~ubuntu-virt/qemu/+git/qemu-lp-import:stable-2.3

Last commit made on 2015-08-10
Get this branch:
git clone -b stable-2.3 https://git.launchpad.net/~ubuntu-virt/qemu/+git/qemu-lp-import

Branch information

Name:
stable-2.3
Repository:
lp:~ubuntu-virt/qemu/+git/qemu-lp-import

Recent commits

dfa83a6... by Michael Roth

Update version for 2.3.1 release

35a616e... by Paolo Bonzini <email address hidden>

qemu-char: handle EINTR for TCP character devices

Signed-off-by: Paolo Bonzini <email address hidden>
(cherry picked from commit 9172f428afc1461b1d9b33ebca3a679b9adf7c3a)
Signed-off-by: Michael Roth <email address hidden>

35c30d3... by Stefan Hajnoczi <email address hidden>

rtl8139: check TCP Data Offset field (CVE-2015-5165)

The TCP Data Offset field contains the length of the header. Make sure
it is valid and does not exceed the IP data length.

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310)
Signed-off-by: Michael Roth <email address hidden>

f4c861f... by Stefan Hajnoczi <email address hidden>

rtl8139: skip offload on short TCP header (CVE-2015-5165)

TCP Large Segment Offload accesses the TCP header in the packet. If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f)
Signed-off-by: Michael Roth <email address hidden>

b7a197c... by Stefan Hajnoczi <email address hidden>

rtl8139: check IP Total Length field (CVE-2015-5165)

The IP Total Length field includes the IP header and data. Make sure it
is valid and does not exceed the Ethernet payload size.

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17)
Signed-off-by: Michael Roth <email address hidden>

8561109... by Stefan Hajnoczi <email address hidden>

rtl8139: check IP Header Length field (CVE-2015-5165)

The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76)
Signed-off-by: Michael Roth <email address hidden>

ce4f451... by Stefan Hajnoczi <email address hidden>

rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)

Transmit offload features access Ethernet and IP headers in the packet. If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd)
Signed-off-by: Michael Roth <email address hidden>

6722c12... by Stefan Hajnoczi <email address hidden>

rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)

The previous patch stopped using the ip pointer as an indicator that the
IP header is present. When we reach the if (ip) {...} statement we know
ip is always non-NULL.

Remove the if statement to reduce nesting.

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847)
Signed-off-by: Michael Roth <email address hidden>

8dd45dc... by Stefan Hajnoczi <email address hidden>

rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

Transmit offload needs to parse packet headers. If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation. The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: 朱东海(启路) <email address hidden>
Reviewed-by: Jason Wang <email address hidden>
Signed-off-by: Stefan Hajnoczi <email address hidden>
(cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5)
Signed-off-by: Michael Roth <email address hidden>
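The rtl8139 commits above describe one validation chain: make sure the frame actually contains an Ethernet and IPv4 header before reading any field, check the IP Header Length, check the IP Total Length against the bytes present, refuse to read the TCP header from a truncated packet, and finally check the TCP Data Offset against the IP data length, with a single skip label instead of nested ifs. The following is an added example written for this page, not QEMU's rtl8139 code: the function and struct names (tx_offload_headers_ok, tx_hdrs, build_frame, check_frame) are assumptions, and the frames it validates are constructed test inputs.

```c
/* Added example (not QEMU code): transmit-offload header validation
 * in the order the CVE-2015-5165 series describes. Names are assumed;
 * frames built by build_frame() are constructed inputs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define IP_HDR_MIN    20
#define IP_PROTO_TCP  6
#define TCP_HDR_MIN   20

struct tx_hdrs {
    size_t ip_hlen;      /* IP header length in bytes (IHL * 4) */
    size_t ip_data_len;  /* Total Length minus IP header length */
    int    is_tcp;
    size_t tcp_hlen;     /* TCP header length (Data Offset * 4), if is_tcp */
};

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 1 when every header field the offload path would read lies
 * inside the frame, 0 when offload must be skipped. Every check that
 * fails jumps to one skip label rather than adding another nesting level. */
int tx_offload_headers_ok(const uint8_t *frame, size_t len, struct tx_hdrs *out)
{
    struct tx_hdrs h;
    const uint8_t *ip;
    size_t eth_payload_len;
    uint16_t tot_len;

    memset(&h, 0, sizeof(h));

    /* Short Ethernet/IP header: nothing may be read until both fit. */
    if (len < ETH_HLEN + IP_HDR_MIN) goto skip;
    if (rd_be16(frame + 12) != ETH_P_IP) goto skip;

    ip = frame + ETH_HLEN;
    eth_payload_len = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4) goto skip;

    /* IP Header Length: at least 20 bytes and within the payload. */
    h.ip_hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (h.ip_hlen < IP_HDR_MIN || h.ip_hlen > eth_payload_len) goto skip;

    /* IP Total Length: covers header + data, must cover the header
       and must not exceed the bytes actually present. */
    tot_len = rd_be16(ip + 2);
    if (tot_len < h.ip_hlen || tot_len > eth_payload_len) goto skip;
    h.ip_data_len = tot_len - h.ip_hlen;

    if (ip[9] == IP_PROTO_TCP) {
        const uint8_t *tcp = ip + h.ip_hlen;
        /* Short TCP header: do not read Data Offset from a truncated header. */
        if (h.ip_data_len < TCP_HDR_MIN) goto skip;
        h.tcp_hlen = (size_t)(tcp[12] >> 4) * 4;
        /* TCP Data Offset: at least 20 bytes, within the IP data. */
        if (h.tcp_hlen < TCP_HDR_MIN || h.tcp_hlen > h.ip_data_len) goto skip;
        h.is_tcp = 1;
    }

    if (out) *out = h;
    return 1;

skip:
    return 0;
}

/* Constructed Ethernet/IPv4/TCP frame of `len` bytes with the given IHL
   (32-bit words), IP Total Length and TCP Data Offset (32-bit words).
   Writes are bounds-checked so deliberately short frames stay short. */
#define PUT(i, v) do { if ((size_t)(i) < len) buf[(i)] = (uint8_t)(v); } while (0)
void build_frame(uint8_t *buf, size_t len, unsigned ihl, uint16_t tot_len, unsigned doff)
{
    memset(buf, 0, len);
    PUT(12, 0x08); PUT(13, 0x00);          /* EtherType IPv4 */
    PUT(14, 0x40 | (ihl & 0x0f));          /* version 4, IHL */
    PUT(16, tot_len >> 8); PUT(17, tot_len);
    PUT(23, IP_PROTO_TCP);                 /* protocol */
    PUT(14 + ihl * 4 + 12, (doff & 0x0f) << 4); /* TCP Data Offset */
}

/* Build a frame and validate it: -1 if offload must be skipped,
   otherwise the parsed TCP header length in bytes. */
int check_frame(size_t len, unsigned ihl, uint16_t tot_len, unsigned doff)
{
    uint8_t buf[256];
    struct tx_hdrs h;
    if (len > sizeof(buf)) return -1;
    build_frame(buf, len, ihl, tot_len, doff);
    return tx_offload_headers_ok(buf, len, &h) ? (int)h.tcp_hlen : -1;
}
```

Each rejected case corresponds to one commit in the series: a frame shorter than 34 bytes, an IHL larger than the payload, a Total Length larger than the payload, an IP data length below 20 bytes, and a Data Offset outside the IP data. The checks are ordered so that no field is read until the check guarding it has passed.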

e750591... by Aurelien Jarno <email address hidden>

tcg/mips: fix add2

The add2 code in the tcg_out_addsub2 function doesn't take into account
the case where rl == al == bl. In that case we can't compute the carry
after the addition. As it corresponds to a multiplication by 2, the
carry bit is the bit 31.

While this is a corner case, this prevents x86-64 guests from booting on a
MIPS host.

Cc: <email address hidden>
Reviewed-by: Richard Henderson <email address hidden>
Signed-off-by: Aurelien Jarno <email address hidden>
(cherry picked from commit c99d69694af4ed15b33e3f7c2e3ef6972c14358d)
Signed-off-by: Michael Roth <email address hidden>