authorbouyer <bouyer>2017-03-20 18:09:21 +0000
committerbouyer <bouyer>2017-03-20 18:09:21 +0000
commit8eed678678ea682d35ea35ff6570855bbc7dc0fc (patch)
treec8b7808c5a8affeceecded7174c5600d06b62f3e /sysutils
parent232e249e9e8faa4ab5e65749ad0edaed846a7265 (diff)
Apply upstream patches for security fixes XSA-208, XSA-209 and XSA-211.
Bump PKGREVISION
Diffstat (limited to 'sysutils')
-rw-r--r--sysutils/xentools45/Makefile4
-rw-r--r--sysutils/xentools45/distinfo8
-rw-r--r--sysutils/xentools45/patches/patch-XSA-208-155
-rw-r--r--sysutils/xentools45/patches/patch-XSA-208-258
-rw-r--r--sysutils/xentools45/patches/patch-XSA-209-1153
-rw-r--r--sysutils/xentools45/patches/patch-XSA-209-256
-rw-r--r--sysutils/xentools45/patches/patch-XSA-211-1262
-rw-r--r--sysutils/xentools45/patches/patch-XSA-211-2230
8 files changed, 823 insertions, 3 deletions
diff --git a/sysutils/xentools45/Makefile b/sysutils/xentools45/Makefile
index b13efe4d577..1f11b6b4610 100644
--- a/sysutils/xentools45/Makefile
+++ b/sysutils/xentools45/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2017/02/14 21:36:15 joerg Exp $
+# $NetBSD: Makefile,v 1.47 2017/03/20 18:09:21 bouyer Exp $
VERSION= 4.5.5
-PKGREVISION= 3
+PKGREVISION= 4
VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
DISTNAME= xen-${VERSION}
diff --git a/sysutils/xentools45/distinfo b/sysutils/xentools45/distinfo
index c77ad564d8f..d2f14580ed1 100644
--- a/sysutils/xentools45/distinfo
+++ b/sysutils/xentools45/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2016/12/20 10:22:29 bouyer Exp $
+$NetBSD: distinfo,v 1.30 2017/03/20 18:09:21 bouyer Exp $
SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
@@ -25,6 +25,12 @@ SHA1 (patch-XSA-197-1) = a481196957f8942253cb18e5eef089e491d02652
SHA1 (patch-XSA-197-2) = f5cf82cf04303f145e3cfea29c4104bc058dd043
SHA1 (patch-XSA-198) = 5a61b6b4af265ba0b90d5750166924daafe554d7
SHA1 (patch-XSA-199) = 481c740d36a5b8415275c4b1152bb7e2a45349a1
+SHA1 (patch-XSA-208-1) = a8eac4ac701626014b54480a5c7e382a43f892bb
+SHA1 (patch-XSA-208-2) = 148df8d7fd42f9f885e4381c1073c0a7b5c71816
+SHA1 (patch-XSA-209-1) = a7cfa5bbdb3df5d76b4caa39119c2745a6ecf321
+SHA1 (patch-XSA-209-2) = 6b90313758d1f5a33936d48fc0bcb7c3f3fb84c0
+SHA1 (patch-XSA-211-1) = 432d65327e1ebe3d3317ac5f42f3912bb23d08ca
+SHA1 (patch-XSA-211-2) = a92663c2c18290f5927780d3ed55aec497c58a8c
SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
SHA1 (patch-configure) = 97fa4274e425984d593cd93aea36edc681462b88
SHA1 (patch-console_daemon_utils.c) = 915078ce6155a367e3e597fa7ab551f6afac083f
diff --git a/sysutils/xentools45/patches/patch-XSA-208-1 b/sysutils/xentools45/patches/patch-XSA-208-1
new file mode 100644
index 00000000000..c1da0fe155b
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-208-1
@@ -0,0 +1,55 @@
+$NetBSD: patch-XSA-208-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
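Review bot: The `min < -1` bound in the new `if (min < -1 || addr >= s->vga.vram_size)` test is correct only because `min` is computed one byte below the lowest address the backward blit touches (each row covers `width` bytes running downward from its start, so the last byte is `addr + (height-1)*pitch - width + 1`), and nothing in the hunk says so; a later reader is likely to "fix" it back to `< 0`. I would add a comment above the test, e.g. `/* min is one below the lowest byte touched (each row spans width bytes downward), hence -1 */`. The upper bound also assumes the caller already masked `addr` with the address mask, which is outside this hunk (the 209-1 context shows `& s->cirrus_addr_mask` at the call sites), so it is sound only under that precondition. blit_region_is_unsafe starts above the hunk and its forward branch ends below it.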
diff --git a/sysutils/xentools45/patches/patch-XSA-208-2 b/sysutils/xentools45/patches/patch-XSA-208-2
new file mode 100644
index 00000000000..24f0cfc7ae7
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-208-2
@@ -0,0 +1,58 @@
+$NetBSD: patch-XSA-208-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- qemu-xen-traditional/hw/cirrus_vga.c.orig
++++ qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/sysutils/xentools45/patches/patch-XSA-209-1 b/sysutils/xentools45/patches/patch-XSA-209-1
new file mode 100644
index 00000000000..2bee92b83d1
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-209-1
@@ -0,0 +1,153 @@
+$NetBSD: patch-XSA-209-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ return false;
+ }
+
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
++ if (dst_only) {
++ return false;
++ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+
+ dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+ cirrus_fill_t rop_func;
+
+- if (blit_is_unsafe(s)) {
++ if (blit_is_unsafe(s, true)) {
+ return 0;
+ }
+ rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+--
+2.1.4
+
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s, true)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
+--
+2.1.4
+
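Review bot: The leading commit message of this new file (the `From 8f63265e…` / `Subject: cirrus: fix oob access issue (CVE-2017-2615)` block that ends at the stray `Cc: qemu-stable@nongnu.org` just before the second `From 52b7f43c…` line) is the XSA-208 text pasted by mistake and describes neither of the two patches the file actually carries; `patch` ignores it, but it misdirects anyone auditing which XSA this file fixes, so it should be dropped and only the two real headers kept. In `cirrus_bitblt_cputovideo`, the new `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` is a guest-reachable abort of the device model if the invariant ever fails, and the width check it relies on lives in `blit_is_unsafe` outside this hunk; an abort is the better outcome than the `cirrus_bltbuf` overflow the header describes, but failing closed with `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) return 0;` would avoid handing the guest a DoS of its qemu. The body of cirrus_bitblt_cputovideo continues outside the hunk.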
diff --git a/sysutils/xentools45/patches/patch-XSA-209-2 b/sysutils/xentools45/patches/patch-XSA-209-2
new file mode 100644
index 00000000000..fa269abe0ec
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-209-2
@@ -0,0 +1,56 @@
+$NetBSD: patch-XSA-209-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- qemu-xen-traditional/hw/cirrus_vga.c.orig
++++ qemu-xen-traditional/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
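Review bot: `blit_is_unsafe(s)` in this qemu-xen-traditional variant has no `dst_only` flag (the header says the extra parameter was removed to fix compilation), so if the traditional helper also validates `cirrus_blt_srcaddr`/`cirrus_blt_srcpitch` — its body is not visible here — it is checking source values a CPU-sourced blit never uses and that this very function overwrites a few lines later (`s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height` context). That fails closed and is therefore safe, but it can reject legitimate MEMSYSSRC blits from guests that leave stale source registers, which is exactly the regression the first patch in 209-1 fixes for qemu-xen with `dst_only`; at minimum a comment such as `/* no dst_only here: stale src regs may cause false (safe) rejections */` above the call, or a dst-only variant of the helper, is warranted. The added `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` likewise depends on a width check inside `blit_is_unsafe` that this hunk does not show; if the traditional helper lacks it the assert is a guest-triggerable abort, so that should be confirmed before relying on it. cirrus_bitblt_cputovideo continues outside the hunk.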
diff --git a/sysutils/xentools45/patches/patch-XSA-211-1 b/sysutils/xentools45/patches/patch-XSA-211-1
new file mode 100644
index 00000000000..d2771552e11
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-211-1
@@ -0,0 +1,262 @@
+$NetBSD: patch-XSA-211-1,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From c85f4df08b17f5808eda2b8afea1e4db7016cdc8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Feb 2017 19:09:59 +0100
+Subject: [PATCH] cirrus/vnc: zap bitblit support from console code.
+
+There is a special code path (dpy_gfx_copy) to allow graphic emulation
+notify user interface code about bitblit operations carryed out by
+guests. It is supported by cirrus and vnc server. The intended purpose
+is to optimize display scrolls and just send over the scroll op instead
+of a full display update.
+
+This is rarely used these days though because modern guests simply don't
+use the cirrus blitter any more. Any linux guest using the cirrus drm
+driver doesn't. Any windows guest newer than winxp doesn't ship with a
+cirrus driver any more and thus uses the cirrus as simple framebuffer.
+
+So this code tends to bitrot and bugs can go unnoticed for a long time.
+See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
+which fixes a bug lingering in the code for almost a year, added by
+commit "c7628bf vnc: only alloc server surface with clients connected".
+
+Also the vnc server will throttle the frame rate in case it figures the
+network can't keep up (send buffers are full). This doesn't work with
+dpy_gfx_copy, for any copy operation sent to the vnc client we have to
+send all outstanding updates beforehand, otherwise the vnc client might
+run the client side blit on outdated data and thereby corrupt the
+display. So this dpy_gfx_copy "optimization" might even make things
+worse on slow network links.
+
+Lets kill it once for all.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 12 ++-----
+ include/ui/console.h | 8 -----
+ ui/console.c | 28 ---------------
+ ui/vnc.c | 91 -------------------------------------------------
+ 4 files changed, 3 insertions(+), 136 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index d643a0d..2e38c86 100644
+--- qemu-xen/hw/display/cirrus_vga.c.orig
++++ qemu-xen/hw/display/cirrus_vga.c
+@@ -756,11 +756,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ }
+ }
+
+- /* we have to flush all pending changes so that the copy
+- is generated at the appropriate moment in time */
+- if (notify)
+- graphic_hw_update(s->vga.con);
+-
+ (*s->cirrus_rop) (s, s->vga.vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vga.vram_ptr +
+@@ -769,10 +764,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ s->cirrus_blt_width, s->cirrus_blt_height);
+
+ if (notify) {
+- qemu_console_copy(s->vga.con,
+- sx, sy, dx, dy,
+- s->cirrus_blt_width / depth,
+- s->cirrus_blt_height);
++ dpy_gfx_update(s->vga.con, dx, dy,
++ s->cirrus_blt_width / depth,
++ s->cirrus_blt_height);
+ }
+
+ /* we don't have to notify the display that this portion has
+diff --git a/include/ui/console.h b/include/ui/console.h
+index 22ef8ca..331c07a 100644
+--- qemu-xen/include/ui/console.h.orig
++++ qemu-xen/include/ui/console.h
+@@ -158,10 +158,6 @@ typedef struct DisplayChangeListenerOps {
+ int x, int y, int w, int h);
+ void (*dpy_gfx_switch)(DisplayChangeListener *dcl,
+ struct DisplaySurface *new_surface);
+- void (*dpy_gfx_copy)(DisplayChangeListener *dcl,
+- int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h);
+-
+ void (*dpy_text_cursor)(DisplayChangeListener *dcl,
+ int x, int y);
+ void (*dpy_text_resize)(DisplayChangeListener *dcl,
+@@ -223,8 +219,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info);
+ void dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h);
+ void dpy_gfx_replace_surface(QemuConsole *con,
+ DisplaySurface *surface);
+-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h);
+ void dpy_text_cursor(QemuConsole *con, int x, int y);
+ void dpy_text_update(QemuConsole *con, int x, int y, int w, int h);
+ void dpy_text_resize(QemuConsole *con, int w, int h);
+@@ -315,8 +309,6 @@ void text_consoles_set_display(DisplayState *ds);
+ void console_select(unsigned int index);
+ void console_color_init(DisplayState *ds);
+ void qemu_console_resize(QemuConsole *con, int width, int height);
+-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h);
+ DisplaySurface *qemu_console_surface(QemuConsole *con);
+ DisplayState *qemu_console_displaystate(QemuConsole *console);
+
+diff --git a/ui/console.c b/ui/console.c
+index 258af5d..cc1aa20 100644
+--- qemu-xen/ui/console.c.orig
++++ qemu-xen/ui/console.c
+@@ -1450,27 +1450,6 @@ static void dpy_refresh(DisplayState *s)
+ }
+ }
+
+-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h)
+-{
+- DisplayState *s = con->ds;
+- DisplayChangeListener *dcl;
+-
+- if (!qemu_console_is_visible(con)) {
+- return;
+- }
+- QLIST_FOREACH(dcl, &s->listeners, next) {
+- if (con != (dcl->con ? dcl->con : active_console)) {
+- continue;
+- }
+- if (dcl->ops->dpy_gfx_copy) {
+- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h);
+- } else { /* TODO */
+- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h);
+- }
+- }
+-}
+-
+ void dpy_text_cursor(QemuConsole *con, int x, int y)
+ {
+ DisplayState *s = con->ds;
+@@ -1968,13 +1947,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height)
+ dpy_gfx_replace_surface(s, surface);
+ }
+
+-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h)
+-{
+- assert(con->console_type == GRAPHIC_CONSOLE);
+- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h);
+-}
+-
+ DisplaySurface *qemu_console_surface(QemuConsole *console)
+ {
+ return console->surface;
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 76caa897..c3c2625 100644
+--- qemu-xen/ui/vnc.c.orig
++++ qemu-xen/ui/vnc.c
+@@ -733,96 +733,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ return n;
+ }
+
+-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+-{
+- /* send bitblit op to the vnc client */
+- vnc_lock_output(vs);
+- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
+- vnc_write_u8(vs, 0);
+- vnc_write_u16(vs, 1); /* number of rects */
+- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
+- vnc_write_u16(vs, src_x);
+- vnc_write_u16(vs, src_y);
+- vnc_unlock_output(vs);
+- vnc_flush(vs);
+-}
+-
+-static void vnc_dpy_copy(DisplayChangeListener *dcl,
+- int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h)
+-{
+- VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
+- VncState *vs, *vn;
+- uint8_t *src_row;
+- uint8_t *dst_row;
+- int i, x, y, pitch, inc, w_lim, s;
+- int cmp_bytes;
+-
+- vnc_refresh_server_surface(vd);
+- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
+- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+- vs->force_update = 1;
+- vnc_update_client(vs, 1, true);
+- /* vs might be free()ed here */
+- }
+- }
+-
+- /* do bitblit op on the local surface too */
+- pitch = vnc_server_fb_stride(vd);
+- src_row = vnc_server_fb_ptr(vd, src_x, src_y);
+- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
+- y = dst_y;
+- inc = 1;
+- if (dst_y > src_y) {
+- /* copy backwards */
+- src_row += pitch * (h-1);
+- dst_row += pitch * (h-1);
+- pitch = -pitch;
+- y = dst_y + h - 1;
+- inc = -1;
+- }
+- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+- if (w_lim < 0) {
+- w_lim = w;
+- } else {
+- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
+- }
+- for (i = 0; i < h; i++) {
+- for (x = 0; x <= w_lim;
+- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
+- if (x == w_lim) {
+- if ((s = w - w_lim) == 0)
+- break;
+- } else if (!x) {
+- s = (VNC_DIRTY_PIXELS_PER_BIT -
+- (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
+- s = MIN(s, w_lim);
+- } else {
+- s = VNC_DIRTY_PIXELS_PER_BIT;
+- }
+- cmp_bytes = s * VNC_SERVER_FB_BYTES;
+- if (memcmp(src_row, dst_row, cmp_bytes) == 0)
+- continue;
+- memmove(dst_row, src_row, cmp_bytes);
+- QTAILQ_FOREACH(vs, &vd->clients, next) {
+- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
+- vs->dirty[y]);
+- }
+- }
+- }
+- src_row += pitch - w * VNC_SERVER_FB_BYTES;
+- dst_row += pitch - w * VNC_SERVER_FB_BYTES;
+- y += inc;
+- }
+-
+- QTAILQ_FOREACH(vs, &vd->clients, next) {
+- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
+- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
+- }
+- }
+-}
+-
+ static void vnc_mouse_set(DisplayChangeListener *dcl,
+ int x, int y, int visible)
+ {
+@@ -2949,7 +2859,6 @@ static void vnc_listen_websocket_read(void *opaque)
+ static const DisplayChangeListenerOps dcl_ops = {
+ .dpy_name = "vnc",
+ .dpy_refresh = vnc_refresh,
+- .dpy_gfx_copy = vnc_dpy_copy,
+ .dpy_gfx_update = vnc_dpy_update,
+ .dpy_gfx_switch = vnc_dpy_switch,
+ .dpy_mouse_set = vnc_mouse_set,
+--
+2.1.4
+
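Review bot: The context line `/* we don't have to notify the display that this portion has` directly after the new `dpy_gfx_update(...)` call in `cirrus_do_copy` opens a comment that, judging by the identical spot in the qemu-xen-traditional patch, continues `changed since qemu_console_copy implies this`; this patch deletes `qemu_console_copy`, so the comment becomes a dangling reference, and the traditional variant rewrites it while this one does not. Change the continuation (the line after the hunk) to `changed since dpy_gfx_update implies this`. The remaining hunks are a pure removal of the COPYRECT/dpy_gfx_copy path and raise nothing on their own; cirrus_do_copy starts above the hunk and ends below it.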
diff --git a/sysutils/xentools45/patches/patch-XSA-211-2 b/sysutils/xentools45/patches/patch-XSA-211-2
new file mode 100644
index 00000000000..7823cc9a3b0
--- /dev/null
+++ b/sysutils/xentools45/patches/patch-XSA-211-2
@@ -0,0 +1,230 @@
+$NetBSD: patch-XSA-211-2,v 1.1 2017/03/20 18:09:21 bouyer Exp $
+
+From dc4eee43ac608337ae96a174e0a5c1278168bd56 Mon Sep 17 00:00:00 2001
+From: Ian Jackson <ian.jackson@eu.citrix.com>
+Date: Thu, 9 Mar 2017 11:14:55 +0000
+Subject: [PATCH] cirrus/vnc: zap drop bitblit support from console code.
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+There is a special code path (dpy_gfx_copy) to allow graphic emulation
+notify user interface code about bitblit operations carryed out by
+guests. It is supported by cirrus and vnc server. The intended purpose
+is to optimize display scrolls and just send over the scroll op instead
+of a full display update.
+
+This is rarely used these days though because modern guests simply don't
+use the cirrus blitter any more. Any linux guest using the cirrus drm
+driver doesn't. Any windows guest newer than winxp doesn't ship with a
+cirrus driver any more and thus uses the cirrus as simple framebuffer.
+
+So this code tends to bitrot and bugs can go unnoticed for a long time.
+See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
+which fixes a bug lingering in the code for almost a year, added by
+commit "c7628bf vnc: only alloc server surface with clients connected".
+
+Also the vnc server will throttle the frame rate in case it figures the
+network can't keep up (send buffers are full). This doesn't work with
+dpy_gfx_copy, for any copy operation sent to the vnc client we have to
+send all outstanding updates beforehand, otherwise the vnc client might
+run the client side blit on outdated data and thereby corrupt the
+display. So this dpy_gfx_copy "optimization" might even make things
+worse on slow network links.
+
+Lets kill it once for all.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+These changes (dropping dpy_copy and all its references and
+implementations) reimplemented for qemu-xen-traditional.
+
+This is XSA-211.
+
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+Conflicts:
+ hw/cirrus_vga.c
+---
+ console.c | 8 --------
+ console.h | 16 ----------------
+ hw/cirrus_vga.c | 15 +++++----------
+ hw/vmware_vga.c | 1 +
+ vnc.c | 35 -----------------------------------
+ 5 files changed, 6 insertions(+), 69 deletions(-)
+
+diff --git a/console.c b/console.c
+index 9984d6f..33c8bac 100644
+--- qemu-xen-traditional/console.c.orig
++++ qemu-xen-traditional/console.c
+@@ -1398,14 +1398,6 @@ void qemu_console_resize(DisplayState *ds, int width, int height)
+ }
+ }
+
+-void qemu_console_copy(DisplayState *ds, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h)
+-{
+- if (is_graphic_console()) {
+- dpy_copy(ds, src_x, src_y, dst_x, dst_y, w, h);
+- }
+-}
+-
+ PixelFormat qemu_different_endianness_pixelformat(int bpp)
+ {
+ PixelFormat pf;
+diff --git a/console.h b/console.h
+index 14b42f3..8306cc4 100644
+--- qemu-xen-traditional/console.h.orig
++++ qemu-xen-traditional/console.h
+@@ -98,8 +98,6 @@ struct DisplayChangeListener {
+ void (*dpy_resize)(struct DisplayState *s);
+ void (*dpy_setdata)(struct DisplayState *s);
+ void (*dpy_refresh)(struct DisplayState *s);
+- void (*dpy_copy)(struct DisplayState *s, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h);
+ void (*dpy_fill)(struct DisplayState *s, int x, int y,
+ int w, int h, uint32_t c);
+ void (*dpy_text_cursor)(struct DisplayState *s, int x, int y);
+@@ -211,18 +209,6 @@ static inline void dpy_refresh(DisplayState *s)
+ }
+ }
+
+-static inline void dpy_copy(struct DisplayState *s, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h) {
+- struct DisplayChangeListener *dcl = s->listeners;
+- while (dcl != NULL) {
+- if (dcl->dpy_copy)
+- dcl->dpy_copy(s, src_x, src_y, dst_x, dst_y, w, h);
+- else /* TODO */
+- dcl->dpy_update(s, dst_x, dst_y, w, h);
+- dcl = dcl->next;
+- }
+-}
+-
+ static inline void dpy_fill(struct DisplayState *s, int x, int y,
+ int w, int h, uint32_t c) {
+ struct DisplayChangeListener *dcl = s->listeners;
+@@ -297,8 +283,6 @@ void text_consoles_set_display(DisplayState *ds);
+ void console_select(unsigned int index);
+ void console_color_init(DisplayState *ds);
+ void qemu_console_resize(DisplayState *ds, int width, int height);
+-void qemu_console_copy(DisplayState *ds, int src_x, int src_y,
+- int dst_x, int dst_y, int w, int h);
+
+ /* sdl.c */
+ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame, int opengl_enabled);
+diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
+index d4bb462..3f941d1 100644
+--- qemu-xen-traditional/hw/cirrus_vga.c.orig
++++ qemu-xen-traditional/hw/cirrus_vga.c
+@@ -793,11 +793,6 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ *s->cirrus_rop != cirrus_bitblt_rop_bkwd_src)
+ notify = 0;
+
+- /* we have to flush all pending changes so that the copy
+- is generated at the appropriate moment in time */
+- if (notify)
+- vga_hw_update();
+-
+ (*s->cirrus_rop) (s, s->vram_ptr +
+ (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->vram_ptr +
+@@ -806,13 +801,13 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ s->cirrus_blt_width, s->cirrus_blt_height);
+
+ if (notify)
+- qemu_console_copy(s->ds,
+- sx, sy, dx, dy,
+- s->cirrus_blt_width / depth,
+- s->cirrus_blt_height);
++ dpy_update(s->ds,
++ dx, dy,
++ s->cirrus_blt_width / depth,
++ s->cirrus_blt_height);
+
+ /* we don't have to notify the display that this portion has
+- changed since qemu_console_copy implies this */
++ changed since dpy_update implies this */
+
+ cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+ s->cirrus_blt_dstpitch, s->cirrus_blt_width,
+diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
+index d1cba28..c38e43c 100644
+--- qemu-xen-traditional/hw/vmware_vga.c.orig
++++ qemu-xen-traditional/hw/vmware_vga.c
+@@ -383,6 +383,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+
+ # ifdef DIRECT_VRAM
+ if (s->ds->dpy_copy)
++# error This configuration is not supported. See XSA-211.
+ qemu_console_copy(s->ds, x0, y0, x1, y1, w, h);
+ else
+ # endif
+diff --git a/vnc.c b/vnc.c
+index 61d1555..0e61197 100644
+--- qemu-xen-traditional/vnc.c.orig
++++ qemu-xen-traditional/vnc.c
+@@ -572,36 +572,6 @@ static void send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ send_framebuffer_update_raw(vs, x, y, w, h);
+ }
+
+-static void vnc_copy(DisplayState *ds, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
+-{
+- VncState *vs = ds->opaque;
+- int updating_client = 1;
+-
+- if (!vs->update_requested ||
+- src_x < vs->visible_x || src_y < vs->visible_y ||
+- dst_x < vs->visible_x || dst_y < vs->visible_y ||
+- (src_x + w) > (vs->visible_x + vs->visible_w) ||
+- (src_y + h) > (vs->visible_y + vs->visible_h) ||
+- (dst_x + w) > (vs->visible_x + vs->visible_w) ||
+- (dst_y + h) > (vs->visible_y + vs->visible_h))
+- updating_client = 0;
+-
+- if (updating_client)
+- _vnc_update_client(vs);
+-
+- if (updating_client && vs->csock != -1 && !vs->has_update) {
+- vnc_write_u8(vs, 0); /* msg id */
+- vnc_write_u8(vs, 0);
+- vnc_write_u16(vs, 1); /* number of rects */
+- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, 1);
+- vnc_write_u16(vs, src_x);
+- vnc_write_u16(vs, src_y);
+- vnc_flush(vs);
+- vs->update_requested--;
+- } else
+- framebuffer_set_updated(vs, dst_x, dst_y, w, h);
+-}
+-
+ static int find_update_height(VncState *vs, int y, int maxy, int last_x, int x)
+ {
+ int h;
+@@ -1543,16 +1513,12 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
+ vs->has_pointer_type_change = 0;
+ vs->has_WMVi = 0;
+ vs->absolute = -1;
+- dcl->dpy_copy = NULL;
+
+ for (i = n_encodings - 1; i >= 0; i--) {
+ switch (encodings[i]) {
+ case 0: /* Raw */
+ vs->has_hextile = 0;
+ break;
+- case 1: /* CopyRect */
+- dcl->dpy_copy = vnc_copy;
+- break;
+ case 5: /* Hextile */
+ vs->has_hextile = 1;
+ break;
+@@ -2459,7 +2425,6 @@ static void vnc_listen_read(void *opaque)
+ vs->has_resize = 0;
+ vs->has_hextile = 0;
+ vs->update_requested = 0;
+- dcl->dpy_copy = NULL;
+ vnc_timer_init(vs);
+ }
+ }
+--
+2.1.4
+
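Review bot: In `hw/vmware_vga.c` the new `# error This configuration is not supported. See XSA-211.` is placed between `if (s->ds->dpy_copy)` and its `qemu_console_copy(s->ds, x0, y0, x1, y1, w, h);` statement, so a `DIRECT_VRAM` build stops preprocessing in the middle of a statement, and in every other build the dead `dpy_copy` test and the now-undeclared `qemu_console_copy` call survive as text that matches no remaining declaration. Move the `#error` to the line right after `# ifdef DIRECT_VRAM` and drop those two dead lines, which is what the cirrus side of this patch does. Whether `DIRECT_VRAM` is ever defined in the Xen build is not visible here; if it never is, this is a hygiene point only, but the stray reference will confuse the next person grepping for `qemu_console_copy`.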