Other variables (e.g. sectors_per_block) are calculated using these
variables, and if not range-checked illegal values could be obtained
causing infinite loops and other potential issues when calculating
BAT entries.
The 1.00 VHDX spec requires BlockSize to be min 1MB, max 256MB.
LogicalSectorSize is required to be either 512 or 4096 bytes.
Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The maximum blocks_in_image is 0xffffffff / 4, which also limits the
maximum disk_size for a VDI image to 1024TB. Note that this is the maximum
size that QEMU will currently support with this driver, not necessarily the
maximum size allowed by the image format.
This also fixes an incorrect error message, a bug introduced by commit
5b7aa9b56d (Reported by Stefan Weil)
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This fixes some cases of division by zero crashes.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This adds checks to make sure that max_table_entries and block_size
are in sane ranges. Memory is allocated based on max_table_entries,
and block_size is used to calculate indices into that allocated
memory, so if these values are incorrect that can lead to potential
unbounded memory allocation, or invalid memory accesses.
Also, the allocation of the pagetable is changed from g_malloc0()
to qemu_blockalign().
Signed-off-by: Jeff Cody <jcody@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
32 bit truncation could let us access the wrong offset in the image.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This fixes two possible division by zero crashes: In bochs_open() and in
seek_to_sector().
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
It should neither become negative nor allow unbounded memory
allocations. This fixes aborts in g_malloc() and an s->catalog_bitmap
buffer overflow on big endian hosts.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Gets us rid of integer overflows resulting in negative sizes which
aren't correctly checked.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
This is an on-disk structure, so offsets must be accurate.
Before this patch, sizeof(bochs) != sizeof(header_v1), which makes the
memcpy() between both invalid. We're lucky enough that the destination
buffer happened to be the larger one, and the memcpy size to be taken
from the smaller one, so we didn't get a buffer overflow in practice.
This patch unifies the both structures, eliminating the need to do a
memcpy in the first place. The common fields are extracted to the top
level of the struct and the actually differing part gets a union of the
two versions.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
cloop stores the number of compressed blocks in the n_blocks header
field. The file actually contains n_blocks + 1 offsets, where the extra
offset is the end-of-file offset.
The following line in cloop_read_block() results in an out-of-bounds
offsets[] access:
uint32_t bytes = s->offsets[block_num + 1] - s->offsets[block_num];
This patch allocates and loads the extra offset so that
cloop_read_block() works correctly when the last block is accessed.
Notice that we must free s->offsets[] unconditionally now since there is
always an end-of-file offset.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The offsets[] array allows efficient seeking and tells us the maximum
compressed data size. If the offsets are bogus the maximum compressed
data size will be unrealistic.
This could cause g_malloc() to abort and bogus offsets mean the image is
broken anyway. Therefore we should refuse such images.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Limit offsets_size to 512 MB so that:
1. g_malloc() does not abort due to an unreasonable size argument.
2. offsets_size does not overflow the bdrv_pread() int size argument.
This limit imposes a maximum image size of 16 TB at 256 KB block size.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The following integer overflow in offsets_size can lead to out-of-bounds
memory stores when n_blocks has a huge value:
uint32_t n_blocks, offsets_size;
[...]
ret = bdrv_pread(bs->file, 128 + 4, &s->n_blocks, 4);
[...]
s->n_blocks = be32_to_cpu(s->n_blocks);
/* read offsets */
offsets_size = s->n_blocks * sizeof(uint64_t);
s->offsets = g_malloc(offsets_size);
[...]
for(i=0;i<s->n_blocks;i++) {
s->offsets[i] = be64_to_cpu(s->offsets[i]);
offsets_size can be smaller than n_blocks due to integer overflow.
Therefore s->offsets[] is too small when the for loop byteswaps offsets.
This patch refuses to open files if offsets_size would overflow.
Note that changing the type of offsets_size is not a fix since 32-bit
hosts still only have 32-bit size_t.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Avoid unbounded s->uncompressed_block memory allocation by checking that
the block_size header field has a reasonable value. Also enforce the
assumption that the value is a non-zero multiple of 512.
These constraints conform to cloop 2.639's code so we accept existing
image files.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Add a cloop format-specific test case. Later patches add tests for
input validation to the script.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Add the cloop block driver to qemu-iotests.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
irq_state is cleared before calling pci_device_deassert_intx, but the
latter misbehaves if the former isn't accurate. In this case, any raised
IRQs are not cleared, which hits an assertion in pcibus_reset:
qemu-system-x86_64: hw/pci/pci.c:250: pcibus_reset: Assertion
`bus->irq_count[i] == 0' failed.
pci_device_deassert_intx should clear irq_state anyways, so add
an assert.
This fixes migration with usb2 + usb-tablet.
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: 7da1ad94ce027183b4049c2de370cb191b0073c1.1396290569.git.crobinso@redhat.com
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
CPU address spaces touching load and store helpers as well as the
movement of (almost) all fields from CPU_COMMON to CPUState have led to
a noticeable increase of CPU() usage in "hot" paths for both TCG and KVM.
While CPU()'s OBJECT_CHECK() might help detect development errors, i.e.
in form of crashes due to QOM vs. non-QOM mismatches rather than QOM
type mismatches, it is not really needed at runtime since mostly used in
CPU-specific paths, coming from a target-specific CPU subtype. If that
pointer is damaged, other errors are highly likely to occur elsewhere
anyway.
Keep the CPU() macro for a consistent developer experience and for
flexibility to exchange its implementation, but turn it into a pure,
unchecked C cast for now.
Compare commit 6e42be7cd1.
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Linux guests, when using more than 4GB of RAM, may end up using 1GB pages
to store (kernel) data. When this happens, we're unable to debug a running
Linux kernel with GDB:
(gdb) p node_data[0]->node_id
Cannot access memory at address 0xffff88013fffd3a0
(gdb)
GDB returns this error because x86_cpu_get_phys_page_debug() doesn't support
translating 1GB pages in IA-32e paging mode and returns an error to GDB.
This commit adds support for 1GB page translation for IA32e paging.
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Before deleting .git, determine the version and save it in .version file.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Message-id: 1395277315-7806-1-git-send-email-afaerber@suse.de
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Here are some bugfixes for 2.0.
A bugfix for acpi for pci bridges, and a build fix for
old systems without pthread_setname_np: both fix regressions
so we definitely want to include them.
HPET fix is not for a regression but looks very safe,
fixes a nasty bug and has been on list for a while.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJTNWRMAAoJECgfDbjSjVRp6CoH/A3iLi+jkV4EhQQzU8U6vOmi
PIV71600rZd29u4hk6w5pyev6yyXSBwatmWk+vzHvINUIcc22KUue+773nXPW/fH
3oIgTwjKndE98V5vTSeOgOdD7iFuWlcgHQHLXXMsgpY1hVMS/1kidZdb+36o8euI
kdE+AxYGXS8Z3oBRFfROpT4v0UZ17qIaL4tqA4JJWMh/A3Qp3HY+ffU3ODAvKSQw
KWVWmKvbh82I25HOvALoMwtu26x48jhzu586pHBuEsHgTJKKBrAUdWph+2f1eSC+
xTgduKWEgK6Z9dCYDQwDaM8CqNzjqVzfgRu0RCSHtgTxCWaIN3dQbxEFi7WQ2Yo=
=dfqJ
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging
acpi,pc,build bug fixes
Here are some bugfixes for 2.0.
A bugfix for acpi for pci bridges, and a build fix for
old systems without pthread_setname_np: both fix regressions
so we definitely want to include them.
HPET fix is not for a regression but looks very safe,
fixes a nasty bug and has been on list for a while.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Fri 28 Mar 2014 12:00:12 GMT using RSA key ID D28D5469
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>"
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>"
* remotes/mst/tags/for_upstream:
acpi: fix ACPI generation for pci bridges
Don't enable a HPET timer if HPET is disabled
Detect pthread_setname_np at configure time
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Commit 8dcf525abc
acpi-build: append description for non-hotplug
appended description for all occupied non hotpluggable PCI slots.
However the bridge devices are already added to SSDT,
adding them again will create an incorrect SSDT table.
Fixed by skipping the pci bridge devices, marking them as 'system'.
Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
The arm ldrd/strd insns must cause alignment traps, whereas
at least for armv7 ldr/str must handle unaligned operations.
While this is hardly the only problem facing user-only emu,
this solves one problem for i386 on armv7 emulation.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reported-by: Huw Davies <huw@codeweavers.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iJwEAAECAAYFAlM0QokACgkQUlPFrXTwyDg0MAP/aV+I1bH7nAIXEPxfFNUd4bBQ
PsgaDTOd44G8SGjBqpO7EvgElBPfKnRfQjDmNV2LqYK6p+NMtlUh+ULDjxEBMBRU
hDXOWMlhHUU1to3vdN6qsRhCHNMEQUFeJWpv5EVIaD/VZkcgpz90F4WF6ZE0Xs9R
ZuUVbV/bapaow7bKoIk=
=3iLr
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-03-27' into staging
trivial patches for 2014-03-27
# gpg: Signature made Thu 27 Mar 2014 15:23:53 GMT using RSA key ID 74F0C838
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: E190 8639 3B10 B51B AC2C 8B73 5253 C5AD 74F0 C838
* remotes/mjt/tags/trivial-patches-2014-03-27: (23 commits)
linux-user: remove duplicate statement
hw/timer/grlib_gptimer: remove unnecessary assignment
hw/pci-host/apb.c: Avoid shifting left into sign bit
hw/intc/xilinx_intc: Avoid shifting left into sign bit
hw/intc/slavio_intctl: Avoid shifting left into sign bit
tests/libqos/pci-pc: Avoid shifting left into sign bit
hw/ppc: Avoid shifting left into sign bit
hw/intc/openpic: Avoid shifting left into sign bit
hw/usb/hcd-ohci.c: Avoid shifting left into sign bit
target-mips: Avoid shifting left into sign bit
hw/i386/acpi_build.c: Avoid shifting left into sign bit
hw/pci/pci_host.c: Avoid shifting left into sign bit
hw/intc/apic.c: Use uint32_t for mask word in foreach_apic
target-i386: Avoid shifting left into sign bit
CODING_STYLE: Section about mixed declarations
doc: update default PowerPC framebuffer settings
doc: update sun4m documentation
fix return check for KVM_GET_DIRTY_LOG ioctl
target-i386: Add missing 'static' and 'const' attributes
util: Add 'static' attribute to function implementation
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
A HPET timer can be started when HPET is not yet
enabled. This will not generate an interrupt
to the guest, but causes problems when HPET is later
enabled.
A timer that is created and expires at least once before
HPET is enabled will have an initialized comparator based
on a hpet_offset of 0 (uninitialized). When HPET is
enabled, hpet_set_timer() is called a second time, which
modifies the timer expiry to a time based on the
difference between current ticks (measured with the
newly initialized hpet_offset) and the timer's
comparator (which was generated before hpet_offset was
initialized). This results in a long period of no HPET
timer ticks.
When this occurs with a CentOS 5.x guest, the guest
may not receive timer interrupts during its narrow
timer check window and panic on boot.
Signed-off-by: Matt Lupfer <mlupfer@ddn.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Warn if no way of setting thread name is available.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* Don't default to integratorcp board if no machine specified
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABCAAGBQJTNDEIAAoJEDwlJe0UNgzeKqwQAISsctPHa4VswH+E/13fw0gE
QDXBjcAZzkrC4KP+iqm8ZrC3H7sOfqQgCJmrpupaGuOxTzHIbmZMpJFUbOOGf1MJ
tpAjdIeGmsWkBIl12c+aPHKy+EjwOs0n6A3pJJgFvaUfxR1U9coj/xak39XICErw
qD+fx1P3nvBm0FZHfybNJHdGWZeHixvODMq/oGhAY7h3T0NODL2r+aOThihkZe2I
lYB0zPKtyUDN5SEN3by1Ydv+uw0gQbM3HC+nH/ybsNl13ZeN8lSoyQryrYiLRQGY
CpoxzMGQV9/w3J1KkMrLvoPOoiuoE2/oOrOWgoP+qYa0QKrD6dDy3m7uk1Pgp2g0
bZWGxj6MKnSaYBgtXA1tp/XijlIBOM0CSa1DaS8voHy74sDrKnzsJF7qun3eVvUu
ptjbppxrJMrjHJ4/Qldcs+Xjfb+sXDdLt65nTmCEQ/IQpyvo2zVLET10B5g58Pyf
m8Ob2eGKEDSouw2y5LfKsQtZyN9fRCsC5MN0BJqSjOB2gOzgn5hx2Nv71W8eudaR
+65ZuF65IaDtMR1rTidzrE0SFZ21uYo/YLB77mOrsiIjL/XzGxvhffugt5Wpeuqq
lmZ8fBVhBoja2POn8dTALslCxBv8DPI3w5uYtNFriCKJ4bWdeiAg0LM1GvVKuwBW
oM4WyGLNdyZ7VJdvENmB
=HPUl
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20140327' into staging
target-arm queue:
* Don't default to integratorcp board if no machine specified
# gpg: Signature made Thu 27 Mar 2014 14:09:12 GMT using RSA key ID 14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
* remotes/pmaydell/tags/pull-target-arm-20140327:
vl.c: Improve message when no default machine is found
hw/arm: Stop specifying integratorcp as the default board
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Avoid undefined behaviour shifting left into the sign bit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix when doing "1 << 31" to avoid undefined behaviour.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to various places where we were doing "1 << 31",
which is undefined behaviour, and also to other constant
definitions in the same groups, for consistency.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to avoid undefined behaviour. This is only strictly
necessary for the 1 << 31 cases; for consistency we extend it
to other constants in the same group.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to avoid undefined behaviour. This is only
strictly necessary for the 1<<31 cases, but we add it for the
other constants in these groups for consistency.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to various places where we shift a 1 left by 31,
to avoid undefined behaviour.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to avoid undefined behaviour.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add U suffix to avoid undefined behaviour.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Use unsigned arithmetic for operations on the mask word
in the foreach_apic() macro, to avoid relying on undefined
behaviour when shifting into the sign bit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Add 'U' suffixes where necessary to avoid (1 << 31) which
shifts left into the sign bit, which is undefined behaviour.
Add the suffix also for other constants in the same groupings
even if they don't shift into bit 31, for consistency.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
We had an unwritten rule about declarations having to be at beginning of
blocks. Make it a written rule.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
