# also update debian/changelog
KVMVER=2.9.1
-KVMPKGREL=2
+KVMPKGREL=3
KVMPACKAGE = pve-qemu-kvm
KVMSRC = qemu
+pve-qemu-kvm (2.9.1-3) stable; urgency=medium
+
+ * fix CVE-2017-15119: reject large nbd option requests
+
+ * fix CVE-2017-13672: vga: handle cirrus vbe mode wraparounds
+
+ * fix CVE-2017-15268: websocket issue with slow VNC clients
+
+ * fix CVE-2017-15289: cirrus: OOB access issue in mode4and5 write functions
+
+ * fix CVE-2017-15038: 9p: virtfs: information disclosure when reading
+ extended attributes
+
+ * various other vga stable fixes
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 29 Nov 2017 09:56:39 +0100
+
pve-qemu-kvm (2.9.1-2) stable; urgency=medium
* fix #1107: fix an issue where virtio devices would error on valid commands
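Review bot: the changelog attributes CVE-2017-15289 to the cirrus mode4and5 fix and CVE-2017-15038 to the 9pfs xattr fix, but the corresponding patch files 0023 and 0022 below carry no CVE reference in their subject, body or tags (only 0015, 0018 and 0021 name theirs). Adding a `Fixes: CVE-2017-15289` / `Fixes: CVE-2017-15038` line to those two patches, the way 0018 carries `Fixes: CVE-2017-13672`, keeps the changelog-to-patch mapping traceable when the series is audited later.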
-From b143eba39dd462833093ee1c9660bb157e72ce54 Mon Sep 17 00:00:00 2001
+From c2835302a557437ef22944902da17686247edd35 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 4 Jul 2016 15:02:26 +0200
-Subject: [PATCH 01/13] Revert "target-i386: disable LINT0 after reset"
+Subject: [PATCH 01/23] Revert "target-i386: disable LINT0 after reset"
This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
---
-From aec6bba73f7d7692de2c4196ee80e4d753b45604 Mon Sep 17 00:00:00 2001
+From 7ea086a97a09774c9ac8f0df236a0acb01dfc1ef Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Fri, 2 Jun 2017 10:54:24 +0100
-Subject: [PATCH 02/13] virtio-serial: fix segfault on disconnect
+Subject: [PATCH 02/23] virtio-serial: fix segfault on disconnect
Since commit d4c19cdeeb2f1e474bc426a6da261f1d7346eb5b ("virtio-serial:
add missing virtio_detach_element() call") the following commands may
-From 3884a6e250302f5f3d002ed03c20fb9678ea85e7 Mon Sep 17 00:00:00 2001
+From 8a6382046bb0a71f1deb7b7ca3954662353f3f65 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 1 Jun 2017 17:26:14 +0200
-Subject: [PATCH 03/13] megasas: always store SCSIRequest* into MegasasCmd
+Subject: [PATCH 03/23] megasas: always store SCSIRequest* into MegasasCmd
This ensures that the request is unref'ed properly, and avoids a
segmentation fault in the new qtest testcase that is added.
-From 918e23903f5712274830bb20e2d5603bf5794af7 Mon Sep 17 00:00:00 2001
+From 76d3fb511849efb8bcd8690cd008a46408fac6dd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 17 Jul 2017 17:33:26 +0530
-Subject: [PATCH 04/13] slirp: check len against dhcp options array end
+Subject: [PATCH 04/23] slirp: check len against dhcp options array end
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
-From f635d03bc56b8d56589f8f962f893de1e8126c06 Mon Sep 17 00:00:00 2001
+From 1c0ba3702859ca6affc1a3f9cad3d35ccc4773ed Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 9 Aug 2017 17:02:11 +0100
-Subject: [PATCH 05/13] IDE: Do not flush empty CDROM drives
+Subject: [PATCH 05/23] IDE: Do not flush empty CDROM drives
The block backend changed in a way that flushing empty CDROM drives now
crashes. Amend IDE to avoid doing so until the root problem can be
-From 9d6486413e60b1d973f7ec2ac006fc9b8e210ddd Mon Sep 17 00:00:00 2001
+From 14a318bd04ab27f0f8f5dbe5aba53a817f85e016 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:24 +0200
-Subject: [PATCH 06/13] bitmap: add bitmap_copy_and_clear_atomic
+Subject: [PATCH 06/23] bitmap: add bitmap_copy_and_clear_atomic
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170421091632.30900-2-kraxel@redhat.com
-From a89da93a2d3ffd3ba9516da89ecfbb0dd5fd51ad Mon Sep 17 00:00:00 2001
+From 2628973e5f8a50f3b308395fa8a33b8f4fdc9024 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:25 +0200
-Subject: [PATCH 07/13] memory: add support getting and using a dirty bitmap
+Subject: [PATCH 07/23] memory: add support getting and using a dirty bitmap
copy.
This patch adds support for getting and using a local copy of the dirty
-From cef8fb2b8ea711b6686032f86b1caf1815786aaa Mon Sep 17 00:00:00 2001
+From 248536e4a93b254fc38aa369f76e828c9ce9b45e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:26 +0200
-Subject: [PATCH 08/13] vga: add vga_scanline_invalidated helper
+Subject: [PATCH 08/23] vga: add vga_scanline_invalidated helper
Add vga_scanline_invalidated helper to check whenever a scanline was
invalidated. Add a sanity check to fix OOB read access for display
-From f7f03687246e62d8efed10ee5ce8c571fc3debc4 Mon Sep 17 00:00:00 2001
+From 54b1106d9a24dadae42c4f4c25b4fa2560183f5b Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 21 Apr 2017 11:16:27 +0200
-Subject: [PATCH 09/13] vga: make display updates thread safe.
+Subject: [PATCH 09/23] vga: make display updates thread safe.
The vga code clears the dirty bits *after* reading the framebuffer
memory. So if the guest framebuffer updates hits the race window
-From 616f285a074869fd79bc26509a0bd50e6e04e39d Mon Sep 17 00:00:00 2001
+From acd029e2a9b9ea93997fcb19c6cd71d6dd6c9cb6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 May 2017 12:48:39 +0200
-Subject: [PATCH 10/13] vga: fix display update region calculation
+Subject: [PATCH 10/23] vga: fix display update region calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
-From c93a020a1c6a37398d124f063af23d6acb3eb5cb Mon Sep 17 00:00:00 2001
+From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:38 +0200
-Subject: [PATCH 11/13] vga: fix display update region calculation (split
+Subject: [PATCH 11/23] vga: fix display update region calculation (split
screen)
vga display update mis-calculated the region for the dirty bitmap
-From 15c2b7e06a85dd78c7d45b3703639735eee09c01 Mon Sep 17 00:00:00 2001
+From 51b08381408f248b1149c0177a90f61f703b8432 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:39 +0200
-Subject: [PATCH 12/13] vga: stop passing pointers to vga_draw_line* functions
+Subject: [PATCH 12/23] vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
-From fff4299fb7be857e93ff5c6ea0f871c62d159c1d Mon Sep 17 00:00:00 2001
+From 158e47c5a3ebe4b67d35b7c1e8fecad258e735db Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Sep 2017 12:02:56 +0530
-Subject: [PATCH 13/13] multiboot: validate multiboot header address values
+Subject: [PATCH 13/23] multiboot: validate multiboot header address values
While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load
-From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001
+From 5cd576814744853a855ab64400e2d8d9c0b7bb0e Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 19 Sep 2017 14:20:28 +0200
-Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop
+Date: Wed, 20 Sep 2017 08:09:33 +0200
+Subject: [PATCH 14/23] virtio: fix descriptor counting in virtqueue_pop
While changing the s/g list allocation, commit 3b3b0628
also changed the descriptor counting to count iovec entries
Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/
Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements")
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
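Review bot: the 0014 header is replaced wholesale (new hash, new date, and added Reviewed-by/Signed-off-by from Michael S. Tsirkin), which reads as swapping the local fix for the upstream-merged version of the same commit; the diffstat `hw/virtio/virtio.c | 6 +++---` is unchanged context, but the body of the patch is not part of this hunk, so confirm the code change itself is identical and mention the swap in the changelog rather than folding it silently into the renumbering.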
--- /dev/null
+From 93b7498c9e8adcd51c70f8df88b9228658b43595 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 29 Nov 2017 09:39:55 +0100
+Subject: [PATCH 15/23] nbd/server: CVE-2017-15119 Reject options larger than
+ 32M
+
+Backported-from: fdad35ef6c58
+---
+ nbd/server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index a98bb21a0a..4d6da8ac06 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
+ }
+ length = be32_to_cpu(length);
+
++ if (length > NBD_MAX_BUFFER_SIZE) {
++ LOG("len (%" PRIu32" ) is larger than max len (%u)",
++ length, NBD_MAX_BUFFER_SIZE);
++ return -EINVAL;
++ }
++
+ TRACE("Checking option 0x%" PRIx32, clientflags);
+ if (client->tlscreds &&
+ client->ioc == (QIOChannel *)client->sioc) {
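Review bot: the subject says "larger than 32M" but the code compares against `NBD_MAX_BUFFER_SIZE`, whose value is not shown in the hunk; state the macro (or its value) in the commit message so the two cannot drift apart in a later rebase. The check itself is placed correctly, immediately after `length = be32_to_cpu(length)` and before any option payload is consumed, and no NBD reply is sent before the `return -EINVAL`, so an oversized option request is logged once and negotiation is aborted, which is the safer outcome for a length that cannot be legitimate. Minor: the `LOG` format `"len (%" PRIu32" ) is larger..."` has the space on the wrong side of the closing parenthesis and prints `len (N )`, and a `Fixes: CVE-2017-15119` tag next to `Backported-from: fdad35ef6c58` would make the CVE greppable beyond the subject line.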
+--
+2.11.0
+
--- /dev/null
+From 8b2be8e3f9c1ca9f78b1c87ead13f54fbd98198a Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Fri, 4 Aug 2017 12:33:29 +0100
+Subject: [PATCH 16/23] vga/migration: Update memory map in post_load
+
+After migration the chain4 alias mapping added by 80763888 (in 2011)
+might be missing, since there's no call to vga_update_memory_access
+in the post_load after the registers are updated. Add it back.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Message-id: 20170804113329.13609-1-dgilbert@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vga.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 13e4a5d55d..a99d831e04 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -2050,6 +2050,7 @@ static int vga_common_post_load(void *opaque, int version_id)
+ /* force refresh */
+ s->graphic_mode = -1;
+ vbe_update_vgaregs(s);
++ vga_update_memory_access(s);
+ return 0;
+ }
+
+--
+2.11.0
+
--- /dev/null
+From 3a1728b97f64e3ed4efc827bce7ff917ea5b6dd1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:21 +0200
+Subject: [PATCH 17/23] vga: drop line_offset variable
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index a99d831e04..77af807a51 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1464,7 +1464,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ {
+ DisplaySurface *surface = qemu_console_surface(s->con);
+ int y1, y, update, linesize, y_start, double_scan, mask, depth;
+- int width, height, shift_control, line_offset, bwidth, bits;
++ int width, height, shift_control, bwidth, bits;
+ ram_addr_t page0, page1;
+ DirtyBitmapSnapshot *snap = NULL;
+ int disp_width, multi_scan, multi_run;
+@@ -1614,7 +1614,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ s->cursor_invalidate(s);
+ }
+
+- line_offset = s->line_offset;
+ #if 0
+ printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
+ width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
+@@ -1629,7 +1628,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+
+ if (!full_update) {
+ ram_addr_t region_start = addr1;
+- ram_addr_t region_end = addr1 + line_offset * height;
++ ram_addr_t region_end = addr1 + s->line_offset * height;
+ vga_sync_dirty_bitmap(s);
+ if (s->line_compare < height) {
+ /* split screen mode */
+@@ -1681,7 +1680,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ if (!multi_run) {
+ mask = (s->cr[VGA_CRTC_MODE] & 3) ^ 3;
+ if ((y1 & mask) == mask)
+- addr1 += line_offset;
++ addr1 += s->line_offset;
+ y1++;
+ multi_run = multi_scan;
+ } else {
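Review bot: the `#if 0` debug `printf` at the top of the second hunk still references the removed local (`width, height, v, line_offset, s->cr[9], ...`), so the block no longer compiles if anyone re-enables it; change it to `s->line_offset` in the same patch or drop the dead block, rather than leaving a latent build break behind.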
+--
+2.11.0
+
--- /dev/null
+From b63830cd6f59a87ef9bdb4f466ce8f4bd2ff5315 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:22 +0200
+Subject: [PATCH 18/23] vga: handle cirrus vbe mode wraparounds.
+
+Commit "3d90c62548 vga: stop passing pointers to vga_draw_line*
+functions" is incomplete. It doesn't handle the case that the vga
+rendering code tries to create a shared surface, i.e. a pixman image
+backed by vga video memory. That can not work in case the guest display
+wraps from end of video memory to the start. So force shadowing in that
+case. Also adjust the snapshot region calculation.
+
+Can trigger with cirrus only, when programming vbe modes using the bochs
+api (stdvga, also qxl and virtio-vga in vga compat mode) wrap arounds
+can't happen.
+
+Fixes: CVE-2017-13672
+Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681
+Cc: P J P <ppandit@redhat.com>
+Reported-by: David Buchanan <d@vidbuchanan.co.uk>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-3-kraxel@redhat.com
+---
+ hw/display/vga.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 77af807a51..7bdbf7441e 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1465,13 +1465,13 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ DisplaySurface *surface = qemu_console_surface(s->con);
+ int y1, y, update, linesize, y_start, double_scan, mask, depth;
+ int width, height, shift_control, bwidth, bits;
+- ram_addr_t page0, page1;
++ ram_addr_t page0, page1, region_start, region_end;
+ DirtyBitmapSnapshot *snap = NULL;
+ int disp_width, multi_scan, multi_run;
+ uint8_t *d;
+ uint32_t v, addr1, addr;
+ vga_draw_line_func *vga_draw_line = NULL;
+- bool share_surface;
++ bool share_surface, force_shadow = false;
+ pixman_format_code_t format;
+ #ifdef HOST_WORDS_BIGENDIAN
+ bool byteswap = !s->big_endian_fb;
+@@ -1484,6 +1484,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ s->get_resolution(s, &width, &height);
+ disp_width = width;
+
++ region_start = (s->start_addr * 4);
++ region_end = region_start + s->line_offset * height;
++ if (region_end > s->vbe_size) {
++ /* wraps around (can happen with cirrus vbe modes) */
++ region_start = 0;
++ region_end = s->vbe_size;
++ force_shadow = true;
++ }
++
+ shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
+ double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
+ if (shift_control != 1) {
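Review bot: `region_end = region_start + s->line_offset * height;` performs the multiplication in the operands' own narrower integer type and only widens the result to `ram_addr_t` afterwards, so guest-programmed values large enough to overflow would wrap before the `region_end > s->vbe_size` test and bypass the `force_shadow` path this patch relies on; cast one operand to `ram_addr_t` so the comparison sees the true size (0019 in this series adds exactly that cast, and could be squashed into this patch for the stable backport).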
+@@ -1523,7 +1532,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ format = qemu_default_pixman_format(depth, !byteswap);
+ if (format) {
+ share_surface = dpy_gfx_check_format(s->con, format)
+- && !s->force_shadow;
++ && !s->force_shadow && !force_shadow;
+ } else {
+ share_surface = false;
+ }
+@@ -1627,8 +1636,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ y1 = 0;
+
+ if (!full_update) {
+- ram_addr_t region_start = addr1;
+- ram_addr_t region_end = addr1 + s->line_offset * height;
+ vga_sync_dirty_bitmap(s);
+ if (s->line_compare < height) {
+ /* split screen mode */
+@@ -1651,10 +1658,17 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ addr = (addr & ~0x8000) | ((y1 & 2) << 14);
+ }
+ update = full_update;
+- page0 = addr;
+- page1 = addr + bwidth - 1;
++ page0 = addr & s->vbe_size_mask;
++ page1 = (addr + bwidth - 1) & s->vbe_size_mask;
+ if (full_update) {
+ update = 1;
++ } else if (page1 < page0) {
++ /* scanline wraps from end of video memory to the start */
++ assert(force_shadow);
++ update = memory_region_snapshot_get_dirty(&s->vram, snap,
++ page0, 0);
++ update |= memory_region_snapshot_get_dirty(&s->vram, snap,
++ page1, 0);
+ } else {
+ update = memory_region_snapshot_get_dirty(&s->vram, snap,
+ page0, page1 - page0);
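Review bot: in the new `page1 < page0` branch both `memory_region_snapshot_get_dirty` calls pass a size of `0`, so the two halves of a wrapped scanline (`[page0, vbe_size)` and `[0, page1)`) are never actually tested and `update` stays clear for exactly the case the branch was added for; the sizes should be `s->vbe_size - page0` and `page1` respectively (0020 in this series makes that correction, so the two patches should ship together). Separately, `assert(force_shadow)` aborts QEMU if reached with the flag clear; since `addr` is rewritten just above for the interleaved `(y1 & 2) << 14` case, it is worth confirming that a wrapping `page0`/`page1` pair cannot arise from that path without `region_end` having exceeded `s->vbe_size` in the earlier check.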
+--
+2.11.0
+
--- /dev/null
+From 918868b77c7a04d3e2aa7bbc7f9255dafe75f709 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:23 +0200
+Subject: [PATCH 19/23] vga: add ram_addr_t cast
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 7bdbf7441e..63ba404ef2 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1485,7 +1485,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ disp_width = width;
+
+ region_start = (s->start_addr * 4);
+- region_end = region_start + s->line_offset * height;
++ region_end = region_start + (ram_addr_t)s->line_offset * height;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
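Review bot: the `(ram_addr_t)` cast on `s->line_offset` widens the multiplication before it can overflow, which is the fix Coverity asked for; the unchanged `region_start = (s->start_addr * 4);` two lines above applies the same pattern in the field's own type, so check whether `start_addr * 4` needs the same widening, since `region_end` is derived from it and feeds the `> s->vbe_size` comparison.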
+--
+2.11.0
+
--- /dev/null
+From 3c51ccd7bb43dd763a1ff3112b8a0cd7e145ca4f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 Oct 2017 11:28:30 +0100
+Subject: [PATCH 20/23] vga: fix region checks in wraparound case
+
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: 20171030102830.4469-1-kraxel@redhat.com
+---
+ hw/display/vga.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 63ba404ef2..a58d8bcd67 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1666,9 +1666,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ /* scanline wraps from end of video memory to the start */
+ assert(force_shadow);
+ update = memory_region_snapshot_get_dirty(&s->vram, snap,
+- page0, 0);
++ page0, s->vbe_size - page0);
+ update |= memory_region_snapshot_get_dirty(&s->vram, snap,
+- page1, 0);
++ 0, page1);
+ } else {
+ update = memory_region_snapshot_get_dirty(&s->vram, snap,
+ page0, page1 - page0);
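Review bot: the corrected sizes follow the half-open convention of the non-wrapping branch (`page0, page1 - page0`): the first call now covers `[page0, vbe_size)` and the second `[0, page1)`, so a dirty wrapped scanline is finally detected; because this repairs the zero-length calls introduced by 0018, a `Fixes:` line naming that commit (and the CVE-2017-13672 it carries) would make it explicit that the two must not be cherry-picked separately.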
+--
+2.11.0
+
--- /dev/null
+From 89a1271a7687018cdbf2b7f92cf3d50d079e100e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 9 Oct 2017 14:43:42 +0100
+Subject: [PATCH 21/23] io: monitor encoutput buffer size from websocket
+ GSource
+
+The websocket GSource is monitoring the size of the rawoutput
+buffer to determine if the channel can accepts more writes.
+The rawoutput buffer, however, is merely a temporary staging
+buffer before data is copied into the encoutput buffer. Thus
+its size will always be zero when the GSource runs.
+
+This flaw causes the encoutput buffer to grow without bound
+if the other end of the underlying data channel doesn't
+read data being sent. This can be seen with VNC if a client
+is on a slow WAN link and the guest OS is sending many screen
+updates. A malicious VNC client can act like it is on a slow
+link by playing a video in the guest and then reading data
+very slowly, causing QEMU host memory to expand arbitrarily.
+
+This issue is assigned CVE-2017-15268, publically reported in
+
+ https://bugs.launchpad.net/qemu/+bug/1718964
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ io/channel-websock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index 8fabadea2f..882bbb4cbc 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -26,7 +26,7 @@
+ #include "trace.h"
+
+
+-/* Max amount to allow in rawinput/rawoutput buffers */
++/* Max amount to allow in rawinput/encoutput buffers */
+ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
+
+ #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
+@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
+ if (wsource->wioc->rawinput.offset) {
+ cond |= G_IO_IN;
+ }
+- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
++ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ cond |= G_IO_OUT;
+ }
+
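Review bot: moving the `G_IO_OUT` test to `encoutput.offset` targets the right buffer, since the commit message explains `rawoutput` is drained into `encoutput` before the GSource runs and is therefore always empty at that point; the hunk only touches `qio_channel_websock_source_prepare`, so if a separate `_check` callback or the write path repeats the `rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER` comparison, it needs the same change or the back-pressure is still bypassed and the unbounded growth described for slow VNC clients remains. The updated comment (`rawinput/encoutput`) is consistent with the unchanged `rawinput.offset` input test above it.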
+--
+2.11.0
+
--- /dev/null
+From 184640d2552895d967214e90e23e005d6657b145 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH 22/23] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index c80ba67389..aaf9935ef4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+ xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
+@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+ &name, xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
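Review bot: `g_malloc0` closes the disclosure (stale heap bytes are no longer handed to the guest when the attribute shrinks between the size query and the fetch), but the race window itself remains: `value` is still allocated from the earlier `size` and the retrieval is passed `xattr_fidp->fs.xattr.len`, so whatever length bookkeeping follows the `v9fs_co_llistxattr` / `v9fs_co_lgetxattr` calls should be checked to ensure only the bytes actually returned are exposed, since zeroing hides the gap rather than removing it. A `Fixes: CVE-2017-15038` tag is also missing even though the changelog attributes that CVE to this patch.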
+--
+2.11.0
+
--- /dev/null
+From b162e22e5f0c1081efeec646999616ce1a7e3875 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 11 Oct 2017 10:43:14 +0200
+Subject: [PATCH 23/23] cirrus: fix oob access in mode4and5 write functions
+
+Move dst calculation into the loop, so we apply the mask on each
+interation and will not overflow vga memory.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171011084314.21752-1-kraxel@redhat.com
+---
+ hw/display/cirrus_vga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index afc290ab91..077a8cb74f 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
+ unsigned val = mem_value;
+ uint8_t *dst;
+
+- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+ for (x = 0; x < 8; x++) {
++ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
+ if (val & 0x80) {
+ *dst = s->cirrus_shadow_gr1;
+ } else if (mode == 5) {
+ *dst = s->cirrus_shadow_gr0;
+ }
+ val <<= 1;
+- dst++;
+ }
+ memory_region_set_dirty(&s->vga.vram, offset, 8);
+ }
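Review bot: masking `(offset + x)` on every iteration fixes the out-of-bounds write, but because the old `(offset &= s->cirrus_addr_mask)` assignment is gone, `offset` now reaches `memory_region_set_dirty(&s->vga.vram, offset, 8)` unmasked unless every caller has already masked it; and when the masked offset lies within 8 bytes of the end of vram the dirty range still extends past the region while the writes themselves wrap to the start. Consider masking `offset` once at the top of the function and marking the wrapped tail (`0 .. (offset + 7) & mask`) as a second dirty range, or at least clamping the dirty length to the region end.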
+@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+ unsigned val = mem_value;
+ uint8_t *dst;
+
+- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+ for (x = 0; x < 8; x++) {
++ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
+ if (val & 0x80) {
+ *dst = s->cirrus_shadow_gr1;
+ *(dst + 1) = s->vga.gr[0x11];
+@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+ *(dst + 1) = s->vga.gr[0x10];
+ }
+ val <<= 1;
+- dst += 2;
+ }
+ memory_region_set_dirty(&s->vga.vram, offset, 16);
+ }
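Review bot: the 16bpp variant has the same dirty-range concern with `memory_region_set_dirty(&s->vga.vram, offset, 16)` once the masking assignment is removed; the extra `& ~1` keeps each `dst` even so the paired `*(dst + 1)` write stays inside the masked range, which is the right choice here, but the same wrapped-tail handling for the dirty marking should be applied to both functions for consistency.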
+--
+2.11.0
+
extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
extra/0013-multiboot-validate-multiboot-header-address-values.patch
extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch
+extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch
+extra/0016-vga-migration-Update-memory-map-in-post_load.patch
+extra/0017-vga-drop-line_offset-variable.patch
+extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch
+extra/0019-vga-add-ram_addr_t-cast.patch
+extra/0020-vga-fix-region-checks-in-wraparound-case.patch
+extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
+extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
+extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch