From ea985d235b868047cb4d8cb5657bcd8ad98c6ba2 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Fri, 15 Sep 2023 13:57:11 +0200 Subject: pc_piix: remove pc-i440fx-1.4 up to pc-i440fx-1.7 These are the last users of the 128K SeaBIOS blob in the i440FX family. Removing them allows us to drop PCI support from the 128K blob, thus making it easier to update SeaBIOS to newer versions. Reviewed-by: Thomas Huth Signed-off-by: Paolo Bonzini --- hw/i386/pc.c | 60 +++------------------------------------------ hw/i386/pc_piix.c | 73 ------------------------------------------------------- 2 files changed, 3 insertions(+), 130 deletions(-) (limited to 'hw') diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 3db0743..5d399b6 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -359,60 +359,6 @@ GlobalProperty pc_compat_2_0[] = { }; const size_t pc_compat_2_0_len = G_N_ELEMENTS(pc_compat_2_0); -GlobalProperty pc_compat_1_7[] = { - PC_CPU_MODEL_IDS("1.7.0") - { TYPE_USB_DEVICE, "msos-desc", "no" }, - { "PIIX4_PM", ACPI_PM_PROP_ACPI_PCIHP_BRIDGE, "off" }, - { "hpet", HPET_INTCAP, "4" }, -}; -const size_t pc_compat_1_7_len = G_N_ELEMENTS(pc_compat_1_7); - -GlobalProperty pc_compat_1_6[] = { - PC_CPU_MODEL_IDS("1.6.0") - { "e1000", "mitigation", "off" }, - { "qemu64-" TYPE_X86_CPU, "model", "2" }, - { "qemu32-" TYPE_X86_CPU, "model", "3" }, - { "i440FX-pcihost", "short_root_bus", "1" }, - { "q35-pcihost", "short_root_bus", "1" }, -}; -const size_t pc_compat_1_6_len = G_N_ELEMENTS(pc_compat_1_6); - -GlobalProperty pc_compat_1_5[] = { - PC_CPU_MODEL_IDS("1.5.0") - { "Conroe-" TYPE_X86_CPU, "model", "2" }, - { "Conroe-" TYPE_X86_CPU, "min-level", "2" }, - { "Penryn-" TYPE_X86_CPU, "model", "2" }, - { "Penryn-" TYPE_X86_CPU, "min-level", "2" }, - { "Nehalem-" TYPE_X86_CPU, "model", "2" }, - { "Nehalem-" TYPE_X86_CPU, "min-level", "2" }, - { "virtio-net-pci", "any_layout", "off" }, - { TYPE_X86_CPU, "pmu", "on" }, - { "i440FX-pcihost", "short_root_bus", "0" }, - { "q35-pcihost", "short_root_bus", "0" }, -}; -const size_t pc_compat_1_5_len = G_N_ELEMENTS(pc_compat_1_5); - -GlobalProperty pc_compat_1_4[] = { - PC_CPU_MODEL_IDS("1.4.0") - { "scsi-hd", "discard_granularity", "0" }, - { "scsi-cd", "discard_granularity", "0" }, - { "ide-hd", "discard_granularity", "0" }, - { "ide-cd", "discard_granularity", "0" }, - { "virtio-blk-pci", "discard_granularity", "0" }, - /* DEV_NVECTORS_UNSPECIFIED as a uint32_t string: */ - { "virtio-serial-pci", "vectors", "0xFFFFFFFF" }, - { "virtio-net-pci", "ctrl_guest_offloads", "off" }, - { "e1000", "romfile", "pxe-e1000.rom" }, - { "ne2k_pci", "romfile", "pxe-ne2k_pci.rom" }, - { "pcnet", "romfile", "pxe-pcnet.rom" }, - { "rtl8139", "romfile", "pxe-rtl8139.rom" }, - { "virtio-net-pci", "romfile", "pxe-virtio.rom" }, - { "486-" TYPE_X86_CPU, "model", "0" }, - { "n270" "-" TYPE_X86_CPU, "movbe", "off" }, - { "Westmere" "-" TYPE_X86_CPU, "pclmulqdq", "off" }, -}; -const size_t pc_compat_1_4_len = G_N_ELEMENTS(pc_compat_1_4); - GSIState *pc_gsi_create(qemu_irq **irqs, bool pci_enabled) { GSIState *s; @@ -1293,9 +1239,9 @@ void pc_basic_device_init(struct PCMachineState *pcms, exit(1); } /* - * For pc-piix-*, hpet's intcap is always IRQ2. For pc-q35-1.7 and - * earlier, use IRQ2 for compat. Otherwise, use IRQ16~23, IRQ8 and - * IRQ2. + * For pc-piix-*, hpet's intcap is always IRQ2. For pc-q35-*, + * use IRQ16~23, IRQ8 and IRQ2. If the user has already set + * the property, use whatever mask they specified. */ uint8_t compat = object_property_get_uint(OBJECT(hpet), HPET_INTCAP, NULL); diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c index 8321f36..ff8654e 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c @@ -423,27 +423,6 @@ static void pc_compat_2_0_fn(MachineState *machine) pc_compat_2_1_fn(machine); } -static void pc_compat_1_7_fn(MachineState *machine) -{ - pc_compat_2_0_fn(machine); - x86_cpu_change_kvm_default("x2apic", NULL); -} - -static void pc_compat_1_6_fn(MachineState *machine) -{ - pc_compat_1_7_fn(machine); -} - -static void pc_compat_1_5_fn(MachineState *machine) -{ - pc_compat_1_6_fn(machine); -} - -static void pc_compat_1_4_fn(MachineState *machine) -{ - pc_compat_1_5_fn(machine); -} - #ifdef CONFIG_ISAPC static void pc_init_isa(MachineState *machine) { @@ -876,58 +855,6 @@ static void pc_i440fx_2_0_machine_options(MachineClass *m) DEFINE_I440FX_MACHINE(v2_0, "pc-i440fx-2.0", pc_compat_2_0_fn, pc_i440fx_2_0_machine_options); -static void pc_i440fx_1_7_machine_options(MachineClass *m) -{ - PCMachineClass *pcmc = PC_MACHINE_CLASS(m); - - pc_i440fx_2_0_machine_options(m); - m->hw_version = "1.7.0"; - m->default_machine_opts = NULL; - m->option_rom_has_mr = true; - m->deprecation_reason = "old and unattended - use a newer version instead"; - compat_props_add(m->compat_props, pc_compat_1_7, pc_compat_1_7_len); - pcmc->smbios_defaults = false; - pcmc->gigabyte_align = false; - pcmc->legacy_acpi_table_size = 6414; -} - -DEFINE_I440FX_MACHINE(v1_7, "pc-i440fx-1.7", pc_compat_1_7_fn, - pc_i440fx_1_7_machine_options); - -static void pc_i440fx_1_6_machine_options(MachineClass *m) -{ - PCMachineClass *pcmc = PC_MACHINE_CLASS(m); - - pc_i440fx_1_7_machine_options(m); - m->hw_version = "1.6.0"; - m->rom_file_has_mr = false; - compat_props_add(m->compat_props, pc_compat_1_6, pc_compat_1_6_len); - pcmc->has_acpi_build = false; -} - -DEFINE_I440FX_MACHINE(v1_6, "pc-i440fx-1.6", pc_compat_1_6_fn, - pc_i440fx_1_6_machine_options); - -static void pc_i440fx_1_5_machine_options(MachineClass *m) -{ - pc_i440fx_1_6_machine_options(m); - m->hw_version = "1.5.0"; - compat_props_add(m->compat_props, pc_compat_1_5, pc_compat_1_5_len); -} - -DEFINE_I440FX_MACHINE(v1_5, "pc-i440fx-1.5", pc_compat_1_5_fn, - pc_i440fx_1_5_machine_options); - -static void pc_i440fx_1_4_machine_options(MachineClass *m) -{ - pc_i440fx_1_5_machine_options(m); - m->hw_version = "1.4.0"; - compat_props_add(m->compat_props, pc_compat_1_4, pc_compat_1_4_len); -} - -DEFINE_I440FX_MACHINE(v1_4, "pc-i440fx-1.4", pc_compat_1_4_fn, - pc_i440fx_1_4_machine_options); - #ifdef CONFIG_ISAPC static void isapc_machine_options(MachineClass *m) { -- cgit v1.1 From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Mon, 25 Sep 2023 11:18:54 +0200 Subject: hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] We are doing things like nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes with a division by 0 exception. Thus disallow block sizes of 256 bytes to avoid this situation. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 CVE: 2023-42467 Signed-off-by: Thomas Huth Message-ID: <20230925091854.49198-1-thuth@redhat.com> Signed-off-by: Paolo Bonzini --- hw/scsi/scsi-disk.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index e0d79c7..477ee2b 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) * Since the existing code only checks/updates bits 8-15 of the block * size, restrict ourselves to the same requirement for now to ensure * that a block size set by a block descriptor and then read back by - * a subsequent SCSI command will be the same + * a subsequent SCSI command will be the same. Also disallow a block + * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. */ - if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { + if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { s->qdev.blocksize = bs; trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); } -- cgit v1.1 From 4c186847ee0080a76dfef874322d634c429d43ad Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 25 Sep 2023 12:05:37 +0200 Subject: mptsas: avoid shadowed local variables Rename the argument so that "addr" is only used inside the for loop. Signed-off-by: Paolo Bonzini --- hw/scsi/mptsas.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'hw') diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c index 3de288b..75d3ab8 100644 --- a/hw/scsi/mptsas.c +++ b/hw/scsi/mptsas.c @@ -192,7 +192,7 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, return addr; } -static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) +static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr req_addr) { PCIDevice *pci = (PCIDevice *) s; hwaddr next_chain_addr; @@ -201,8 +201,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) uint32_t chain_offset; chain_offset = req->scsi_io.ChainOffset; - next_chain_addr = addr + chain_offset * sizeof(uint32_t); - sgaddr = addr + sizeof(MPIMsgSCSIIORequest); + next_chain_addr = req_addr + chain_offset * sizeof(uint32_t); + sgaddr = req_addr + sizeof(MPIMsgSCSIIORequest); pci_dma_sglist_init(&req->qsg, pci, 4); left = req->scsi_io.DataLength; -- cgit v1.1 From 973d3ea5a1c0573149b7004108276ca01cb05fd2 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 25 Sep 2023 12:21:29 +0200 Subject: pm_smbus: rename variable to avoid shadowing Acked-by: Corey Minyard Signed-off-by: Paolo Bonzini --- hw/i2c/pm_smbus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hw') diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c index 9ad6a47..4e1b8a5 100644 --- a/hw/i2c/pm_smbus.c +++ b/hw/i2c/pm_smbus.c @@ -279,7 +279,7 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val, if (!read && s->smb_index == s->smb_data0) { uint8_t prot = (s->smb_ctl >> 2) & 0x07; uint8_t cmd = s->smb_cmd; - uint8_t addr = s->smb_addr >> 1; + uint8_t smb_addr = s->smb_addr >> 1; int ret; if (prot == PROT_I2C_BLOCK_READ) { @@ -287,7 +287,7 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val, goto out; } - ret = smbus_write_block(s->smbus, addr, cmd, s->smb_data, + ret = smbus_write_block(s->smbus, smb_addr, cmd, s->smb_data, s->smb_data0, !s->i2c_enable); if (ret < 0) { s->smb_stat |= STS_DEV_ERR; -- cgit v1.1