Commits on Jul 1, 2016
  1. @melloc

    OS-5486 QEMU DHCP server should reply to ARP requests

    Reviewed by: Robert Mustacchi <rm@joyent.com>
    melloc committed Jun 27, 2016
Commits on Apr 12, 2016
  1. @rmustacc

    HVM-846 enable preadv/pwritev again

    Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
    Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
    Reviewed by: Joshua M. Clulow <josh@sysmgr.org>
    rmustacc committed Apr 8, 2016
Commits on Feb 6, 2016
  1. @jclulow
  2. @jclulow
  3. @jclulow
Commits on Feb 5, 2016
  1. @jclulow
  2. @jclulow
Commits on Nov 19, 2015
  1. @jclulow

    OS-4975 ship iPXE ROM for PXE boot of VirtIO NICs in KVM guests

    Reviewed by: Robert Mustacchi <rm@joyent.com>
    jclulow committed Nov 19, 2015
Commits on Sep 4, 2015
  1. @rmustacc

    rtl8139: check TCP Data Offset field

    The TCP Data Offset field contains the length of the header.  Make sure
    it is valid and does not exceed the IP data length.
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Jul 15, 2015
  2. @rmustacc

    rtl8139: skip offload on short TCP header

    TCP Large Segment Offload accesses the TCP header in the packet.  If the
    packet is too short we must not attempt to access header fields:
    
      tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
      int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Sep 4, 2015
  3. @rmustacc

    rtl8139: check IP Total Length field

    The IP Total Length field includes the IP header and data.  Make sure it
    is valid and does not exceed the Ethernet payload size.
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Jul 15, 2015
  4. @rmustacc

    rtl8139: check IP Header Length field

    The IP Header Length field was only checked in the IP checksum case, but
    is used in other cases too.
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Jul 15, 2015
  5. @rmustacc

    rtl8139: skip offload on short Ethernet/IP header

    Transmit offload features access Ethernet and IP headers in the packet.  If
    the packet is too short we must not attempt to access header fields:
    
      int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
      ...
      eth_payload_data = saved_buffer + ETH_HLEN;
      ...
      ip = (ip_header*)eth_payload_data;
      if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Sep 4, 2015
  6. @rmustacc

    rtl8139: drop tautologous if (ip) {...} statement

    The previous patch stopped using the ip pointer as an indicator that the
    IP header is present.  When we reach the if (ip) {...} statement we know
    ip is always non-NULL.
    
    Remove the if statement to reduce nesting.
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    
    Note, this was further modified to handle the case that we don't have
    the VLAN offload.
    Stefan Hajnoczi committed with rmustacc Sep 4, 2015
  7. @rmustacc

    rtl8139: avoid nested ifs in IP header parsing

    Transmit offload needs to parse packet headers.  If header fields have
    unexpected values the offload processing is skipped.
    
    The code currently uses nested ifs because there is relatively little
    input validation.  The next patches will add missing input validation
    and a goto label is more appropriate to avoid deep if statement nesting.
    
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Stefan Hajnoczi committed with rmustacc Jul 15, 2015
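Added example, not code from QEMU or from this fork: a stand-alone model of the header validation the seven rtl8139 commits above introduce on the transmit-offload path. It checks each length field only after the bytes holding it are known to be present, in the order the commits describe (short Ethernet/IP header, IP Header Length, IP Total Length, short TCP header, TCP Data Offset), and builds constructed test frames so the malformed variants a guest could hand the device can be exercised. The frame layout, constants, `validate_tx_offload_headers()`, `build_test_frame()` and `check_variant()` are this example's own names, not hw/rtl8139.c's.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the header checks
 * the rtl8139 commit series adds to the transmit-offload path. The frame
 * layout, constants and all function names here are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define IP_HDR_MIN    20
#define IP_PROTO_TCP  6
#define TCP_HDR_MIN   20

enum offload_verdict {
    OFFLOAD_OK = 0,
    SKIP_SHORT_ETH_IP,     /* too short to hold Ethernet + minimal IPv4 header */
    SKIP_NOT_IPV4,         /* wrong ethertype or IP version */
    SKIP_BAD_IHL,          /* IP Header Length < 20 or past the Ethernet payload */
    SKIP_BAD_TOTAL_LEN,    /* IP Total Length < header or past the Ethernet payload */
    SKIP_NOT_TCP,
    SKIP_SHORT_TCP,        /* IP data too short to hold a minimal TCP header */
    SKIP_BAD_DATA_OFFSET   /* TCP Data Offset < 20 or past the IP data */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate every length field before any offload code dereferences the
 * headers. Each field is read only once the bytes holding it are known to
 * be present. On OFFLOAD_OK, *tcp_off/*tcp_hlen locate the TCP header. */
enum offload_verdict validate_tx_offload_headers(const uint8_t *pkt, size_t len,
                                                 size_t *tcp_off, size_t *tcp_hlen)
{
    if (len < ETH_HLEN + IP_HDR_MIN)            /* short Ethernet/IP header */
        return SKIP_SHORT_ETH_IP;
    if (be16(pkt + 12) != ETH_P_IP)
        return SKIP_NOT_IPV4;

    const uint8_t *ip = pkt + ETH_HLEN;
    size_t eth_payload_len = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return SKIP_NOT_IPV4;

    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;   /* IP Header Length, 32-bit words */
    if (hlen < IP_HDR_MIN || hlen > eth_payload_len)
        return SKIP_BAD_IHL;

    size_t ip_total = be16(ip + 2);             /* IP Total Length: header + data */
    if (ip_total < hlen || ip_total > eth_payload_len)
        return SKIP_BAD_TOTAL_LEN;
    size_t ip_data_len = ip_total - hlen;

    if (ip[9] != IP_PROTO_TCP)
        return SKIP_NOT_TCP;
    if (ip_data_len < TCP_HDR_MIN)              /* short TCP header */
        return SKIP_SHORT_TCP;

    const uint8_t *tcp = ip + hlen;
    size_t thlen = (size_t)(tcp[12] >> 4) * 4;  /* TCP Data Offset, 32-bit words */
    if (thlen < TCP_HDR_MIN || thlen > ip_data_len)
        return SKIP_BAD_DATA_OFFSET;

    if (tcp_off)  *tcp_off = ETH_HLEN + hlen;
    if (tcp_hlen) *tcp_hlen = thlen;
    return OFFLOAD_OK;
}

#define TEST_FRAME_LEN 60   /* 14 Ethernet + 20 IPv4 + 20 TCP + 6 payload bytes */

/* Constructed test frame: the caller chooses the three length fields so the
 * malformed variants can be produced directly. */
size_t build_test_frame(uint8_t *buf, uint8_t ihl_words, uint16_t total_len,
                        uint8_t data_offset_words)
{
    memset(buf, 0, TEST_FRAME_LEN);
    buf[12] = 0x08; buf[13] = 0x00;                  /* ethertype IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));    /* version 4 + IHL */
    ip[2] = (uint8_t)(total_len >> 8);
    ip[3] = (uint8_t)(total_len & 0xff);
    ip[9] = IP_PROTO_TCP;
    ip[IP_HDR_MIN + 12] = (uint8_t)(data_offset_words << 4); /* TCP Data Offset */
    return TEST_FRAME_LEN;
}

/* Build one variant and validate it; len <= TEST_FRAME_LEN models a runt. */
enum offload_verdict check_variant(uint8_t ihl_words, uint16_t total_len,
                                   uint8_t data_offset_words, size_t len,
                                   size_t *tcp_off, size_t *tcp_hlen)
{
    uint8_t f[TEST_FRAME_LEN];
    build_test_frame(f, ihl_words, total_len, data_offset_words);
    return validate_tx_offload_headers(f, len, tcp_off, tcp_hlen);
}

int main(void)
{
    size_t off = 0, hl = 0;
    enum offload_verdict v = check_variant(5, 46, 5, TEST_FRAME_LEN, &off, &hl);
    printf("well-formed: verdict %d, TCP header at %zu, length %zu\n", v, off, hl);
    printf("IHL 60 in 46-byte payload: %d\n", check_variant(15, 46, 5, TEST_FRAME_LEN, NULL, NULL));
    printf("Total Length 65535: %d\n", check_variant(5, 0xffff, 5, TEST_FRAME_LEN, NULL, NULL));
    printf("Data Offset 60 in 26 data bytes: %d\n", check_variant(5, 46, 15, TEST_FRAME_LEN, NULL, NULL));
    printf("20-byte runt: %d\n", check_variant(5, 46, 5, 20, NULL, NULL));
    return 0;
}
```

Each verdict other than `OFFLOAD_OK` maps to the "skip offload" path the commits take; the point of the ordering is that a guest-controlled field is never used as an offset until the field itself is inside the received byte count.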
  8. @rmustacc
  9. @rmustacc

    e1000: Avoid infinite loop in processing transmit descriptor

    While processing transmit descriptors, it could lead to an infinite
    loop if 'bytes' were to become zero. Add a check to avoid it.
    
    [The guest can force 'bytes' to 0 by setting the hdr_len and mss
    descriptor fields to 0.
    --Stefan]
    
    Signed-off-by: P J P <ppandit@redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    P J P committed with rmustacc Sep 4, 2015
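Added example, not code from QEMU or from this fork: a model of the TSO split loop the e1000 commit above describes, showing why a guest that sets hdr_len and mss to 0 makes every pass move zero bytes, and the forward-progress check that stops it. `struct tso_ctx`, `tso_split_segments()`, `tso_demo()`, `DATA_BUF_SIZE` and the demo-only `MAX_ITERS` cap are this example's own; only the two guest-controlled fields named in the commit are taken from it.

```c
/*
 * Added example, not QEMU code: a model of the e1000 TSO split loop. The
 * struct, function names and constants are this example's own.
 */
#include <stdint.h>
#include <stdio.h>

#define DATA_BUF_SIZE 0x10000   /* staging buffer for one segment (header + payload) */
#define MAX_ITERS     100000    /* demo-only cap so the unguarded variant terminates */

struct tso_ctx {
    uint8_t  hdr_len;   /* guest-controlled: header bytes copied in front of each segment */
    uint16_t mss;       /* guest-controlled: payload bytes per segment */
};

/*
 * Consume split_size bytes of one transmit descriptor, emitting a segment
 * each time hdr_len + mss bytes are staged. Returns segments sent, -1 if a
 * pass moved zero bytes (guarded: the check the commit adds), or -2 if the
 * demo cap was hit (unguarded: the real loop would never exit).
 */
int tso_split_segments(const struct tso_ctx *c, uint32_t split_size, int guarded)
{
    uint32_t msh = (uint32_t)c->hdr_len + c->mss;  /* bytes in one full segment */
    uint32_t size = 0;                             /* bytes staged so far */
    uint32_t bytes;
    int segs = 0, iters = 0;

    do {
        bytes = split_size;
        if (size + bytes > msh)
            bytes = msh - size;            /* fill only up to the segment boundary */
        if (bytes > DATA_BUF_SIZE - size)
            bytes = DATA_BUF_SIZE - size;  /* never stage past the buffer */

        size += bytes;
        if (size == msh) {                 /* full segment: "transmit" it */
            segs++;
            size = c->hdr_len;             /* header is reused by the next segment */
        }
        split_size -= bytes;

        /* With hdr_len == 0 and mss == 0, msh is 0, bytes is forced to 0 and
         * split_size never shrinks. Guarded: stop as soon as no progress. */
        if (guarded && bytes == 0 && split_size)
            return -1;
        if (++iters > MAX_ITERS)
            return -2;
    } while (split_size);

    return segs;
}

/* Convenience wrapper: build the context from the two descriptor fields. */
int tso_demo(uint8_t hdr_len, uint16_t mss, uint32_t split_size, int guarded)
{
    struct tso_ctx c = { hdr_len, mss };
    return tso_split_segments(&c, split_size, guarded);
}

int main(void)
{
    printf("54-byte header, mss 1460, 2974 bytes: %d segments\n", tso_demo(54, 1460, 2974, 1));
    printf("hdr_len 0, mss 0, guarded:   %d\n", tso_demo(0, 0, 100, 1));
    printf("hdr_len 0, mss 0, unguarded: %d (hit demo cap; real loop spins)\n",
           tso_demo(0, 0, 100, 0));
    printf("hdr_len 54, mss 0, guarded:  %d\n", tso_demo(54, 0, 200, 1));
    return 0;
}
```

The guard is the generalization worth keeping: any loop whose step size derives from guest-writable descriptor fields needs a check that each pass strictly reduces the remaining work, not just a check that the fields are in range.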
Commits on Jul 27, 2015
  1. @rmustacc

    ide: Clear DRQ after handling all expected accesses

    This is additional hardening against an end_transfer_func that fails to
    clear the DRQ status bit. The bit must be unset as soon as the PIO
    transfer has completed, so it's better to do this in a central place
    instead of duplicating the code in all commands (and forgetting it in
    some).
    
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    Kevin Wolf committed with rmustacc Jun 3, 2015
  2. @rmustacc

    ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

    If the end_transfer_func of a command is called because enough data has
    been read or written for the current PIO transfer, and it fails to
    correctly call the command completion functions, the DRQ bit in the
    status register and s->end_transfer_func may remain set. This allows the
    guest to access further bytes in s->io_buffer beyond s->data_end, and
    eventually overflowing the io_buffer.
    
    One case where this currently happens is emulation of the ATAPI command
    START STOP UNIT.
    
    This patch fixes the problem by adding explicit array bounds checks
    before accessing the buffer instead of relying on end_transfer_func to
    function correctly.
    Kevin Wolf committed with rmustacc Jul 27, 2015
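Added example, not code from QEMU or from this fork: a model of the PIO data-port write path the two ide commits above harden. A command whose end_transfer_func forgets to finish the transfer leaves DRQ set, so the guest can keep writing past data_end; the model shows the overrun landing in a canary region after the buffer, and then the two fixes (explicit bounds check before the access, central DRQ clear once the expected bytes have been handled) stopping it. `struct pio_state`, `IO_BUFFER_SIZE`, the canary, `end_transfer_buggy()`, `end_transfer_ok()`, `ide_data_writew()`, `run_pio_transfer()` and `canary_intact()` are this example's own; the buffer size is a demo value, not QEMU's.

```c
/*
 * Added example, not QEMU code: a model of the IDE PIO write path with a
 * canary after the buffer so an overrun is observable. All names here are
 * this example's own; IO_BUFFER_SIZE is a demo value.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BUFFER_SIZE 2048
#define CANARY_SIZE    64
#define CANARY_BYTE    0xA5

struct pio_state {
    uint8_t  mem[IO_BUFFER_SIZE + CANARY_SIZE]; /* io_buffer followed by canary */
    uint8_t *data_ptr;      /* next byte the guest may read/write */
    uint8_t *data_end;      /* one past the last byte of the current transfer */
    int      drq;           /* DRQ status bit: a PIO transfer is in progress */
    void   (*end_transfer_func)(struct pio_state *);
};

/* Models a command emulation that fails to complete the transfer (the
 * commit names ATAPI START STOP UNIT as one such case): DRQ stays set. */
static void end_transfer_buggy(struct pio_state *s) { (void)s; }

/* Correct completion: clear DRQ and disarm further data-port accesses. */
static void end_transfer_ok(struct pio_state *s)
{
    s->drq = 0;
    s->data_ptr = s->data_end = s->mem;
}

/* One 16-bit guest write to the data port. */
void ide_data_writew(struct pio_state *s, uint16_t val, int hardened)
{
    uint8_t *p;
    if (!s->drq)
        return;                            /* no transfer in flight */
    p = s->data_ptr;
    /* CVE-2015-5154 fix: bounds check that does not rely on
     * end_transfer_func having behaved. */
    if (hardened && p + 2 > s->data_end)
        return;
    p[0] = (uint8_t)val;
    p[1] = (uint8_t)(val >> 8);
    s->data_ptr = p + 2;
    if (s->data_ptr >= s->data_end) {
        if (hardened)
            s->drq = 0;                    /* central "Clear DRQ" after all expected accesses */
        s->end_transfer_func(s);
    }
}

static struct pio_state g_state;

/* Start a transfer_len-byte PIO write at the end of io_buffer, then let the
 * guest push guest_words 16-bit words (more than the transfer holds).
 * Returns the number of bytes written past data_end; only 0 is acceptable. */
size_t run_pio_transfer(int hardened, int buggy_end, size_t transfer_len, size_t guest_words)
{
    struct pio_state *s = &g_state;
    uint8_t *data_end = s->mem + IO_BUFFER_SIZE;
    size_t i;

    memset(s->mem, 0, IO_BUFFER_SIZE);
    memset(data_end, CANARY_BYTE, CANARY_SIZE);
    s->data_ptr = data_end - transfer_len;
    s->data_end = data_end;
    s->drq = 1;
    s->end_transfer_func = buggy_end ? end_transfer_buggy : end_transfer_ok;

    for (i = 0; i < guest_words; i++) {
        /* Demo-only fence: keep the unguarded variant inside mem[] so the
         * overrun hits the canary instead of undefined memory. */
        if ((size_t)(s->data_ptr - s->mem) + 2 > sizeof(s->mem))
            break;
        ide_data_writew(s, 0x4141, hardened);
    }
    return s->data_ptr > data_end ? (size_t)(s->data_ptr - data_end) : 0;
}

/* True if the bytes after io_buffer were untouched by the last run. */
int canary_intact(void)
{
    size_t i;
    for (i = 0; i < CANARY_SIZE; i++)
        if (g_state.mem[IO_BUFFER_SIZE + i] != CANARY_BYTE)
            return 0;
    return 1;
}

int main(void)
{
    size_t over = run_pio_transfer(0, 1, 512, 272);
    printf("unguarded + buggy completion: %zu bytes past data_end, canary %s\n",
           over, canary_intact() ? "intact" : "clobbered");
    over = run_pio_transfer(1, 1, 512, 272);
    printf("hardened  + buggy completion: %zu bytes past data_end, canary %s\n",
           over, canary_intact() ? "intact" : "clobbered");
    return 0;
}
```

A 512-byte transfer is 256 words; the constructed guest sends 272, so the unguarded model writes 32 bytes past data_end, while the hardened model writes none whether or not the command's completion routine behaves.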
Commits on Jul 9, 2015
  1. @rmustacc

    HVM-824 vnic_receive_iov mishandles case where iovcnt equals FRAMEIO_NVECS_MAX
    
    
    Reviewed by: Joshua M. Clulow <jmc@joyent.com>
    Reviewed by: Bryan Cantrill <bryan@joyent.com>
    rmustacc committed Jul 7, 2015
Commits on Jun 10, 2015
  1. @rmustacc

    pcnet: force the buffer access to be in bounds during tx

    4096 is the maximum length per TMD and it is also currently the size of
    the relay buffer pcnet driver uses for sending the packet data to QEMU
    for further processing. With packet spanning multiple TMDs it can
    happen that the overall packet size will be bigger than sizeof(buffer),
    which results in memory corruption.
    
    Fix this by only allowing to queue maximum sizeof(buffer) bytes.
    
    This is CVE-2015-3209.
    
    Signed-off-by: Petr Matousek <pmatouse@redhat.com>
    Reported-by: Matt Tait <matttait@google.com>
    Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
    Petr Matousek committed with rmustacc May 24, 2015
  2. @gongleiarei @rmustacc

    pcnet: fix Negative array index read

    s->xmit_pos may be assigned a negative value (-1),
    but in this branch the variable s->xmit_pos is used as an index into
    array s->buffer. Let's add a check for s->xmit_pos.
    
    upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b
    
    Signed-off-by: Gonglei <arei.gonglei@huawei.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Reviewed-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    gongleiarei committed with rmustacc Jun 10, 2015
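Added example, not code from QEMU or from this fork: a model of the transmit-descriptor (TMD) assembly the two pcnet commits above fix. It covers both defects in one place: a chain of TMDs whose total exceeds the 4096-byte relay buffer (CVE-2015-3209) is dropped instead of copied past the end, and a fragment arriving while no packet is open (xmit_pos still -1, the "Negative array index read") is skipped rather than used as an index. `struct pcnet_tx`, `struct tmd`, `pcnet_tx_desc()`, `run_chain()`, the scenario functions and the constructed `guest_mem[]` are this example's own; bcnt is given as a plain byte count rather than in the two's-complement form the real TMD uses.

```c
/*
 * Added example, not QEMU code: a model of pcnet TMD chaining with the two
 * checks the commits add. Struct, enum and function names are this
 * example's own; bcnt is a plain byte count here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCNET_BUFFER_SIZE 4096       /* relay buffer; also the max length per TMD */

struct pcnet_tx {
    uint8_t buffer[PCNET_BUFFER_SIZE];
    int     xmit_pos;                /* -1: no packet being assembled */
};

struct tmd {
    int            stp;              /* start of packet */
    int            enp;              /* end of packet */
    uint16_t       bcnt;             /* bytes described by this TMD (<= 4096) */
    const uint8_t *data;             /* guest memory the TMD points at */
};

enum tx_result {
    TX_SENT,                /* ENP seen, packet handed on; length in *sent_len */
    TX_PENDING,             /* fragment queued, waiting for more TMDs */
    TX_DROP_TOO_BIG,        /* CVE-2015-3209: chain would exceed sizeof(buffer) */
    TX_DROP_NO_STP          /* "Negative array index": fragment with no packet open */
};

enum tx_result pcnet_tx_desc(struct pcnet_tx *s, const struct tmd *d, size_t *sent_len)
{
    if (d->stp)
        s->xmit_pos = 0;
    /* Without this, a non-STP TMD arriving while xmit_pos == -1 would use
     * buffer[-1] as the copy destination. */
    if (s->xmit_pos < 0)
        return TX_DROP_NO_STP;
    /* Without this, TMDs totalling more than 4096 bytes would be copied
     * past the end of buffer. Drop the packet and reset, as the fix does. */
    if ((size_t)s->xmit_pos + d->bcnt > sizeof(s->buffer)) {
        s->xmit_pos = -1;
        return TX_DROP_TOO_BIG;
    }
    memcpy(s->buffer + s->xmit_pos, d->data, d->bcnt);
    s->xmit_pos += d->bcnt;
    if (!d->enp)
        return TX_PENDING;
    if (sent_len)
        *sent_len = (size_t)s->xmit_pos;
    s->xmit_pos = -1;
    return TX_SENT;
}

static uint8_t guest_mem[8192];      /* constructed guest memory for the chains below */

/* Run a descriptor chain on a fresh device and return the last result. */
enum tx_result run_chain(const struct tmd *chain, size_t n, size_t *sent_len)
{
    struct pcnet_tx s;
    enum tx_result r = TX_PENDING;
    size_t i;
    s.xmit_pos = -1;
    for (i = 0; i < n; i++)
        r = pcnet_tx_desc(&s, &chain[i], sent_len);
    return r;
}

enum tx_result scenario_two_fragments(size_t *len)   /* 1500 + 14 = 1514 bytes */
{
    const struct tmd chain[] = { { 1, 0, 1500, guest_mem }, { 0, 1, 14, guest_mem + 1500 } };
    return run_chain(chain, 2, len);
}

enum tx_result scenario_oversized_chain(size_t *len) /* 4096 + 904 = 5000 bytes */
{
    const struct tmd chain[] = { { 1, 0, 4096, guest_mem }, { 0, 1, 904, guest_mem + 4096 } };
    return run_chain(chain, 2, len);
}

enum tx_result scenario_enp_without_stp(size_t *len) /* fragment with no packet open */
{
    const struct tmd chain[] = { { 0, 1, 64, guest_mem } };
    return run_chain(chain, 1, len);
}

size_t scenario_two_fragments_len(void)
{
    size_t len = 0;
    scenario_two_fragments(&len);
    return len;
}

int main(void)
{
    printf("two fragments:      result %d, %zu bytes\n", scenario_two_fragments(NULL),
           scenario_two_fragments_len());
    printf("5000-byte chain:    result %d\n", scenario_oversized_chain(NULL));
    printf("ENP without STP:    result %d\n", scenario_enp_without_stp(NULL));
    return 0;
}
```

Both checks sit before the `memcpy`, which is the only place guest-controlled values become a destination pointer; a per-TMD length limit alone is not enough, because the relay buffer is sized for one TMD while a packet may span several.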
Commits on May 12, 2015
  1. @danmcd @rmustacc
Commits on Apr 24, 2015
  1. @jclulow
Commits on Jan 23, 2015
  1. @rmustacc
Commits on Dec 11, 2014
  1. @rmustacc

    HVM-813 Disable eventfd support

    rmustacc committed Dec 11, 2014
Commits on Aug 13, 2014
  1. @rmustacc

    HVM-807 qemu_recieve_iov fails on pathologically large iovecs

    Reviewed by: Keith M Wesolowski <wesolows@foobazco.org>
    rmustacc committed Jul 31, 2014
Commits on Apr 16, 2014
  1. @rmustacc
Commits on Mar 24, 2014
  1. @rmustacc
Commits on Mar 20, 2014
  1. @rmustacc
Commits on Oct 25, 2013
  1. @jclulow
Commits on Sep 9, 2013
  1. @rmustacc
Commits on Jun 26, 2013
  1. @rmustacc

    HVM-778 ship qemu mdb module

    rmustacc committed Jun 26, 2013
Commits on Apr 27, 2013
  1. @rmustacc
Commits on Jan 10, 2013
  1. @rmustacc

    HVM-763 uhci timer does not properly set expire time

    HVM-765 qemu needs -msave-args
    HVM-767 qemu e1000g shouldn't botch popts
    rmustacc committed Jan 10, 2013