author | bouyer <bouyer> | 2017-03-20 18:09:21 +0000 |
---|---|---|
committer | bouyer <bouyer> | 2017-03-20 18:09:21 +0000 |
commit | 8eed678678ea682d35ea35ff6570855bbc7dc0fc (patch) | |
tree | c8b7808c5a8affeceecded7174c5600d06b62f3e /sysutils | |
parent | 232e249e9e8faa4ab5e65749ad0edaed846a7265 (diff) | |
Apply upstream patches for security fixes XSA-208, XSA-209 and XSA-211.
Bump PKGREVISION
Diffstat (limited to 'sysutils')
-rw-r--r-- | sysutils/xentools45/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xentools45/distinfo | 8 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-208-1 | 55 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-208-2 | 58 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-209-1 | 153 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-209-2 | 56 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-211-1 | 262 | ||||
-rw-r--r-- | sysutils/xentools45/patches/patch-XSA-211-2 | 230 |
8 files changed, 823 insertions, 3 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile index b13efe4d577..1f11b6b4610 100644 --- a/sysutils/xentools45/Makefile +++ b/sysutils/xentools45/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.46 2017/02/14 21:36:15 joerg Exp $ +# $NetBSD: Makefile,v 1.47 2017/03/20 18:09:21 bouyer Exp $ VERSION= 4.5.5 -PKGREVISION= 3 +PKGREVISION= 4 VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e DISTNAME= xen-${VERSION} diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo index c77ad564d8f..d2f14580ed1 100644 --- a/sysutils/xentools45/distinfo +++ b/sysutils/xentools45/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $ +$NetBSD: distinfo,v 1.30 2017/03/20 18:09:21 bouyer Exp $ SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 @@ -25,6 +25,12 @@ SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652 SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043 SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7 SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1 +SHA1 (patch-XSA-208-1) = a8eac4ac701626014b54480a5c7e382a43f892bb +SHA1 (patch-XSA-208-2) = 148df8d7fd42f9f885e4381c1073c0a7b5c71816 +SHA1 (patch-XSA-209-1) = a7cfa5bbdb3df5d76b4caa39119c2745a6ecf321 +SHA1 (patch-XSA-209-2) = 6b90313758d1f5a33936d48fc0bcb7c3f3fb84c0 +SHA1 (patch-XSA-211-1) = 432d65327e1ebe3d3317ac5f42f3912bb23d08ca +SHA1 (patch-XSA-211-2) = a92663c2c18290f5927780d3ed55aec497c58a8c SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88 SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f 
diff --git a/sysutils/xentools45/patches/patch-XSA-208-1 b/sysutils/xentools45/patches/patch-XSA-208-1 new file mode 100644 index 00000000000..c1da0fe155b --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-208-1 
@@ -0,0 +1,55 @@ +$NetBSD: patch-XSA-208-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +Cc: qemu-stable@nongnu.org +Cc: P J P <ppandit@redhat.com> +Cc: Laszlo Ersek <lersek@redhat.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 5198037..7bf3707 100644 +--- qemu-xen/hw/display/cirrus_vga.c.orig ++++ qemu-xen/hw/display/cirrus_vga.c +@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + { + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max >= s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +2.1.4 + 
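Review bot: The new bound `if (min < -1 || addr >= s->vga.vram_size)` in blit_region_is_unsafe is correct but unexplained, and a reader will take the `-1` for an off-by-one: as I read the backward ROPs, `min` now lands one byte below the lowest address a negative-pitch blit touches (addr + (height-1)*pitch - width), so -1 is the last value that is still in bounds. I would put a comment above the check such as `/* min is one byte below the lowest byte the blit touches; -1 is still in range */`, and note there that `addr` is tested as-is because it is the topmost address of a backward blit, as the bracketed kraxel remark in the header already says. The forward branch and the return of blit_region_is_unsafe lie outside the hunk.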
diff --git a/sysutils/xentools45/patches/patch-XSA-208-2 b/sysutils/xentools45/patches/patch-XSA-208-2 new file mode 100644 index 00000000000..24f0cfc7ae7 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-208-2 
@@ -0,0 +1,58 @@ +$NetBSD: patch-XSA-208-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ] + +Cc: qemu-stable@nongnu.org +Cc: P J P <ppandit@redhat.com> +Cc: Laszlo Ersek <lersek@redhat.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Stefano Stabellini <sstabellini@kernel.org> +Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> +--- + hw/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index e6c3893..364e22d 100644 +--- qemu-xen-traditional/hw/cirrus_vga.c.orig ++++ qemu-xen-traditional/hw/cirrus_vga.c +@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + { + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max >= s->vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vram_size) { + return true; + } + } else { +-- +2.1.4 + 
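Review bot: The traditional-tree copy of the fix carries the same unexplained threshold, `if (min < -1 || addr >= s->vram_size)`, and the reasoning behind `-1` (min is one byte below the lowest byte a negative-pitch blit reaches, if the backward ROPs behave as the header describes) is not visible anywhere near the check. A one-line comment above it, `/* min is one byte below the lowest byte the blit touches; -1 is still in range */`, would stop the next reader from "fixing" it to `< 0`. Only the backward branch of blit_region_is_unsafe is in the hunk; the forward branch follows outside it.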
diff --git a/sysutils/xentools45/patches/patch-XSA-209-1 b/sysutils/xentools45/patches/patch-XSA-209-1 new file mode 100644 index 00000000000..2bee92b83d1 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-209-1 
@@ -0,0 +1,153 @@ +$NetBSD: patch-XSA-209-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Mon, 13 Feb 2017 15:22:15 +0000 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +This is XSA-208. + +upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64 + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +Cc: qemu-stable@nongnu.org +From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers <brogers@suse.com> +Date: Tue, 21 Feb 2017 10:54:38 -0800 +Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in + blit_is_unsafe + +Commit 4299b90 added a check which is too broad, given that the source +pitch value is not required to be initialized for solid fill operations. +This patch refines the blit_is_unsafe() check to ignore source pitch in +that case. After applying the above commit as a security patch, we +noticed the SLES 11 SP4 guest gui failed to initialize properly. 
+ +Signed-off-by: Bruce Rogers <brogers@suse.com> +Message-id: 20170109203520.5619-1-brogers@suse.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 7bf3707..34a6900 100644 +--- qemu-xen/hw/display/cirrus_vga.c.orig ++++ qemu-xen/hw/display/cirrus_vga.c +@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + return false; + } + +-static bool blit_is_unsafe(struct CirrusVGAState *s) ++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + { + /* should be the case, see cirrus_bitblt_start */ + assert(s->cirrus_blt_width > 0); +@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) + s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { + return true; + } ++ if (dst_only) { ++ return false; ++ } + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { + return true; +@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if (blit_is_unsafe(s)) { ++ if (blit_is_unsafe(s, true)) { + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +2.1.4 + +From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001 +From: Gerd 
Hoffmann <kraxel@redhat.com> +Date: Tue, 21 Feb 2017 10:54:59 -0800 +Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to + cirrus_bitblt_cputovideo + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +The missing blit width check allows to overflow cirrus_bltbuf, +with the attractive target cirrus_srcptr (current cirrus_bltbuf write +position) being located right after cirrus_bltbuf in CirrusVGAState. + +Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker +hasn't full control over cirrus_srcptr though, only one byte can be +changed. Once the first byte has been modified further writes land +elsewhere. + +[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] + +Reported-by: Gerd Hoffmann <ghoffman@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 34a6900..5901250 100644 +--- qemu-xen/hw/display/cirrus_vga.c.orig ++++ qemu-xen/hw/display/cirrus_vga.c +@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s, true)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); +-- +2.1.4 + 
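Review bot: patch-XSA-209-1 opens with a stale copy of the XSA-208 commit header (`From 8f63265e...`, `Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)`, `This is XSA-208.`) that is cut off at `Cc: qemu-stable@nongnu.org` right before the real `From 52b7f43c...` header; patch(1) ignores it, but anyone auditing which CVE this file covers will be misled, so drop those lines and keep only the two XSA-209 headers (CVE-2017-2620). On the code side, the new `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` in cirrus_bitblt_cputovideo is only sound if `blit_is_unsafe(s, true)` rejects widths above CIRRUS_BLTBUFSIZE; that check is not among the hunk's context lines for this 4.5 tree, so confirm it is present, otherwise a guest turns the former overflow into an abort of the device model. The rest of cirrus_bitblt_cputovideo, including how srcpitch is derived from cirrus_blt_width, lies outside the hunk.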
diff --git a/sysutils/xentools45/patches/patch-XSA-209-2 b/sysutils/xentools45/patches/patch-XSA-209-2 new file mode 100644 index 00000000000..fa269abe0ec --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-209-2 
@@ -0,0 +1,56 @@ +$NetBSD: patch-XSA-209-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From: Gerd Hoffmann <kraxel@redhat.com> +Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +The missing blit width check allows to overflow cirrus_bltbuf, +with the attractive target cirrus_srcptr (current cirrus_bltbuf write +position) being located right after cirrus_bltbuf in CirrusVGAState. + +Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker +hasn't full control over cirrus_srcptr though, only one byte can be +changed. Once the first byte has been modified further writes land +elsewhere. + +[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] + +Fixed compilation by removing extra parameter to blit_is_unsafe. 
-iwj + +Reported-by: Gerd Hoffmann <ghoffman@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> +--- +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index e6c3893..45facb6 100644 +--- qemu-xen-traditional/hw/cirrus_vga.c.orig ++++ qemu-xen-traditional/hw/cirrus_vga.c +@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); diff --git a/sysutils/xentools45/patches/patch-XSA-211-1 b/sysutils/xentools45/patches/patch-XSA-211-1 new file mode 100644 index 00000000000..d2771552e11 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-211-1 
@@ -0,0 +1,262 @@ +$NetBSD: patch-XSA-211-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From c85f4df08b17f5808eda2b8afea1e4db7016cdc8 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 14 Feb 2017 19:09:59 +0100 +Subject: [PATCH] cirrus/vnc: zap bitblit support from console code. + +There is a special code path (dpy_gfx_copy) to allow graphic emulation +notify user interface code about bitblit operations carryed out by +guests. It is supported by cirrus and vnc server. The intended purpose +is to optimize display scrolls and just send over the scroll op instead +of a full display update. + +This is rarely used these days though because modern guests simply don't +use the cirrus blitter any more. Any linux guest using the cirrus drm +driver doesn't. Any windows guest newer than winxp doesn't ship with a +cirrus driver any more and thus uses the cirrus as simple framebuffer. + +So this code tends to bitrot and bugs can go unnoticed for a long time. +See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV" +which fixes a bug lingering in the code for almost a year, added by +commit "c7628bf vnc: only alloc server surface with clients connected". + +Also the vnc server will throttle the frame rate in case it figures the +network can't keep up (send buffers are full). This doesn't work with +dpy_gfx_copy, for any copy operation sent to the vnc client we have to +send all outstanding updates beforehand, otherwise the vnc client might +run the client side blit on outdated data and thereby corrupt the +display. So this dpy_gfx_copy "optimization" might even make things +worse on slow network links. + +Lets kill it once for all. 
+ +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 12 ++----- + include/ui/console.h | 8 ----- + ui/console.c | 28 --------------- + ui/vnc.c | 91 ------------------------------------------------- + 4 files changed, 3 insertions(+), 136 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index d643a0d..2e38c86 100644 +--- qemu-xen/hw/display/cirrus_vga.c.orig ++++ qemu-xen/hw/display/cirrus_vga.c +@@ -756,11 +756,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + } + } + +- /* we have to flush all pending changes so that the copy +- is generated at the appropriate moment in time */ +- if (notify) +- graphic_hw_update(s->vga.con); +- + (*s->cirrus_rop) (s, s->vga.vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vga.vram_ptr + +@@ -769,10 +764,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + s->cirrus_blt_width, s->cirrus_blt_height); + + if (notify) { +- qemu_console_copy(s->vga.con, +- sx, sy, dx, dy, +- s->cirrus_blt_width / depth, +- s->cirrus_blt_height); ++ dpy_gfx_update(s->vga.con, dx, dy, ++ s->cirrus_blt_width / depth, ++ s->cirrus_blt_height); + } + + /* we don't have to notify the display that this portion has +diff --git a/include/ui/console.h b/include/ui/console.h +index 22ef8ca..331c07a 100644 +--- qemu-xen/include/ui/console.h.orig ++++ qemu-xen/include/ui/console.h +@@ -158,10 +158,6 @@ typedef struct DisplayChangeListenerOps { + int x, int y, int w, int h); + void (*dpy_gfx_switch)(DisplayChangeListener *dcl, + struct DisplaySurface *new_surface); +- void (*dpy_gfx_copy)(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); +- + void (*dpy_text_cursor)(DisplayChangeListener *dcl, + int x, int y); + void (*dpy_text_resize)(DisplayChangeListener *dcl, +@@ -223,8 +219,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info); + void dpy_gfx_update(QemuConsole *con, 
int x, int y, int w, int h); + void dpy_gfx_replace_surface(QemuConsole *con, + DisplaySurface *surface); +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + void dpy_text_cursor(QemuConsole *con, int x, int y); + void dpy_text_update(QemuConsole *con, int x, int y, int w, int h); + void dpy_text_resize(QemuConsole *con, int w, int h); +@@ -315,8 +309,6 @@ void text_consoles_set_display(DisplayState *ds); + void console_select(unsigned int index); + void console_color_init(DisplayState *ds); + void qemu_console_resize(QemuConsole *con, int width, int height); +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + DisplaySurface *qemu_console_surface(QemuConsole *con); + DisplayState *qemu_console_displaystate(QemuConsole *console); + +diff --git a/ui/console.c b/ui/console.c +index 258af5d..cc1aa20 100644 +--- qemu-xen/ui/console.c.orig ++++ qemu-xen/ui/console.c +@@ -1450,27 +1450,6 @@ static void dpy_refresh(DisplayState *s) + } + } + +-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- DisplayState *s = con->ds; +- DisplayChangeListener *dcl; +- +- if (!qemu_console_is_visible(con)) { +- return; +- } +- QLIST_FOREACH(dcl, &s->listeners, next) { +- if (con != (dcl->con ? 
dcl->con : active_console)) { +- continue; +- } +- if (dcl->ops->dpy_gfx_copy) { +- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h); +- } else { /* TODO */ +- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h); +- } +- } +-} +- + void dpy_text_cursor(QemuConsole *con, int x, int y) + { + DisplayState *s = con->ds; +@@ -1968,13 +1947,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height) + dpy_gfx_replace_surface(s, surface); + } + +-void qemu_console_copy(QemuConsole *con, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- assert(con->console_type == GRAPHIC_CONSOLE); +- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h); +-} +- + DisplaySurface *qemu_console_surface(QemuConsole *console) + { + return console->surface; +diff --git a/ui/vnc.c b/ui/vnc.c +index 76caa897..c3c2625 100644 +--- qemu-xen/ui/vnc.c.orig ++++ qemu-xen/ui/vnc.c +@@ -733,96 +733,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + return n; + } + +-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h) +-{ +- /* send bitblit op to the vnc client */ +- vnc_lock_output(vs); +- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE); +- vnc_write_u8(vs, 0); +- vnc_write_u16(vs, 1); /* number of rects */ +- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT); +- vnc_write_u16(vs, src_x); +- vnc_write_u16(vs, src_y); +- vnc_unlock_output(vs); +- vnc_flush(vs); +-} +- +-static void vnc_dpy_copy(DisplayChangeListener *dcl, +- int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- VncDisplay *vd = container_of(dcl, VncDisplay, dcl); +- VncState *vs, *vn; +- uint8_t *src_row; +- uint8_t *dst_row; +- int i, x, y, pitch, inc, w_lim, s; +- int cmp_bytes; +- +- vnc_refresh_server_surface(vd); +- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vs->force_update = 1; +- vnc_update_client(vs, 1, true); +- /* vs might 
be free()ed here */ +- } +- } +- +- /* do bitblit op on the local surface too */ +- pitch = vnc_server_fb_stride(vd); +- src_row = vnc_server_fb_ptr(vd, src_x, src_y); +- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y); +- y = dst_y; +- inc = 1; +- if (dst_y > src_y) { +- /* copy backwards */ +- src_row += pitch * (h-1); +- dst_row += pitch * (h-1); +- pitch = -pitch; +- y = dst_y + h - 1; +- inc = -1; +- } +- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- if (w_lim < 0) { +- w_lim = w; +- } else { +- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT); +- } +- for (i = 0; i < h; i++) { +- for (x = 0; x <= w_lim; +- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) { +- if (x == w_lim) { +- if ((s = w - w_lim) == 0) +- break; +- } else if (!x) { +- s = (VNC_DIRTY_PIXELS_PER_BIT - +- (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- s = MIN(s, w_lim); +- } else { +- s = VNC_DIRTY_PIXELS_PER_BIT; +- } +- cmp_bytes = s * VNC_SERVER_FB_BYTES; +- if (memcmp(src_row, dst_row, cmp_bytes) == 0) +- continue; +- memmove(dst_row, src_row, cmp_bytes); +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT), +- vs->dirty[y]); +- } +- } +- } +- src_row += pitch - w * VNC_SERVER_FB_BYTES; +- dst_row += pitch - w * VNC_SERVER_FB_BYTES; +- y += inc; +- } +- +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h); +- } +- } +-} +- + static void vnc_mouse_set(DisplayChangeListener *dcl, + int x, int y, int visible) + { +@@ -2949,7 +2859,6 @@ static void vnc_listen_websocket_read(void *opaque) + static const DisplayChangeListenerOps dcl_ops = { + .dpy_name = "vnc", + .dpy_refresh = vnc_refresh, +- .dpy_gfx_copy = vnc_dpy_copy, + .dpy_gfx_update = vnc_dpy_update, + .dpy_gfx_switch = vnc_dpy_switch, + .dpy_mouse_set = vnc_mouse_set, +-- +2.1.4 + 
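Review bot: In cirrus_do_copy the qemu-xen hunk replaces `qemu_console_copy(...)` with `dpy_gfx_update(s->vga.con, dx, dy, ...)` but leaves the trailing comment `/* we don't have to notify the display that this portion has` as unchanged context; its continuation line is outside the hunk, and if it still says the notification is implied by qemu_console_copy (the traditional tree's copy of this comment did) it now names a function this patch removes and should read `changed since dpy_gfx_update implies this */`. Since `dpy_gfx_copy` is dropped from DisplayChangeListenerOps and `qemu_console_copy` from console.h, any other implementer or caller in this 4.5 qemu-xen (hw/display/vmware_vga.c is the usual suspect) needs to be grepped for or the build breaks; the hunk only touches cirrus, console and vnc. The start of cirrus_do_copy, including how `notify` is computed, lies outside the hunk.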
diff --git a/sysutils/xentools45/patches/patch-XSA-211-2 b/sysutils/xentools45/patches/patch-XSA-211-2 new file mode 100644 index 00000000000..7823cc9a3b0 --- /dev/null +++ b/sysutils/xentools45/patches/patch-XSA-211-2 
@@ -0,0 +1,230 @@ +$NetBSD: patch-XSA-211-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $ + +From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001 +From: Ian Jackson <ian.jackson@eu.citrix.com> +Date: Thu, 9 Mar 2017 11:14:55 +0000 +Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code. + +From: Gerd Hoffmann <kraxel@redhat.com> + +There is a special code path (dpy_gfx_copy) to allow graphic emulation +notify user interface code about bitblit operations carryed out by +guests. It is supported by cirrus and vnc server. The intended purpose +is to optimize display scrolls and just send over the scroll op instead +of a full display update. + +This is rarely used these days though because modern guests simply don't +use the cirrus blitter any more. Any linux guest using the cirrus drm +driver doesn't. Any windows guest newer than winxp doesn't ship with a +cirrus driver any more and thus uses the cirrus as simple framebuffer. + +So this code tends to bitrot and bugs can go unnoticed for a long time. +See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV" +which fixes a bug lingering in the code for almost a year, added by +commit "c7628bf vnc: only alloc server surface with clients connected". + +Also the vnc server will throttle the frame rate in case it figures the +network can't keep up (send buffers are full). This doesn't work with +dpy_gfx_copy, for any copy operation sent to the vnc client we have to +send all outstanding updates beforehand, otherwise the vnc client might +run the client side blit on outdated data and thereby corrupt the +display. So this dpy_gfx_copy "optimization" might even make things +worse on slow network links. + +Lets kill it once for all. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +These changes (dropping dpy_copy and all its references and +implementations) reimplemented for qemu-xen-traditional. + +This is XSA-211. 
+ +Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> + +Conflicts: + hw/cirrus_vga.c +--- + console.c | 8 -------- + console.h | 16 ---------------- + hw/cirrus_vga.c | 15 +++++---------- + hw/vmware_vga.c | 1 + + vnc.c | 35 ----------------------------------- + 5 files changed, 6 insertions(+), 69 deletions(-) + +diff --git a/console.c b/console.c +index 9984d6f..33c8bac 100644 +--- qemu-xen-traditional/console.c.orig ++++ qemu-xen-traditional/console.c +@@ -1398,14 +1398,6 @@ void qemu_console_resize(DisplayState *ds, int width, int height) + } + } + +-void qemu_console_copy(DisplayState *ds, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) +-{ +- if (is_graphic_console()) { +- dpy_copy(ds, src_x, src_y, dst_x, dst_y, w, h); +- } +-} +- + PixelFormat qemu_different_endianness_pixelformat(int bpp) + { + PixelFormat pf; +diff --git a/console.h b/console.h +index 14b42f3..8306cc4 100644 +--- qemu-xen-traditional/console.h.orig ++++ qemu-xen-traditional/console.h +@@ -98,8 +98,6 @@ struct DisplayChangeListener { + void (*dpy_resize)(struct DisplayState *s); + void (*dpy_setdata)(struct DisplayState *s); + void (*dpy_refresh)(struct DisplayState *s); +- void (*dpy_copy)(struct DisplayState *s, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + void (*dpy_fill)(struct DisplayState *s, int x, int y, + int w, int h, uint32_t c); + void (*dpy_text_cursor)(struct DisplayState *s, int x, int y); +@@ -211,18 +209,6 @@ static inline void dpy_refresh(DisplayState *s) + } + } + +-static inline void dpy_copy(struct DisplayState *s, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h) { +- struct DisplayChangeListener *dcl = s->listeners; +- while (dcl != NULL) { +- if (dcl->dpy_copy) +- dcl->dpy_copy(s, src_x, src_y, dst_x, dst_y, w, h); +- else /* TODO */ +- dcl->dpy_update(s, dst_x, dst_y, w, h); +- dcl = dcl->next; +- } +-} +- + static inline void dpy_fill(struct DisplayState *s, int x, int y, + int w, int h, uint32_t c) { + struct 
DisplayChangeListener *dcl = s->listeners; +@@ -297,8 +283,6 @@ void text_consoles_set_display(DisplayState *ds); + void console_select(unsigned int index); + void console_color_init(DisplayState *ds); + void qemu_console_resize(DisplayState *ds, int width, int height); +-void qemu_console_copy(DisplayState *ds, int src_x, int src_y, +- int dst_x, int dst_y, int w, int h); + + /* sdl.c */ + void sdl_display_init(DisplayState *ds, int full_screen, int no_frame, int opengl_enabled); +diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c +index d4bb462..3f941d1 100644 +--- qemu-xen-traditional/hw/cirrus_vga.c.orig ++++ qemu-xen-traditional/hw/cirrus_vga.c +@@ -793,11 +793,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + *s->cirrus_rop != cirrus_bitblt_rop_bkwd_src) + notify = 0; + +- /* we have to flush all pending changes so that the copy +- is generated at the appropriate moment in time */ +- if (notify) +- vga_hw_update(); +- + (*s->cirrus_rop) (s, s->vram_ptr + + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask), + s->vram_ptr + +@@ -806,13 +801,13 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + s->cirrus_blt_width, s->cirrus_blt_height); + + if (notify) +- qemu_console_copy(s->ds, +- sx, sy, dx, dy, +- s->cirrus_blt_width / depth, +- s->cirrus_blt_height); ++ dpy_update(s->ds, ++ dx, dy, ++ s->cirrus_blt_width / depth, ++ s->cirrus_blt_height); + + /* we don't have to notify the display that this portion has +- changed since qemu_console_copy implies this */ ++ changed since dpy_update implies this */ + + cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, + s->cirrus_blt_dstpitch, s->cirrus_blt_width, +diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c +index d1cba28..c38e43c 100644 +--- qemu-xen-traditional/hw/vmware_vga.c.orig ++++ qemu-xen-traditional/hw/vmware_vga.c +@@ -383,6 +383,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s, + + # ifdef DIRECT_VRAM + if (s->ds->dpy_copy) ++# error 
This configuration is not supported. See XSA-211. + qemu_console_copy(s->ds, x0, y0, x1, y1, w, h); + else + # endif +diff --git a/vnc.c b/vnc.c +index 61d1555..0e61197 100644 +--- qemu-xen-traditional/vnc.c.orig ++++ qemu-xen-traditional/vnc.c +@@ -572,36 +572,6 @@ static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h) + send_framebuffer_update_raw(vs, x, y, w, h); + } + +-static void vnc_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h) +-{ +- VncState *vs = ds->opaque; +- int updating_client = 1; +- +- if (!vs->update_requested || +- src_x < vs->visible_x || src_y < vs->visible_y || +- dst_x < vs->visible_x || dst_y < vs->visible_y || +- (src_x + w) > (vs->visible_x + vs->visible_w) || +- (src_y + h) > (vs->visible_y + vs->visible_h) || +- (dst_x + w) > (vs->visible_x + vs->visible_w) || +- (dst_y + h) > (vs->visible_y + vs->visible_h)) +- updating_client = 0; +- +- if (updating_client) +- _vnc_update_client(vs); +- +- if (updating_client && vs->csock != -1 && !vs->has_update) { +- vnc_write_u8(vs, 0); /* msg id */ +- vnc_write_u8(vs, 0); +- vnc_write_u16(vs, 1); /* number of rects */ +- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, 1); +- vnc_write_u16(vs, src_x); +- vnc_write_u16(vs, src_y); +- vnc_flush(vs); +- vs->update_requested--; +- } else +- framebuffer_set_updated(vs, dst_x, dst_y, w, h); +-} +- + static int find_update_height(VncState *vs, int y, int maxy, int last_x, int x) + { + int h; +@@ -1543,16 +1513,12 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) + vs->has_pointer_type_change = 0; + vs->has_WMVi = 0; + vs->absolute = -1; +- dcl->dpy_copy = NULL; + + for (i = n_encodings - 1; i >= 0; i--) { + switch (encodings[i]) { + case 0: /* Raw */ + vs->has_hextile = 0; + break; +- case 1: /* CopyRect */ +- dcl->dpy_copy = vnc_copy; +- break; + case 5: /* Hextile */ + vs->has_hextile = 1; + break; +@@ -2459,7 +2425,6 @@ static void vnc_listen_read(void *opaque) + 
vs->has_resize = 0; + vs->has_hextile = 0; + vs->update_requested = 0; +- dcl->dpy_copy = NULL; + vnc_timer_init(vs); + } + } +-- +2.1.4 + |
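Review bot: The vmware_vga.c change inserts `# error This configuration is not supported. See XSA-211.` between `if (s->ds->dpy_copy)` and the `qemu_console_copy(...)` call inside `# ifdef DIRECT_VRAM`, so the removed API stays referenced in source and only a DIRECT_VRAM build trips the error; since that branch cannot work any more, deleting the `if`/`qemu_console_copy`/`else` lines and leaving the `# ifdef`/`# endif` empty (or removing them) is the cleaner fix. Also, with `case 1: /* CopyRect */` removed from set_encodings, a client listing encoding 1 now reaches the default arm; confirm that arm is a no-op rather than a reject, as the tail of the switch is outside the hunk. vmsvga_copy_rect and set_encodings both extend past the hunk.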