bump version to 2.9.1-3

Makefile

@@ -1,6 +1,6 @@
 # also update debian/changelog
 KVMVER=2.9.1
-KVMPKGREL=2
+KVMPKGREL=3
 
 KVMPACKAGE = pve-qemu-kvm
 KVMSRC = qemu

debian/changelog

@@ -1,3 +1,20 @@
+pve-qemu-kvm (2.9.1-3) stable; urgency=medium
+
+  * fix CVE-2017-15119: reject large nbd option requests
+
+  * fix CVE-2017-13672: vga: handle cirrus vbe mode wraparounds
+
+  * fix CVE-2017-15268: websocket issue with slow VNC clients
+
+  * fix CVE-2017-15289: cirrus: OOB access issue in mode4and5 write functions
+
+  * fix CVE-2017-15038: 9p: virtfs: information disclosure when reading
+    extended attributes
+
+  * various other vga stable fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Nov 2017 09:56:39 +0100
+
 pve-qemu-kvm (2.9.1-2) stable; urgency=medium
 
   * fix #1107: fix an issue where virtio devices would error on valid commands

debian/patches/extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch

@@ -1,7 +1,7 @@
-From b143eba39dd462833093ee1c9660bb157e72ce54 Mon Sep 17 00:00:00 2001
+From c2835302a557437ef22944902da17686247edd35 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Mon, 4 Jul 2016 15:02:26 +0200
-Subject: [PATCH 01/13] Revert "target-i386: disable LINT0 after reset"
+Subject: [PATCH 01/23] Revert "target-i386: disable LINT0 after reset"
 
 This reverts commit b8eb5512fd8a115f164edbbe897cdf8884920ccb.
 ---

debian/patches/extra/0002-virtio-serial-fix-segfault-on-disconnect.patch

@@ -1,7 +1,7 @@
-From aec6bba73f7d7692de2c4196ee80e4d753b45604 Mon Sep 17 00:00:00 2001
+From 7ea086a97a09774c9ac8f0df236a0acb01dfc1ef Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Fri, 2 Jun 2017 10:54:24 +0100
-Subject: [PATCH 02/13] virtio-serial: fix segfault on disconnect
+Subject: [PATCH 02/23] virtio-serial: fix segfault on disconnect
 
 Since commit d4c19cdeeb2f1e474bc426a6da261f1d7346eb5b ("virtio-serial:
 add missing virtio_detach_element() call") the following commands may

debian/patches/extra/0003-megasas-always-store-SCSIRequest-into-MegasasCmd.patch

@@ -1,7 +1,7 @@
-From 3884a6e250302f5f3d002ed03c20fb9678ea85e7 Mon Sep 17 00:00:00 2001
+From 8a6382046bb0a71f1deb7b7ca3954662353f3f65 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Thu, 1 Jun 2017 17:26:14 +0200
-Subject: [PATCH 03/13] megasas: always store SCSIRequest* into MegasasCmd
+Subject: [PATCH 03/23] megasas: always store SCSIRequest* into MegasasCmd
 
 This ensures that the request is unref'ed properly, and avoids a
 segmentation fault in the new qtest testcase that is added.

debian/patches/extra/0004-slirp-check-len-against-dhcp-options-array-end.patch

@@ -1,7 +1,7 @@
-From 918e23903f5712274830bb20e2d5603bf5794af7 Mon Sep 17 00:00:00 2001
+From 76d3fb511849efb8bcd8690cd008a46408fac6dd Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Mon, 17 Jul 2017 17:33:26 +0530
-Subject: [PATCH 04/13] slirp: check len against dhcp options array end
+Subject: [PATCH 04/23] slirp: check len against dhcp options array end
 
 While parsing dhcp options string in 'dhcp_decode', if an options'
 length 'len' appeared towards the end of 'bp_vend' array, ensuing

debian/patches/extra/0005-IDE-Do-not-flush-empty-CDROM-drives.patch

@@ -1,7 +1,7 @@
-From f635d03bc56b8d56589f8f962f893de1e8126c06 Mon Sep 17 00:00:00 2001
+From 1c0ba3702859ca6affc1a3f9cad3d35ccc4773ed Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Wed, 9 Aug 2017 17:02:11 +0100
-Subject: [PATCH 05/13] IDE: Do not flush empty CDROM drives
+Subject: [PATCH 05/23] IDE: Do not flush empty CDROM drives
 
 The block backend changed in a way that flushing empty CDROM drives now
 crashes.  Amend IDE to avoid doing so until the root problem can be

debian/patches/extra/0006-bitmap-add-bitmap_copy_and_clear_atomic.patch

@@ -1,7 +1,7 @@
-From 9d6486413e60b1d973f7ec2ac006fc9b8e210ddd Mon Sep 17 00:00:00 2001
+From 14a318bd04ab27f0f8f5dbe5aba53a817f85e016 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 21 Apr 2017 11:16:24 +0200
-Subject: [PATCH 06/13] bitmap: add bitmap_copy_and_clear_atomic
+Subject: [PATCH 06/23] bitmap: add bitmap_copy_and_clear_atomic
 
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Message-id: 20170421091632.30900-2-kraxel@redhat.com

debian/patches/extra/0007-memory-add-support-getting-and-using-a-dirty-bitmap-.patch

@@ -1,7 +1,7 @@
-From a89da93a2d3ffd3ba9516da89ecfbb0dd5fd51ad Mon Sep 17 00:00:00 2001
+From 2628973e5f8a50f3b308395fa8a33b8f4fdc9024 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 21 Apr 2017 11:16:25 +0200
-Subject: [PATCH 07/13] memory: add support getting and using a dirty bitmap
+Subject: [PATCH 07/23] memory: add support getting and using a dirty bitmap
  copy.
 
 This patch adds support for getting and using a local copy of the dirty

debian/patches/extra/0008-vga-add-vga_scanline_invalidated-helper.patch

@@ -1,7 +1,7 @@
-From cef8fb2b8ea711b6686032f86b1caf1815786aaa Mon Sep 17 00:00:00 2001
+From 248536e4a93b254fc38aa369f76e828c9ce9b45e Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 21 Apr 2017 11:16:26 +0200
-Subject: [PATCH 08/13] vga: add vga_scanline_invalidated helper
+Subject: [PATCH 08/23] vga: add vga_scanline_invalidated helper
 
 Add vga_scanline_invalidated helper to check whenever a scanline was
 invalidated.  Add a sanity check to fix OOB read access for display

debian/patches/extra/0009-vga-make-display-updates-thread-safe.patch

@@ -1,7 +1,7 @@
-From f7f03687246e62d8efed10ee5ce8c571fc3debc4 Mon Sep 17 00:00:00 2001
+From 54b1106d9a24dadae42c4f4c25b4fa2560183f5b Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 21 Apr 2017 11:16:27 +0200
-Subject: [PATCH 09/13] vga: make display updates thread safe.
+Subject: [PATCH 09/23] vga: make display updates thread safe.
 
 The vga code clears the dirty bits *after* reading the framebuffer
 memory.  So if the guest framebuffer updates hits the race window

debian/patches/extra/0010-vga-fix-display-update-region-calculation.patch

@@ -1,7 +1,7 @@
-From 616f285a074869fd79bc26509a0bd50e6e04e39d Mon Sep 17 00:00:00 2001
+From acd029e2a9b9ea93997fcb19c6cd71d6dd6c9cb6 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Tue, 9 May 2017 12:48:39 +0200
-Subject: [PATCH 10/13] vga: fix display update region calculation
+Subject: [PATCH 10/23] vga: fix display update region calculation
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

debian/patches/extra/0011-vga-fix-display-update-region-calculation-split-scre.patch

@@ -1,7 +1,7 @@
-From c93a020a1c6a37398d124f063af23d6acb3eb5cb Mon Sep 17 00:00:00 2001
+From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 1 Sep 2017 14:57:38 +0200
-Subject: [PATCH 11/13] vga: fix display update region calculation (split
+Subject: [PATCH 11/23] vga: fix display update region calculation (split
  screen)
 
 vga display update mis-calculated the region for the dirty bitmap

debian/patches/extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch

@@ -1,7 +1,7 @@
-From 15c2b7e06a85dd78c7d45b3703639735eee09c01 Mon Sep 17 00:00:00 2001
+From 51b08381408f248b1149c0177a90f61f703b8432 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 1 Sep 2017 14:57:39 +0200
-Subject: [PATCH 12/13] vga: stop passing pointers to vga_draw_line* functions
+Subject: [PATCH 12/23] vga: stop passing pointers to vga_draw_line* functions
 
 Instead pass around the address (aka offset into vga memory).
 Add vga_read_* helper functions which apply vbe_size_mask to

debian/patches/extra/0013-multiboot-validate-multiboot-header-address-values.patch

@@ -1,7 +1,7 @@
-From fff4299fb7be857e93ff5c6ea0f871c62d159c1d Mon Sep 17 00:00:00 2001
+From 158e47c5a3ebe4b67d35b7c1e8fecad258e735db Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 7 Sep 2017 12:02:56 +0530
-Subject: [PATCH 13/13] multiboot: validate multiboot header address values
+Subject: [PATCH 13/23] multiboot: validate multiboot header address values
 
 While loading kernel via multiboot-v1 image, (flags & 0x00010000)
 indicates that multiboot header contains valid addresses to load

debian/patches/extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch

@@ -1,7 +1,7 @@
-From 3474ad551f5ff8c550d388251c9555882d9beb5d Mon Sep 17 00:00:00 2001
+From 5cd576814744853a855ab64400e2d8d9c0b7bb0e Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 19 Sep 2017 14:20:28 +0200
+Date: Wed, 20 Sep 2017 08:09:33 +0200
-Subject: [PATCH 14/14] virtio: fix descriptor counting in virtqueue_pop
+Subject: [PATCH 14/23] virtio: fix descriptor counting in virtqueue_pop
 
 While changing the s/g list allocation, commit 3b3b0628
 also changed the descriptor counting to count iovec entries
@@ -15,6 +15,8 @@ Reported-by: Hans Middelhoek <h.middelhoek@ospito.nl>
 Link: https://forum.proxmox.com/threads/vm-crash-with-memory-hotplug.35904/
 Fixes: 3b3b0628217e ("virtio: slim down allocation of VirtQueueElements")
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 ---
  hw/virtio/virtio.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

debian/patches/extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch

@@ -0,0 +1,31 @@
+From 93b7498c9e8adcd51c70f8df88b9228658b43595 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 29 Nov 2017 09:39:55 +0100
+Subject: [PATCH 15/23] nbd/server: CVE-2017-15119 Reject options larger than
+ 32M
+
+Backported-from: fdad35ef6c58
+---
+ nbd/server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index a98bb21a0a..4d6da8ac06 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -489,6 +489,12 @@ static int nbd_negotiate_options(NBDClient *client)
+         }
+         length = be32_to_cpu(length);
+ 
++        if (length > NBD_MAX_BUFFER_SIZE) {
++            LOG("len (%" PRIu32" ) is larger than max len (%u)",
++                length, NBD_MAX_BUFFER_SIZE);
++            return -EINVAL;
++        }
++
+         TRACE("Checking option 0x%" PRIx32, clientflags);
+         if (client->tlscreds &&
+             client->ioc == (QIOChannel *)client->sioc) {
+-- 
+2.11.0
+

debian/patches/extra/0016-vga-migration-Update-memory-map-in-post_load.patch

@@ -0,0 +1,32 @@
+From 8b2be8e3f9c1ca9f78b1c87ead13f54fbd98198a Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Fri, 4 Aug 2017 12:33:29 +0100
+Subject: [PATCH 16/23] vga/migration: Update memory map in post_load
+
+After migration the chain4 alias mapping added by 80763888 (in 2011)
+might be missing, since there's no call to vga_update_memory_access
+in the post_load after the registers are updated.  Add it back.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Message-id: 20170804113329.13609-1-dgilbert@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vga.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 13e4a5d55d..a99d831e04 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -2050,6 +2050,7 @@ static int vga_common_post_load(void *opaque, int version_id)
+     /* force refresh */
+     s->graphic_mode = -1;
+     vbe_update_vgaregs(s);
++    vga_update_memory_access(s);
+     return 0;
+ }
+ 
+-- 
+2.11.0
+

debian/patches/extra/0017-vga-drop-line_offset-variable.patch

@@ -0,0 +1,52 @@
+From 3a1728b97f64e3ed4efc827bce7ff917ea5b6dd1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:21 +0200
+Subject: [PATCH 17/23] vga: drop line_offset variable
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index a99d831e04..77af807a51 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1464,7 +1464,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ {
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int y1, y, update, linesize, y_start, double_scan, mask, depth;
+-    int width, height, shift_control, line_offset, bwidth, bits;
++    int width, height, shift_control, bwidth, bits;
+     ram_addr_t page0, page1;
+     DirtyBitmapSnapshot *snap = NULL;
+     int disp_width, multi_scan, multi_run;
+@@ -1614,7 +1614,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+         s->cursor_invalidate(s);
+     }
+ 
+-    line_offset = s->line_offset;
+ #if 0
+     printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
+            width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
+@@ -1629,7 +1628,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+     if (!full_update) {
+         ram_addr_t region_start = addr1;
+-        ram_addr_t region_end = addr1 + line_offset * height;
++        ram_addr_t region_end = addr1 + s->line_offset * height;
+         vga_sync_dirty_bitmap(s);
+         if (s->line_compare < height) {
+             /* split screen mode */
+@@ -1681,7 +1680,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+         if (!multi_run) {
+             mask = (s->cr[VGA_CRTC_MODE] & 3) ^ 3;
+             if ((y1 & mask) == mask)
+-                addr1 += line_offset;
++                addr1 += s->line_offset;
+             y1++;
+             multi_run = multi_scan;
+         } else {
+-- 
+2.11.0
+

debian/patches/extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch

@@ -0,0 +1,103 @@
+From b63830cd6f59a87ef9bdb4f466ce8f4bd2ff5315 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:22 +0200
+Subject: [PATCH 18/23] vga: handle cirrus vbe mode wraparounds.
+
+Commit "3d90c62548 vga: stop passing pointers to vga_draw_line*
+functions" is incomplete.  It doesn't handle the case that the vga
+rendering code tries to create a shared surface, i.e. a pixman image
+backed by vga video memory.  That can not work in case the guest display
+wraps from end of video memory to the start.  So force shadowing in that
+case.  Also adjust the snapshot region calculation.
+
+Can trigger with cirrus only, when programming vbe modes using the bochs
+api (stdvga, also qxl and virtio-vga in vga compat mode) wrap arounds
+can't happen.
+
+Fixes: CVE-2017-13672
+Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681
+Cc: P J P <ppandit@redhat.com>
+Reported-by: David Buchanan <d@vidbuchanan.co.uk>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-3-kraxel@redhat.com
+---
+ hw/display/vga.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 77af807a51..7bdbf7441e 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1465,13 +1465,13 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     DisplaySurface *surface = qemu_console_surface(s->con);
+     int y1, y, update, linesize, y_start, double_scan, mask, depth;
+     int width, height, shift_control, bwidth, bits;
+-    ram_addr_t page0, page1;
++    ram_addr_t page0, page1, region_start, region_end;
+     DirtyBitmapSnapshot *snap = NULL;
+     int disp_width, multi_scan, multi_run;
+     uint8_t *d;
+     uint32_t v, addr1, addr;
+     vga_draw_line_func *vga_draw_line = NULL;
+-    bool share_surface;
++    bool share_surface, force_shadow = false;
+     pixman_format_code_t format;
+ #ifdef HOST_WORDS_BIGENDIAN
+     bool byteswap = !s->big_endian_fb;
+@@ -1484,6 +1484,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     s->get_resolution(s, &width, &height);
+     disp_width = width;
+ 
++    region_start = (s->start_addr * 4);
++    region_end = region_start + s->line_offset * height;
++    if (region_end > s->vbe_size) {
++        /* wraps around (can happen with cirrus vbe modes) */
++        region_start = 0;
++        region_end = s->vbe_size;
++        force_shadow = true;
++    }
++
+     shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
+     double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
+     if (shift_control != 1) {
+@@ -1523,7 +1532,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     format = qemu_default_pixman_format(depth, !byteswap);
+     if (format) {
+         share_surface = dpy_gfx_check_format(s->con, format)
+-            && !s->force_shadow;
++            && !s->force_shadow && !force_shadow;
+     } else {
+         share_surface = false;
+     }
+@@ -1627,8 +1636,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     y1 = 0;
+ 
+     if (!full_update) {
+-        ram_addr_t region_start = addr1;
+-        ram_addr_t region_end = addr1 + s->line_offset * height;
+         vga_sync_dirty_bitmap(s);
+         if (s->line_compare < height) {
+             /* split screen mode */
+@@ -1651,10 +1658,17 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+             addr = (addr & ~0x8000) | ((y1 & 2) << 14);
+         }
+         update = full_update;
+-        page0 = addr;
+-        page1 = addr + bwidth - 1;
++        page0 = addr & s->vbe_size_mask;
++        page1 = (addr + bwidth - 1) & s->vbe_size_mask;
+         if (full_update) {
+             update = 1;
++        } else if (page1 < page0) {
++            /* scanline wraps from end of video memory to the start */
++            assert(force_shadow);
++            update = memory_region_snapshot_get_dirty(&s->vram, snap,
++                                                      page0, 0);
++            update |= memory_region_snapshot_get_dirty(&s->vram, snap,
++                                                       page1, 0);
+         } else {
+             update = memory_region_snapshot_get_dirty(&s->vram, snap,
+                                                       page0, page1 - page0);
+-- 
+2.11.0
+

debian/patches/extra/0019-vga-add-ram_addr_t-cast.patch

@@ -0,0 +1,30 @@
+From 918868b77c7a04d3e2aa7bbc7f9255dafe75f709 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 10 Oct 2017 16:13:23 +0200
+Subject: [PATCH 19/23] vga: add ram_addr_t cast
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 7bdbf7441e..63ba404ef2 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1485,7 +1485,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     disp_width = width;
+ 
+     region_start = (s->start_addr * 4);
+-    region_end = region_start + s->line_offset * height;
++    region_end = region_start + (ram_addr_t)s->line_offset * height;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
+-- 
+2.11.0
+

debian/patches/extra/0020-vga-fix-region-checks-in-wraparound-case.patch

@@ -0,0 +1,32 @@
+From 3c51ccd7bb43dd763a1ff3112b8a0cd7e145ca4f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 30 Oct 2017 11:28:30 +0100
+Subject: [PATCH 20/23] vga: fix region checks in wraparound case
+
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: 20171030102830.4469-1-kraxel@redhat.com
+---
+ hw/display/vga.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 63ba404ef2..a58d8bcd67 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1666,9 +1666,9 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+             /* scanline wraps from end of video memory to the start */
+             assert(force_shadow);
+             update = memory_region_snapshot_get_dirty(&s->vram, snap,
+-                                                      page0, 0);
++                                                      page0, s->vbe_size - page0);
+             update |= memory_region_snapshot_get_dirty(&s->vram, snap,
+-                                                       page1, 0);
++                                                       0, page1);
+         } else {
+             update = memory_region_snapshot_get_dirty(&s->vram, snap,
+                                                       page0, page1 - page0);
+-- 
+2.11.0
+

debian/patches/extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch

@@ -0,0 +1,55 @@
+From 89a1271a7687018cdbf2b7f92cf3d50d079e100e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 9 Oct 2017 14:43:42 +0100
+Subject: [PATCH 21/23] io: monitor encoutput buffer size from websocket
+ GSource
+
+The websocket GSource is monitoring the size of the rawoutput
+buffer to determine if the channel can accepts more writes.
+The rawoutput buffer, however, is merely a temporary staging
+buffer before data is copied into the encoutput buffer. Thus
+its size will always be zero when the GSource runs.
+
+This flaw causes the encoutput buffer to grow without bound
+if the other end of the underlying data channel doesn't
+read data being sent. This can be seen with VNC if a client
+is on a slow WAN link and the guest OS is sending many screen
+updates. A malicious VNC client can act like it is on a slow
+link by playing a video in the guest and then reading data
+very slowly, causing QEMU host memory to expand arbitrarily.
+
+This issue is assigned CVE-2017-15268, publically reported in
+
+  https://bugs.launchpad.net/qemu/+bug/1718964
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ io/channel-websock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index 8fabadea2f..882bbb4cbc 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -26,7 +26,7 @@
+ #include "trace.h"
+ 
+ 
+-/* Max amount to allow in rawinput/rawoutput buffers */
++/* Max amount to allow in rawinput/encoutput buffers */
+ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
+ 
+ #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
+@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
+     if (wsource->wioc->rawinput.offset) {
+         cond |= G_IO_IN;
+     }
+-    if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
++    if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+         cond |= G_IO_OUT;
+     }
+ 
+-- 
+2.11.0
+

debian/patches/extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch

@@ -0,0 +1,43 @@
+From 184640d2552895d967214e90e23e005d6657b145 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH 22/23] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index c80ba67389..aaf9935ef4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+                                      xattr_fidp->fs.xattr.value,
+                                      xattr_fidp->fs.xattr.len);
+@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+         xattr_fidp->fid_type = P9_FID_XATTR;
+         xattr_fidp->fs.xattr.xattrwalk_fid = true;
+         if (size) {
+-            xattr_fidp->fs.xattr.value = g_malloc(size);
++            xattr_fidp->fs.xattr.value = g_malloc0(size);
+             err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+                                     &name, xattr_fidp->fs.xattr.value,
+                                     xattr_fidp->fs.xattr.len);
+-- 
+2.11.0
+

debian/patches/extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch

@@ -0,0 +1,58 @@
+From b162e22e5f0c1081efeec646999616ce1a7e3875 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 11 Oct 2017 10:43:14 +0200
+Subject: [PATCH 23/23] cirrus: fix oob access in mode4and5 write functions
+
+Move dst calculation into the loop, so we apply the mask on each
+interation and will not overflow vga memory.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171011084314.21752-1-kraxel@redhat.com
+---
+ hw/display/cirrus_vga.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index afc290ab91..077a8cb74f 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
++        dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
+ 	if (val & 0x80) {
+ 	    *dst = s->cirrus_shadow_gr1;
+ 	} else if (mode == 5) {
+ 	    *dst = s->cirrus_shadow_gr0;
+ 	}
+ 	val <<= 1;
+-	dst++;
+     }
+     memory_region_set_dirty(&s->vga.vram, offset, 8);
+ }
+@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+     unsigned val = mem_value;
+     uint8_t *dst;
+ 
+-    dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
++        dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
+ 	if (val & 0x80) {
+ 	    *dst = s->cirrus_shadow_gr1;
+ 	    *(dst + 1) = s->vga.gr[0x11];
+@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
+ 	    *(dst + 1) = s->vga.gr[0x10];
+ 	}
+ 	val <<= 1;
+-	dst += 2;
+     }
+     memory_region_set_dirty(&s->vga.vram, offset, 16);
+ }
+-- 
+2.11.0
+

debian/patches/series

@@ -40,3 +40,12 @@ extra/0011-vga-fix-display-update-region-calculation-split-scre.patch
 extra/0012-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
 extra/0013-multiboot-validate-multiboot-header-address-values.patch
 extra/0014-virtio-fix-descriptor-counting-in-virtqueue_pop.patch
+extra/0015-nbd-server-CVE-2017-15119-Reject-options-larger-than.patch
+extra/0016-vga-migration-Update-memory-map-in-post_load.patch
+extra/0017-vga-drop-line_offset-variable.patch
+extra/0018-vga-handle-cirrus-vbe-mode-wraparounds.patch
+extra/0019-vga-add-ram_addr_t-cast.patch
+extra/0020-vga-fix-region-checks-in-wraparound-case.patch
+extra/0021-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
+extra/0022-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
+extra/0023-cirrus-fix-oob-access-in-mode4and5-write-functions.patch