From 57a93f16e8dad554720edcc5ed1fe613d68bf230 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 9 Nov 2021 15:45:04 +0100 Subject: [PATCH 1/9] configure: Symlink binaries using .exe suffix with MinGW MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using the MinGW toolchain, we use the .exe suffix for the executable name. We also need to use it for the symlinks in the build directory. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Stefan Weil Acked-by: Paolo Bonzini Message-Id: <20211109144504.1541206-1-philmd@redhat.com> Signed-off-by: Laurent Vivier --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 5fae19858d..28e1cf6291 100755 --- a/configure +++ b/configure @@ -3754,7 +3754,7 @@ fi for target in $target_list; do target_dir="$target" - target_name=$(echo $target | cut -d '-' -f 1) + target_name=$(echo $target | cut -d '-' -f 1)$EXESUF mkdir -p $target_dir case $target in *-user) symlink "../qemu-$target_name" "$target_dir/qemu-$target_name" ;; From dc7d6cafce8a7d36d2ebc03be3b6162e0eb98c22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 16 Nov 2021 20:39:55 +0100 Subject: [PATCH 2/9] target/i386/kvm: Replace use of __u32 type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit QEMU coding style mandates to not use Linux kernel internal types for scalars types. Replace __u32 by uint32_t. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Message-Id: <20211116193955.2793171-1-philmd@redhat.com> Signed-off-by: Laurent Vivier --- target/i386/kvm/kvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index 5a698bde19..13f8e30c2a 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c 
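Review bot: After the change `target_name` no longer holds the bare target name but an executable file name, which the variable name no longer conveys and which every later use of `$target_name` in the loop inherits. For readability keep `target_name` as the name and apply the suffix where the file name is built, e.g. `symlink "../qemu-$target_name$EXESUF" "$target_dir/qemu-$target_name$EXESUF"`, or introduce a second variable such as `target_exe="qemu-$target_name$EXESUF"`. Whether the rest of the `case` statement, which runs outside the hunk, uses `$target_name` for anything other than symlink paths cannot be seen here; if it does, the suffix leaks into those uses too. The unquoted `$target` and `$target_dir` expansions are pre-existing.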
@@ -1406,7 +1406,7 @@ static int hyperv_fill_cpuids(CPUState *cs, c->edx = cpu->hyperv_limits[2]; if (hyperv_feat_enabled(cpu, HYPERV_FEAT_EVMCS)) { - __u32 function; + uint32_t function; /* Create zeroed 0x40000006..0x40000009 leaves */ for (function = HV_CPUID_IMPLEMENT_LIMITS + 1; From 4455922f7bb8fef2f5aa0a4d3901041bcc4b659d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 17 Nov 2021 18:45:33 +0100 Subject: [PATCH 3/9] qemu-keymap: Add license in generated files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Warner Losh Message-Id: <20211117174533.1900570-1-philmd@redhat.com> Signed-off-by: Laurent Vivier --- qemu-keymap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/qemu-keymap.c b/qemu-keymap.c index 536e8f2385..4095b654a6 100644 --- a/qemu-keymap.c +++ b/qemu-keymap.c @@ -187,6 +187,7 @@ int main(int argc, char *argv[]) } fprintf(outfile, + "# SPDX-License-Identifier: GPL-2.0-or-later\n" "#\n" "# generated by qemu-keymap\n" "# model : %s\n" From 74fb2f4f4c47c966ab54687392e6561b4de4bb8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Sun, 5 Dec 2021 23:41:09 +0100 Subject: [PATCH 4/9] hw/avr: Realize AVRCPU qdev object using qdev_realize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TYPE_AVR_CPU inherits TYPE_CPU, which itself inherits TYPE_DEVICE. TYPE_DEVICE instances are realized using qdev_realize(), we don't need to access QOM internal values. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Michael Rolnik Message-Id: <20211205224109.322152-1-f4bug@amsat.org> Signed-off-by: Laurent Vivier --- hw/avr/atmega.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/avr/atmega.c b/hw/avr/atmega.c index 0608e2d475..a34803e642 100644 --- a/hw/avr/atmega.c +++ b/hw/avr/atmega.c 
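Review bot: The new SPDX line stamps every generated keymap file with `GPL-2.0-or-later`, but neither the hunk nor the commit message records why that is the correct license for output derived from the input keymap data rather than the license of the data itself. A one-line comment above the `fprintf` would capture the reasoning, e.g. `/* generated keymaps carry the license of qemu-keymap itself */` if that is indeed the basis. The `fprintf` return value stays unchecked, which is pre-existing. `main` starts and ends outside the hunk.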
@@ -233,7 +233,7 @@ static void atmega_realize(DeviceState *dev, Error **errp) /* CPU */ object_initialize_child(OBJECT(dev), "cpu", &s->cpu, mc->cpu_type); - object_property_set_bool(OBJECT(&s->cpu), "realized", true, &error_abort); + qdev_realize(DEVICE(&s->cpu), NULL, &error_abort); cpudev = DEVICE(&s->cpu); /* SRAM */ From f71d31fa811f15d40ab076b350c2067d30ac22b1 Mon Sep 17 00:00:00 2001 From: Leonardo Garcia Date: Tue, 23 Nov 2021 08:48:31 -0300 Subject: [PATCH 5/9] hw/virtio/vhost: Fix typo in comment. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Leonardo Garcia Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Message-Id: Signed-off-by: Laurent Vivier --- hw/virtio/vhost.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c index 437347ad01..20913cf8fb 100644 --- a/hw/virtio/vhost.c +++ b/hw/virtio/vhost.c @@ -313,7 +313,7 @@ static int vhost_dev_has_iommu(struct vhost_dev *dev) * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support * incremental memory mapping API via IOTLB API. For platform that * does not have IOMMU, there's no need to enable this feature - * which may cause unnecessary IOTLB miss/update trnasactions. + * which may cause unnecessary IOTLB miss/update transactions. */ return virtio_bus_device_iommu_enabled(vdev) && virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM); From 036ef344b6c51f651a3b5c6ca56868fa3e6554fe Mon Sep 17 00:00:00 2001 From: Zhang Chen Date: Mon, 18 Oct 2021 16:50:44 +0800 Subject: [PATCH 6/9] docs/block-replication.txt: Fix replication top-id command demo This demo not correct, the original childs1 can't pass the the bdrv_is_root_node check in replcation_start(). Keep consistent with docs/COLO-FT.txt Signed-off-by: Zhang Chen Reviewed-by: Laurent Vivier Message-Id: <20211018085044.2788276-1-chen.zhang@intel.com> 
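Review bot: `cpudev = DEVICE(&s->cpu);` on the line right after the new call recomputes the value that `qdev_realize(DEVICE(&s->cpu), ...)` just computed; assigning `cpudev` first and realizing through it reads more directly and keeps one cast: `cpudev = DEVICE(&s->cpu);` followed by `qdev_realize(cpudev, NULL, &error_abort);`. The bool that `qdev_realize()` returns is dropped, which is acceptable here only because `&error_abort` aborts on failure before returning; a one-line comment saying so would keep a future change to a real `errp` from silently ignoring the result. `atmega_realize` starts and ends outside the hunk.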
Signed-off-by: Laurent Vivier --- docs/block-replication.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/block-replication.txt b/docs/block-replication.txt index b0f23761c6..e1b28a6cc1 100644 --- a/docs/block-replication.txt +++ b/docs/block-replication.txt @@ -179,7 +179,7 @@ Primary: Secondary: -drive if=none,driver=raw,file.filename=1.raw,id=colo1 \ - -drive if=none,id=childs1,driver=replication,mode=secondary,top-id=childs1 + -drive if=none,id=childs1,driver=replication,mode=secondary,top-id=top-disk1 file.file.filename=active_disk.qcow2,\ file.driver=qcow2,\ file.backing.file.filename=hidden_disk.qcow2,\ From 2c674fada72079583a3f2cc1790b16a0259c4fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 3 Sep 2021 19:44:44 +0200 Subject: [PATCH 7/9] glib-compat: Introduce g_memdup2() wrapper MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When experimenting raising GLIB_VERSION_MIN_REQUIRED to 2.68 (Fedora 34 provides GLib 2.68.1) we get: hw/virtio/virtio-crypto.c:245:24: error: 'g_memdup' is deprecated: Use 'g_memdup2' instead [-Werror,-Wdeprecated-declarations] ... g_memdup() has been updated by g_memdup2() to fix eventual security issues (size argument is 32-bit and could be truncated / wrapping). GLib recommends to copy their static inline version of g_memdup2(): https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 Our glib-compat.h provides a comment explaining how to deal with these deprecated declarations (see commit e71e8cc0355 "glib: enforce the minimum required version and warn about old APIs"). Following this comment suggestion, implement the g_memdup2_qemu() wrapper to g_memdup2(), and use the safer equivalent inlined when we are using pre-2.68 GLib. Reported-by: Eric Blake Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Eric Blake Message-Id: <20210903174510.751630-3-philmd@redhat.com> 
Signed-off-by: Laurent Vivier --- include/glib-compat.h | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/include/glib-compat.h b/include/glib-compat.h index 9e95c888f5..8d01a8c01f 100644 --- a/include/glib-compat.h +++ b/include/glib-compat.h @@ -68,6 +68,43 @@ * without generating warnings. */ +/* + * g_memdup2_qemu: + * @mem: (nullable): the memory to copy. + * @byte_size: the number of bytes to copy. + * + * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it + * from @mem. If @mem is %NULL it returns %NULL. + * + * This replaces g_memdup(), which was prone to integer overflows when + * converting the argument from a #gsize to a #guint. + * + * This static inline version is a backport of the new public API from + * GLib 2.68, kept internal to GLib for backport to older stable releases. + * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. + * + * Returns: (nullable): a pointer to the newly-allocated copy of the memory, + * or %NULL if @mem is %NULL. + */ +static inline gpointer g_memdup2_qemu(gconstpointer mem, gsize byte_size) +{ +#if GLIB_CHECK_VERSION(2, 68, 0) + return g_memdup2(mem, byte_size); +#else + gpointer new_mem; + + if (mem && byte_size != 0) { + new_mem = g_malloc(byte_size); + memcpy(new_mem, mem, byte_size); + } else { + new_mem = NULL; + } + + return new_mem; +#endif +} +#define g_memdup2(m, s) g_memdup2_qemu(m, s) + #if defined(G_OS_UNIX) /* * Note: The fallback implementation is not MT-safe, and it returns a copy of From 460056dbe6b2df363de6d8c2a9c9ba862653d6bb Mon Sep 17 00:00:00 2001 
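Review bot: The `#define g_memdup2(m, s) g_memdup2_qemu(m, s)` is correct only because it sits after the function body: the `return g_memdup2(mem, byte_size);` inside `g_memdup2_qemu()` must resolve to GLib's own symbol, and moving the define above the function would turn that call into unbounded recursion. A comment above the define would guard that ordering, e.g. `/* Must stay below g_memdup2_qemu(): its body calls the real GLib g_memdup2() */`. The doc block states the function returns %NULL only when @mem is %NULL, but the fallback also returns %NULL when `byte_size == 0` (matching GLib's own implementation), so the Returns line should read `or %NULL if @mem is %NULL or @byte_size is 0` so callers do not treat a non-NULL input as a guarantee of a non-NULL result. The fallback relies on `memcpy`, so `<string.h>` must be in scope; whether this header already includes it directly or via glib.h is outside the hunk.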
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 3 Sep 2021 19:45:06 +0200 Subject: [PATCH 8/9] tests/qtest: Replace g_memdup() by g_memdup2() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2() wrapper. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20210903174510.751630-25-philmd@redhat.com> Signed-off-by: Laurent Vivier --- tests/qtest/libqos/ahci.c | 6 +++--- tests/qtest/libqos/qgraph.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/qtest/libqos/ahci.c b/tests/qtest/libqos/ahci.c index fba3e7a954..eaa2096512 100644 --- a/tests/qtest/libqos/ahci.c +++ b/tests/qtest/libqos/ahci.c @@ -639,8 +639,8 @@ void ahci_exec(AHCIQState *ahci, uint8_t port, AHCIOpts *opts; uint64_t buffer_in; - opts = g_memdup((opts_in == NULL ? &default_opts : opts_in), - sizeof(AHCIOpts)); + opts = g_memdup2((opts_in == NULL ? &default_opts : opts_in), + sizeof(AHCIOpts)); buffer_in = opts->buffer; @@ -860,7 +860,7 @@ AHCICommand *ahci_command_create(uint8_t command_name) g_assert(!props->ncq || props->lba48); /* Defaults and book-keeping */ - cmd->props = g_memdup(props, sizeof(AHCICommandProp)); + cmd->props = g_memdup2(props, sizeof(AHCICommandProp)); cmd->name = command_name; cmd->xbytes = props->size; cmd->prd_size = 4096; 
diff --git a/tests/qtest/libqos/qgraph.c b/tests/qtest/libqos/qgraph.c index d1dc491930..109ff04e1e 100644 --- a/tests/qtest/libqos/qgraph.c +++ b/tests/qtest/libqos/qgraph.c @@ -93,7 +93,7 @@ static void add_edge(const char *source, const char *dest, edge->type = type; edge->dest = g_strdup(dest); edge->edge_name = g_strdup(opts->edge_name ?: dest); - edge->arg = g_memdup(opts->arg, opts->size_arg); + edge->arg = g_memdup2(opts->arg, opts->size_arg); edge->before_cmd_line = opts->before_cmd_line ? g_strconcat(" ", opts->before_cmd_line, NULL) : NULL; From ce2ff9cccf0c5f123f9d1e3d5e4fc07d1c2c159d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 3 Sep 2021 19:45:10 +0200 Subject: [PATCH 9/9] checkpatch: Do not allow deprecated g_memdup() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit g_memdup() is insecure and as been deprecated in GLib 2.68. QEMU provides the safely equivalent g_memdup2() wrapper. Do not allow more g_memdup() calls in the repository, provide a hint to use g_memdup2(). Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Eric Blake Message-Id: <20210903174510.751630-29-philmd@redhat.com> Signed-off-by: Laurent Vivier --- scripts/checkpatch.pl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index cb8eff233e..5caa739db4 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -2850,6 +2850,11 @@ sub process { WARN("consider using g_path_get_$1() in preference to g_strdup($1())\n" . $herecurr); } +# enforce g_memdup2() over g_memdup() + if ($line =~ /\bg_memdup\s*\(/) { + ERROR("use g_memdup2() instead of unsafe g_memdup()\n" . $herecurr); + } + # recommend qemu_strto* over strto* for numeric conversions if ($line =~ /\b(strto[^kd].*?)\s*\(/) { ERROR("consider using qemu_$1 in preference to $1\n" . $herecurr);
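Review bot: The pattern `/\bg_memdup\s*\(/` also matches prose such as `g_memdup()` inside comments and doc blocks — the glib-compat.h doc comment earlier in this series contains exactly that text — so unless `$line` is the sanitised form with comment bodies blanked out, the check will reject patches that merely mention the old API. If comments are not sanitised, exclude comment lines, e.g. `if ($line =~ /\bg_memdup\s*\(/ && $line !~ /^\+\s*(\*|\/\*|\/\/)/)`, or confirm that the existing sanitising pass already covers this. The `\b` anchor correctly leaves `g_memdup2(` and `g_memdup2_qemu(` unmatched, since neither has `(` directly after `g_memdup`. `process` starts and ends outside the hunk.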