Format auto-probing of writable images is a security hole. The last
known remaining instance is monitor command change. Disable probing
there and use raw. This breaks change for images in all other
formats.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
which makes it easy to compile mini-os in various flavors. Also clean up
some parts of the stubdom build.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
does not really belong to hw/, but to /, like sdl.c and vnc.c.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Bring the DisplayState dpy_resize interface back to how it is in qemu
mainstream, thus making the code easier to merge.
In order to support sharing the framebuffer, I am adding a new resize
interface called dpy_resize_shared that also has a depth and a pixels
parameters. As a consequence I could remove the dpy_colourdepth
callback and make the code cleaner and easier to read.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
into stubdom/ as possible. That also makes it possible to build all of
the ioemu, C and caml stubdoms at the same time.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Fixes specifying fda/fdb image names in domain configs.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
- add S3 suspend logic in the PM1A control register. When the guest writes a
specific value to this register, QEMU will trigger S3 sleep by
* resetting all qemu devices
* setting the CMOS shutdown status as S3 resume, so that rombios will do
the S3 resume later
* requesting Xen to S3-suspend the guest
Signed-off-by: Yu Ke <ke.yu@intel.com>
Signed-off-by: Liping Ke <liping.ke@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Changeset 17289:d97e61001d81 introduced vfb configuration parameter
videoram, defaulting to zero. Value zero was interpreted as
unlimited. Changeset 17630:53195719f762 accidentally dropped the
special case for zero, which broke guests that don't specify videoram,
or specify videoram=0. Restore the old behavior.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
This patch fixes several bugs in serial.c
(1) A typo in serial_save() where qemu_get_8s is called (should be
qemu_put_8s)
(2) No support provided in serial_load() for version_id == 1 (should
unmarshal a 1 byte s->divider and should provide a default value
for s->fcr)
(3) Call serial_ioport_write() to initialize s->fcr. It is not
sufficient to load its value; other hidden values (such as
s->recv_fifo.itl) must be re-initialized.
Signed-off-by: Ben Guthro <bguthro@virtualiron.com>
Signed-off-by: Robert Phillips <rphillips@virtualiron.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
This patch is related to Changeset 15635:7bdc9f6407d3
<http://xenbits.xensource.com/staging/xen-unstable.hg?rev/7bdc9f6407d3>
[PVFB] Fix shift key for graphical vnc display.
With above patch, if a user presses shift-insert, qemu sends shift
down, shift up, insert down and then another shift key down (see trace
below). This makes it impossible to do shift insert pasting or use
guest hot shifted-Fkeys.
Shift Insert trace:
do_key_event():1135 keycode:2a shift down
kbd_put_keycode():539 keycode:2a send shift down
do_key_event():1135 keycode:d2 insert down
kbd_put_keycode():539 keycode:aa send shift up
kbd_put_keycode():539 keycode:e0 send insert down
kbd_put_keycode():539 keycode:52
do_key_event():1135 keycode:d2 insert up
kbd_put_keycode():539 keycode:e0 send insert up
kbd_put_keycode():539 keycode:d2
kbd_put_keycode():539 keycode:2a send shift down
do_key_event():1135 keycode:2a shift up
kbd_put_keycode():539 keycode:aa send shift up
This patch adds a check for the keycode being shiftable (something
other than a keypad key, F1-12, Insert, Del, etc.) before allowing
the press_shift_up() operation.
Signed-off-by: Pat Campbell <plc@novell.com>
Patch sends a UNIT_ATTENTION (6), MEDIUM_MAY_HAVE_CHANGED (0x28) sense
when the cdrom transitions from not ready to ready.
See the ATA Packet Interface for CD-ROMs, SFF8020i.pdf: state diagram
Figure 12, page 82, and Table 44 (recommended Sense Key, ASC).
With the patch in place, an HVM win2008 server guest sees that the CD/DVD
contents have changed when the media is switched.
Signed-off-by: Pat Campbell <plc@novell.com>
Patch puts the 0xe0 prefix before putting right alt or right ctrl
keycodes. Also adds the keysym definition for ISO_Left_Tab.
Signed-off-by: Pat Campbell <plc@novell.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
A buggy or malicious frontend can describe its shared framebuffer to
the backend in a way that makes the backend map an arbitrary amount of
guest memory, malloc an arbitrarily large internal buffer, copy
arbitrary memory to that buffer, even beyond its end. A domU running
a malicious frontend can abuse the former two for denial of service
attacks against dom0. It can abuse the third to write arbitrary
backend memory. It can abuse all three to terminate or crash the
backend. Arbitrary code execution looks quite feasible.
In more detail (ignoring #ifdef CONFIG_STUBDOM code):
The frame buffer is described by the following parameters:
* fb_len (size of shared framebuffer)
* width, height, depth
* row_stride, offset
fb_len is fixed on startup. The frontend can modify the other
parameters by sending a XENFB_TYPE_RESIZE event.
xenfb_read_frontend_fb_config() limits fb_len according to backend
configuration parameter videoram (from xenstore), if present. I
believe videoram is not present by default.
xenfb_map_fb() uses fb_len to map the frontend's framebuffer.
The frontend can make it map arbitrarily much, unless limited by the
videoram configuration parameter. This flaw always existed.
xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw always
existed.
xenfb_register_console() and xenfb_on_fb_event() pass width, height,
depth and rowstride to QEMU's DisplayState object. The object sets
itself up to work directly on the framebuffer (shared_buf true) if
parameters allow that. Else it allocates an internal buffer of size
height * width * depth / 8 (shared_buf false).
The frontend can make it allocate arbitrarily much. This flaw was
introduced by the move of PVFB into QEMU (xen-unstable cset 16220
ff).
xenfb_on_fb_event() uses width and height to clip the area of an
update event. It then passes that area to xenfb_guest_copy().
xenfb_invalidate() passes the complete screen area to
xenfb_guest_copy(). xenfb_guest_copy() copies the argument area (x,
y, w, h) into the internal buffer, unless shared_buf is true. This
copies h blocks of memory. The i-th copy (counting from zero) copies
w * depth / 8 bytes
from
shared framebuffer + offset + (y + i) * row_stride + x * depth / 8
to
internal buffer + (y + i) * ds->linesize + x * ds->depth / 8
where ds->linesize and ds->depth are parameters of the internal buffer
chosen by the backend.
This copy can be made to read from the shared framebuffer and write to
the internal buffer out of bounds. I believe the frontend can abuse
this to write arbitrary backend memory.
The flaw in its current form was introduced by the move of PVFB into
QEMU (xen-unstable cset 16220 ff). Before, the framebuffer was always
shared.
From: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
which lets the frontend avoid useless polls.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
* Make the xenstore reader in qemu-dm's startup determine which
of qemu's block drivers to use according to the xenstore
backend `type' field. This `type' field typically comes from
the front of the drive mapping string in ioemu. The
supported cases are:

| xm config file string | `type' | image format | qemu driver |
|---|---|---|---|
| phy:[/dev/]<device> | phy | raw image | bdrv_raw |
| file:<filename> | file | raw image | bdrv_raw |
| tap:aio:<filename> | tap | raw image | bdrv_raw |
| tap:qcow:<image> | tap | not raw | autoprobe |
| tap:<cow-fmt>:<image> | tap | named format | bdrv_<cow-fmt> |

It is still necessary to autoprobe when the image is specified as
`tap:qcow:<image>', because qemu distinguishes `qcow' and `qcow2'
whereas blktap doesn't; `qcow' in xenstore typically means what
qemu calls qcow2. This is OK because qemu can safely distinguish
the different cow formats provided we know it's not a raw image.
* Make the format autoprobing machinery never return `raw'. This has
two purposes: firstly, it arranges that the `tap:qcow:...' case
above can be handled without accidentally falling back to raw
format. Secondly it prevents accidents in case the code changes in
future: autoprobing will now always fail on supposed cow files which
actually contain junk, rather than giving the guest access to the
underlying file.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Shan Haitao <Haitao.shan@intel.com>
This adds a new HVM op that enables tracking dirty bits of a range of
video RAM. The idea is to optimize just for the most common case
(only one guest mapping, with sometimes some temporary other
mappings), which keeps the overhead on shadow as low as
possible.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
by not calling get_bpp() (which only makes sense in graphical mode)
and always using 0 instead.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
When sdl_resize resizes the SDL window, some window managers send back
a ConfigureNotify event, which triggers an SDL_VIDEORESIZE event. That
event, however, is seen only much later, on the next VGA refresh
round. If the guest quickly switches to another resolution in between,
the SDL_VIDEORESIZE event makes us erroneously rescale that new
resolution into the old one.
This patch makes us pump that window manager event, so that no
SDL_VIDEORESIZE event is generated.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Currently it only intercepts access to MSI config space; no MSI-X support.
Signed-off-by: Jiang Yunhong <yunhong.jiang@intel.com>
Signed-off-by: Shan Haitao <haitao.shan@intel.com>
Signed-off-by: Jiang Yunhong <yunhong.jiang@intel.com>
Signed-off-by: Shan Haitao <haitao.shan@intel.com>
Otherwise, ioemu can be out of sync with the hypervisor after
restoring guest state, if INTx lines were asserted when the state was
saved. This prevents ioemu from setting the line to zero in Xen
(because it thinks the line is already zero). This can allow the guest
to enter an endless IRQ loop and hang.
Signed-off-by: Kazuhiro Suzuki <kaz@jp.fujitsu.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
When a domain wants to use a tap:ioemu disk but has no device model,
start a tapdisk-ioemu instance as provider. Also, move the creation
and removal of communication pipes to xend so that qemu-dm doesn't
need the unwanted SIGHUP handler anymore.
Signed-off-by: Kevin Wolf <kwolf@suse.de>
Breaks HVM guest creation (bugzilla #1221).
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
When a domain wants to use a tap:ioemu disk but has no device model,
start a tapdisk-ioemu instance as provider. Also, move the creation
and removal of communication pipes to xend so that qemu-dm doesn't
need the unwanted SIGHUP handler anymore.
Signed-off-by: Kevin Wolf <kwolf@suse.de>
changeset e1962ac0fb1c breaks cross-builds because it assumes the
system strip tool applies to the generated binaries. This assumption
isn't made anywhere else in the xen tools build.
Signed-off-by: Aron Griffis <aron@hp.com>
which, together with the offset support, also makes it possible to expose
the VGA vram and the non-shared vram through PVFB at the same time,
switching between both as appropriate.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Rescheduling the call to handle_buffered_io costs the system call to
qemu_get_clock(), which is very expensive considering the latency
we would like to achieve for I/O reqs, so we should avoid it.
That means that handle_buffered_io may be called as often as every
0.1s, but that's not so costly.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
markers at its beginning and end, and then link with mini-os.
That lets us stick a bit closer to upstream qemu.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
instead of dom0.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
ioemu doesn't need to do it.
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Windows VMs. Return an error if the guest OS tries to transmit a
packet with the transmitter disabled, so that it doesn't spin forever
waiting for it to complete.
Signed-off-by: Steven Smith <Steven.Smith@eu.citrix.com>
Currently, tap:ioemu can only be used for domains which have a device
model running. This isn't the case for all domains. The most important
of the missing domains is Dom0, which needs access e.g. to extract the
kernel from the domain's image.
tapdisk-ioemu is a tool compiled from the ioemu source plus a small
wrapper which handles tap:ioemu access for domains without a device
model (currently Dom0). You must start tapdisk-ioemu manually before
trying to attach a tap:ioemu disk to Dom0 at the moment. A patch to
blktapctrl will follow to automatically start tapdisk-ioemu when
needed.
Signed-off-by: Kevin Wolf <kwolf@suse.de>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>