth_payload_len) { -+ goto skip_offload; -+ } -+ ip_data_len -= hlen; - - if (txdw0 & CP_TX_IPCS) - { --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch deleted file mode 100644 index dd716a6d6dc7..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-6.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:17:03 +0100 -Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header - -TCP Large Segment Offload accesses the TCP header in the packet. If the -packet is too short we must not attempt to access header fields: - - tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index ed2b23b..c8f0df9 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2224,6 +2224,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) - { -+ /* Large enough for the TCP header? */ -+ if (ip_data_len < sizeof(tcp_header)) { -+ goto skip_offload; -+ } -+ - int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - - DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch b/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch deleted file mode 100644 index 4c0ad7993545..000000000000 --- a/sysutils/xen-tools/files/xsa140-qemuu-unstable-7.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi <stefanha@redhat.com> -Date: Wed, 15 Jul 2015 18:17:04 +0100 -Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field - -The TCP Data Offset field contains the length of the header. Make sure -it is valid and does not exceed the IP data length. - -Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index c8f0df9..2df4a51 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2253,6 +2253,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - - int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -+ /* Invalid TCP data offset? */ -+ if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) { -+ goto skip_offload; -+ } -+ - /* ETH_MTU = ip header len + tcp header len + payload */ - int tcp_data_len = ip_data_len - tcp_hlen; - int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; --- -2.1.4 - diff --git a/sysutils/xen-tools/files/xsa142-4.5.patch b/sysutils/xen-tools/files/xsa142-4.5.patch deleted file mode 100644 index 712950f6795a..000000000000 --- a/sysutils/xen-tools/files/xsa142-4.5.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 07ca00703f76ad392eda5ee52cce1197cf49c30a Mon Sep 17 00:00:00 2001 -From: Stefano Stabellini <stefano.stabellini@eu.citrix.com> -Subject: [PATCH v2.1 for-4.5] libxl: handle read-only drives with qemu-xen - -The current libxl code doesn't deal with read-only drives at all. - -Upstream QEMU and qemu-xen only support read-only cdrom drives: make -sure to specify "readonly=on" for cdrom drives and return error in case -the user requested a non-cdrom read-only drive. - -This is XSA-142, discovered by Lin Liu -(https://bugzilla.redhat.com/show_bug.cgi?id=1257893). - -Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> - -Backport to Xen 4.5 and earlier, apropos of report and review from -Michael Young. - -Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> ---- - tools/libxl/libxl_dm.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c -index b4ce523..d74fb14 100644 ---- a/tools/libxl/libxl_dm.c -+++ b/tools/libxl/libxl_dm.c -@@ -797,13 +797,18 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, - if (disks[i].is_cdrom) { - if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) - drive = libxl__sprintf -- (gc, "if=ide,index=%d,media=cdrom,cache=writeback,id=ide-%i", -- disk, dev_number); -+ (gc, "if=ide,index=%d,readonly=%s,media=cdrom,cache=writeback,id=ide-%i", -+ disk, disks[i].readwrite ? "off" : "on", dev_number); - else - drive = libxl__sprintf -- (gc, "file=%s,if=ide,index=%d,media=cdrom,format=%s,cache=writeback,id=ide-%i", -- disks[i].pdev_path, disk, format, dev_number); -+ (gc, "file=%s,if=ide,index=%d,readonly=%s,media=cdrom,format=%s,cache=writeback,id=ide-%i", -+ disks[i].pdev_path, disk, disks[i].readwrite ? "off" : "on", format, dev_number); - } else { -+ if (!disks[i].readwrite) { -+ LIBXL__LOG(ctx, LIBXL__LOG_ERROR, "qemu-xen doesn't support read-only disk drivers"); -+ return NULL; -+ } -+ - if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) { - LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "cannot support" - " empty disk format for %s", disks[i].vdev); --- -1.7.10.4 - diff --git a/sysutils/xen-tools/files/xsa153-libxl.patch b/sysutils/xen-tools/files/xsa153-libxl.patch deleted file mode 100644 index 14a50eb02ee4..000000000000 --- a/sysutils/xen-tools/files/xsa153-libxl.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 27593ec62bdad8621df910931349d964a6dbaa8c Mon Sep 17 00:00:00 2001 -From: Ian Jackson <ian.jackson@eu.citrix.com> -Date: Wed, 21 Oct 2015 16:18:30 +0100 -Subject: [PATCH XSA-153 v3] libxl: adjust PoD target by memory fudge, too - -PoD guests need to balloon at least as far as required by PoD, or risk -crashing. Currently they don't necessarily know what the right value -is, because our memory accounting is (at the very least) confusing. - -Apply the memory limit fudge factor to the in-hypervisor PoD memory -target, too. This will increase the size of the guest's PoD cache by -the fudge factor LIBXL_MAXMEM_CONSTANT (currently 1Mby). This ensures -that even with a slightly-off balloon driver, the guest will be -stable even under memory pressure. - -There are two call sites of xc_domain_set_pod_target that need fixing: - -The one in libxl_set_memory_target is straightforward. - -The one in xc_hvm_build_x86.c:setup_guest is more awkward. Simply -setting the PoD target differently does not work because the various -amounts of memory during domain construction no longer match up. -Instead, we adjust the guest memory target in xenstore (but only for -PoD guests). - -This introduces a 1Mby discrepancy between the balloon target of a PoD -guest at boot, and the target set by an apparently-equivalent `xl -mem-set' (or similar) later. This approach is low-risk for a security -fix but we need to fix this up properly in xen.git#staging and -probably also in stable trees. - -This is XSA-153. - -Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> ---- - tools/libxl/libxl.c | 2 +- - tools/libxl/libxl_dom.c | 9 ++++++++- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/tools/libxl/libxl.c b/tools/libxl/libxl.c -index d38d0c7..1366177 100644 ---- a/tools/libxl/libxl.c -+++ b/tools/libxl/libxl.c -@@ -4815,7 +4815,7 @@ retry_transaction: - } - - rc = xc_domain_set_pod_target(ctx->xch, domid, -- new_target_memkb / 4, NULL, NULL, NULL); -+ (new_target_memkb + LIBXL_MAXMEM_CONSTANT) / 4, NULL, NULL, NULL); - if (rc != 0) { - LIBXL__LOG_ERRNO(ctx, LIBXL__LOG_ERROR, - "xc_domain_set_pod_target domid=%d, memkb=%d " -diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c -index b514377..8019f4e 100644 ---- a/tools/libxl/libxl_dom.c -+++ b/tools/libxl/libxl_dom.c -@@ -486,6 +486,7 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid, - xs_transaction_t t; - char **ents; - int i, rc; -+ int64_t mem_target_fudge; - - if (info->num_vnuma_nodes && !info->num_vcpu_soft_affinity) { - rc = set_vnuma_affinity(gc, domid, info); -@@ -518,11 +519,17 @@ int libxl__build_post(libxl__gc *gc, uint32_t domid, - } - } - -+ mem_target_fudge = -+ (info->type == LIBXL_DOMAIN_TYPE_HVM && -+ info->max_memkb > info->target_memkb) -+ ? LIBXL_MAXMEM_CONSTANT : 0; -+ - ents = libxl__calloc(gc, 12 + (info->max_vcpus * 2) + 2, sizeof(char *)); - ents[0] = "memory/static-max"; - ents[1] = GCSPRINTF("%"PRId64, info->max_memkb); - ents[2] = "memory/target"; -- ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb); -+ ents[3] = GCSPRINTF("%"PRId64, info->target_memkb - info->video_memkb -+ - mem_target_fudge); - ents[4] = "memory/videoram"; - ents[5] = GCSPRINTF("%"PRId64, info->video_memkb); - ents[6] = "domid"; --- -1.7.10.4 - |