[Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices.

[Qemu-devel] [PATCH 0/3] RfC: add support for deprecated devices.

[Gerd Hoffmann]

Works simliar to machine types, by adding a deprecation_reason field
(using the same name for easy grepping).  Also deprecate two devices:
adlib and cirrus.

This is tagged as RfC because the deprecation notice is not added to
introspecction yet.

Gerd Hoffmann (3):
  qdev: add deprecation_reason to DeviceClass
  adlib: mark as insecure and deprecated.
  cirrus: mark as deprecated

 hw/audio/adlib.c            | 1 +
 hw/core/qdev.c              | 9 ++++++++-
 hw/display/cirrus_vga.c     | 2 ++
 hw/display/cirrus_vga_isa.c | 2 ++
 include/hw/qdev-core.h      | 1 +
 qdev-monitor.c              | 7 +++++++
 qemu-deprecated.texi        | 8 ++++++++
 7 files changed, 29 insertions(+), 1 deletion(-)

-- 
2.9.3

[Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass

[Gerd Hoffmann]

Simliar to deprecated machine types.
Print a warning when creating a deprecated device.
Add deprecation notice to -device help.

TODO: add to intospection.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/core/qdev.c         | 9 ++++++++-
 include/hw/qdev-core.h | 1 +
 qdev-monitor.c         | 7 +++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 046d8f1..3b27a74 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name)
 
 DeviceState *qdev_try_create(BusState *bus, const char *type)
 {
+    DeviceClass *dc;
     DeviceState *dev;
 
-    if (object_class_by_name(type) == NULL) {
+    dc = DEVICE_CLASS(object_class_by_name(type));
+    if (dc == NULL) {
         return NULL;
     }
+    if (dc->deprecation_reason) {
+        warn_report("device %s is deprecated (%s)",
+                    type, dc->deprecation_reason);
+    }
+
     dev = DEVICE(object_new(type));
     if (!dev) {
         return NULL;
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index a24d0dd..a352eaa 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -105,6 +105,7 @@ typedef struct DeviceClass {
      */
     bool user_creatable;
     bool hotpluggable;
+    const char *deprecation_reason;
 
     /* callbacks */
     DeviceReset reset;
diff --git a/qdev-monitor.c b/qdev-monitor.c
index 802c18a..bbba2bc 100644
--- a/qdev-monitor.c
+++ b/qdev-monitor.c
@@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc)
     if (!dc->user_creatable) {
         out_printf(", no-user");
     }
+    if (!dc->deprecation_reason) {
+        out_printf(", deprecated");
+    }
     out_printf("\n");
 }
 
@@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
     if (!dc) {
         return NULL;
     }
+    if (dc->deprecation_reason) {
+        warn_report("device %s is deprecated (%s)",
+                    driver, dc->deprecation_reason);
+    }
 
     /* find bus */
     path = qemu_opt_get(opts, "bus");
-- 
2.9.3

[Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Gerd Hoffmann]

We have a lovely, guest-triggerable buffer overflow in opl2 emulation.

Reproducer:
    outw(0xff60, 0x220);
    outw(0x1020, 0x220);
    outw(0xffb0, 0x220);
Result:
    Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])

The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf)
are rather sparse, possibly incomplete (looks like scanned fax with a
scrambled page at the end) and not really helpful in identifying which
of the register writes sets some illegal value.

So, go tag the device as deprecated with a warning messge, to notify
users and schedule it for removal according to our deprecation policy.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/audio/adlib.c     | 1 +
 qemu-deprecated.texi | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
index 97b876c..fb4a29c 100644
--- a/hw/audio/adlib.c
+++ b/hw/audio/adlib.c
@@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
     set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
     dc->desc = ADLIB_DESC;
     dc->props = adlib_properties;
+    dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
 }
 
 static const TypeInfo adlib_info = {
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 11b870c..7951a4f 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
 The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
 or ``ivshmem-doorbell`` device types.
 
+@subsection adlib (since 3.1)
+
+Has known buffer overflow.
+
 @section System emulator machines
 
 @subsection pc-0.10 and pc-0.11 (since 3.0)
-- 
2.9.3

[Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Gerd Hoffmann]

While being at it deprecate cirrus too.

Reason (short version): use stdvga instead.
Verbose version:
    https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/cirrus_vga.c     | 2 ++
 hw/display/cirrus_vga_isa.c | 2 ++
 qemu-deprecated.texi        | 4 ++++
 3 files changed, 8 insertions(+)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index d9b854d..2f16ba9 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data)
     dc->vmsd = &vmstate_pci_cirrus_vga;
     dc->props = pci_vga_cirrus_properties;
     dc->hotpluggable = false;
+    dc->deprecation_reason =
+        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
 }
 
 static const TypeInfo cirrus_vga_info = {
diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
index fa10b74..c2d853c 100644
--- a/hw/display/cirrus_vga_isa.c
+++ b/hw/display/cirrus_vga_isa.c
@@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data)
     dc->realize = isa_cirrus_vga_realizefn;
     dc->props = isa_cirrus_vga_properties;
     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
+    dc->deprecation_reason =
+        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
 }
 
 static const TypeInfo isa_cirrus_vga_info = {
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 7951a4f..1b1d434 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types.
 
 Has known buffer overflow.
 
+@subsection cirrus (since 3.1)
+
+Use stdvga instead (-vga std or -device VGA).
+
 @section System emulator machines
 
 @subsection pc-0.10 and pc-0.11 (since 3.0)
-- 
2.9.3

Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass

[P J P]

+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| Simliar to deprecated machine types.
| Print a warning when creating a deprecated device.
| Add deprecation notice to -device help.
| 
| TODO: add to intospection.

 s/intospection/introspection ..?

| diff --git a/hw/core/qdev.c b/hw/core/qdev.c
| index 046d8f1..3b27a74 100644
| --- a/hw/core/qdev.c
| +++ b/hw/core/qdev.c
| @@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name)
|  
|  DeviceState *qdev_try_create(BusState *bus, const char *type)
|  {
| +    DeviceClass *dc;
|      DeviceState *dev;
|  
| -    if (object_class_by_name(type) == NULL) {
| +    dc = DEVICE_CLASS(object_class_by_name(type));
| +    if (dc == NULL) {
|          return NULL;
|      }
| +    if (dc->deprecation_reason) {
| +        warn_report("device %s is deprecated (%s)",
| +                    type, dc->deprecation_reason);
| +    }
| +
|      dev = DEVICE(object_new(type));
|      if (!dev) {
|          return NULL;
| diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
| index a24d0dd..a352eaa 100644
| --- a/include/hw/qdev-core.h
| +++ b/include/hw/qdev-core.h
| @@ -105,6 +105,7 @@ typedef struct DeviceClass {
|       */
|      bool user_creatable;
|      bool hotpluggable;
| +    const char *deprecation_reason;
|  
|      /* callbacks */
|      DeviceReset reset;
| diff --git a/qdev-monitor.c b/qdev-monitor.c
| index 802c18a..bbba2bc 100644
| --- a/qdev-monitor.c
| +++ b/qdev-monitor.c
| @@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc)
|      if (!dc->user_creatable) {
|          out_printf(", no-user");
|      }
| +    if (!dc->deprecation_reason) {
| +        out_printf(", deprecated");
| +    }
|      out_printf("\n");
|  }
|  
| @@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
|      if (!dc) {
|          return NULL;
|      }
| +    if (dc->deprecation_reason) {
| +        warn_report("device %s is deprecated (%s)",
| +                    driver, dc->deprecation_reason);
| +    }
|  
|      /* find bus */
|      path = qemu_opt_get(opts, "bus");
| 

Looks good. Should 'deprecation_reason' be listed in qdev_device_help()?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[P J P]

+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
| 
| Reproducer:
|     outw(0xff60, 0x220);
|     outw(0x1020, 0x220);
|     outw(0xffb0, 0x220);
| Result:
|     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])

+ Reported-by: Wangjunqing <wangjunqing@huawei.com>


| diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
| index 97b876c..fb4a29c 100644
| --- a/hw/audio/adlib.c
| +++ b/hw/audio/adlib.c
| @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
|      set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
|      dc->desc = ADLIB_DESC;
|      dc->props = adlib_properties;
| +    dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
|  }
|  
|  static const TypeInfo adlib_info = {
| diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
| index 11b870c..7951a4f 100644
| --- a/qemu-deprecated.texi
| +++ b/qemu-deprecated.texi
| @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
|  The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
|  or ``ivshmem-doorbell`` device types.
|  
| +@subsection adlib (since 3.1)
| +
| +Has known buffer overflow.
| +
|  @section System emulator machines
|  
|  @subsection pc-0.10 and pc-0.11 (since 3.0)

Okay.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[P J P]

+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| While being at it deprecate cirrus too.
| 
| Reason (short version): use stdvga instead.
| Verbose version:
|     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
| 
| Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| ---
|  hw/display/cirrus_vga.c     | 2 ++
|  hw/display/cirrus_vga_isa.c | 2 ++
|  qemu-deprecated.texi        | 4 ++++
|  3 files changed, 8 insertions(+)
| 
| diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
| index d9b854d..2f16ba9 100644
| --- a/hw/display/cirrus_vga.c
| +++ b/hw/display/cirrus_vga.c
| @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data)
|      dc->vmsd = &vmstate_pci_cirrus_vga;
|      dc->props = pci_vga_cirrus_properties;
|      dc->hotpluggable = false;
| +    dc->deprecation_reason =
| +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
|  }
|  
|  static const TypeInfo cirrus_vga_info = {
| diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
| index fa10b74..c2d853c 100644
| --- a/hw/display/cirrus_vga_isa.c
| +++ b/hw/display/cirrus_vga_isa.c
| @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data)
|      dc->realize = isa_cirrus_vga_realizefn;
|      dc->props = isa_cirrus_vga_properties;
|      set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
| +    dc->deprecation_reason =
| +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
|  }
|  
|  static const TypeInfo isa_cirrus_vga_info = {
| diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
| index 7951a4f..1b1d434 100644
| --- a/qemu-deprecated.texi
| +++ b/qemu-deprecated.texi
| @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types.
|  
|  Has known buffer overflow.
|  
| +@subsection cirrus (since 3.1)
| +
| +Use stdvga instead (-vga std or -device VGA).
| +
|  @section System emulator machines
|  
|  @subsection pc-0.10 and pc-0.11 (since 3.0)
| 

Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass

[Philippe Mathieu-Daudé]

Hi Gerd,

On 25/10/18 10:52, Gerd Hoffmann wrote:
> Simliar to deprecated machine types.

"Similar"

> Print a warning when creating a deprecated device.
> Add deprecation notice to -device help.
> 
> TODO: add to intospection.

"introspection"

Do we want the TODO in the git history?

> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/core/qdev.c         | 9 ++++++++-
>   include/hw/qdev-core.h | 1 +
>   qdev-monitor.c         | 7 +++++++
>   3 files changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index 046d8f1..3b27a74 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -133,11 +133,18 @@ DeviceState *qdev_create(BusState *bus, const char *name)
>   
>   DeviceState *qdev_try_create(BusState *bus, const char *type)
>   {
> +    DeviceClass *dc;
>       DeviceState *dev;
>   
> -    if (object_class_by_name(type) == NULL) {
> +    dc = DEVICE_CLASS(object_class_by_name(type));
> +    if (dc == NULL) {
>           return NULL;
>       }
> +    if (dc->deprecation_reason) {
> +        warn_report("device %s is deprecated (%s)",
> +                    type, dc->deprecation_reason);
> +    }
> +
>       dev = DEVICE(object_new(type));
>       if (!dev) {
>           return NULL;
> diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
> index a24d0dd..a352eaa 100644
> --- a/include/hw/qdev-core.h
> +++ b/include/hw/qdev-core.h
> @@ -105,6 +105,7 @@ typedef struct DeviceClass {
>        */
>       bool user_creatable;
>       bool hotpluggable;
> +    const char *deprecation_reason;
>   
>       /* callbacks */
>       DeviceReset reset;
> diff --git a/qdev-monitor.c b/qdev-monitor.c
> index 802c18a..bbba2bc 100644
> --- a/qdev-monitor.c
> +++ b/qdev-monitor.c
> @@ -128,6 +128,9 @@ static void qdev_print_devinfo(DeviceClass *dc)
>       if (!dc->user_creatable) {
>           out_printf(", no-user");
>       }
> +    if (!dc->deprecation_reason) {

This is the opposite condition:

        if (dc->deprecation_reason) {
            out_printf(", deprecated");

With it fixed:
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

> +        out_printf(", deprecated");
> +    }
>       out_printf("\n");
>   }
>   
> @@ -579,6 +582,10 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
>       if (!dc) {
>           return NULL;
>       }
> +    if (dc->deprecation_reason) {
> +        warn_report("device %s is deprecated (%s)",
> +                    driver, dc->deprecation_reason);
> +    }
>   
>       /* find bus */
>       path = qemu_opt_get(opts, "bus");
> 

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Philippe Mathieu-Daudé]

On 25/10/18 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> 
> Reproducer:
>      outw(0xff60, 0x220);
>      outw(0x1020, 0x220);
>      outw(0xffb0, 0x220);
> Result:
>      Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
> 
> The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf)
> are rather sparse, possibly incomplete (looks like scanned fax with a
> scrambled page at the end) and not really helpful in identifying which
> of the register writes sets some illegal value.
> 
> So, go tag the device as deprecated with a warning messge, to notify

"warning message"

> users and schedule it for removal according to our deprecation policy.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/audio/adlib.c     | 1 +
>   qemu-deprecated.texi | 4 ++++
>   2 files changed, 5 insertions(+)
> 
> diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
> index 97b876c..fb4a29c 100644
> --- a/hw/audio/adlib.c
> +++ b/hw/audio/adlib.c
> @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
>       set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
>       dc->desc = ADLIB_DESC;
>       dc->props = adlib_properties;
> +    dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
>   }
>   
>   static const TypeInfo adlib_info = {
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 11b870c..7951a4f 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
>   The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
>   or ``ivshmem-doorbell`` device types.
>   
> +@subsection adlib (since 3.1)
> +
> +Has known buffer overflow.
> +
>   @section System emulator machines
>   
>   @subsection pc-0.10 and pc-0.11 (since 3.0)
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Philippe Mathieu-Daudé]

On 25/10/18 10:52, Gerd Hoffmann wrote:
> While being at it deprecate cirrus too.
> 
> Reason (short version): use stdvga instead.
> Verbose version:
>      https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/display/cirrus_vga.c     | 2 ++
>   hw/display/cirrus_vga_isa.c | 2 ++
>   qemu-deprecated.texi        | 4 ++++
>   3 files changed, 8 insertions(+)
> 
> diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
> index d9b854d..2f16ba9 100644
> --- a/hw/display/cirrus_vga.c
> +++ b/hw/display/cirrus_vga.c
> @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data)
>       dc->vmsd = &vmstate_pci_cirrus_vga;
>       dc->props = pci_vga_cirrus_properties;
>       dc->hotpluggable = false;
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";

We should propably add an archived copy of this post to www.qemu.org.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

>   }
>   
>   static const TypeInfo cirrus_vga_info = {
> diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
> index fa10b74..c2d853c 100644
> --- a/hw/display/cirrus_vga_isa.c
> +++ b/hw/display/cirrus_vga_isa.c
> @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data)
>       dc->realize = isa_cirrus_vga_realizefn;
>       dc->props = isa_cirrus_vga_properties;
>       set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
>   }
>   
>   static const TypeInfo isa_cirrus_vga_info = {
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 7951a4f..1b1d434 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types.
>   
>   Has known buffer overflow.
>   
> +@subsection cirrus (since 3.1)
> +
> +Use stdvga instead (-vga std or -device VGA).
> +
>   @section System emulator machines
>   
>   @subsection pc-0.10 and pc-0.11 (since 3.0)
> 

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Thomas Huth]

On 2018-10-25 09:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> 
> Reproducer:
>     outw(0xff60, 0x220);
>     outw(0x1020, 0x220);
>     outw(0xffb0, 0x220);
> Result:
>     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
> 
> The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf)
> are rather sparse, possibly incomplete (looks like scanned fax with a
> scrambled page at the end) and not really helpful in identifying which
> of the register writes sets some illegal value.
> 
> So, go tag the device as deprecated with a warning messge, to notify
> users and schedule it for removal according to our deprecation policy.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/audio/adlib.c     | 1 +
>  qemu-deprecated.texi | 4 ++++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
> index 97b876c..fb4a29c 100644
> --- a/hw/audio/adlib.c
> +++ b/hw/audio/adlib.c
> @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
>      set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
>      dc->desc = ADLIB_DESC;
>      dc->props = adlib_properties;
> +    dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
>  }
>  
>  static const TypeInfo adlib_info = {
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 11b870c..7951a4f 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
>  The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
>  or ``ivshmem-doorbell`` device types.
>  
> +@subsection adlib (since 3.1)
> +
> +Has known buffer overflow.
> +
>  @section System emulator machines
>  
>  @subsection pc-0.10 and pc-0.11 (since 3.0)
> 

Any chance you could maybe at least add an assert() to the affected code
so that it crashes instead of silently overflowing the buffer?

Anyway, with the "messge" typo fixed:

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Thomas Huth]

On 2018-10-25 09:52, Gerd Hoffmann wrote:
> While being at it deprecate cirrus too.
> 
> Reason (short version): use stdvga instead.
> Verbose version:
>     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/cirrus_vga.c     | 2 ++
>  hw/display/cirrus_vga_isa.c | 2 ++
>  qemu-deprecated.texi        | 4 ++++
>  3 files changed, 8 insertions(+)
> 
> diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
> index d9b854d..2f16ba9 100644
> --- a/hw/display/cirrus_vga.c
> +++ b/hw/display/cirrus_vga.c
> @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data)
>      dc->vmsd = &vmstate_pci_cirrus_vga;
>      dc->props = pci_vga_cirrus_properties;
>      dc->hotpluggable = false;
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
>  }
>  
>  static const TypeInfo cirrus_vga_info = {
> diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
> index fa10b74..c2d853c 100644
> --- a/hw/display/cirrus_vga_isa.c
> +++ b/hw/display/cirrus_vga_isa.c
> @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data)
>      dc->realize = isa_cirrus_vga_realizefn;
>      dc->props = isa_cirrus_vga_properties;
>      set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
>  }
>  
>  static const TypeInfo isa_cirrus_vga_info = {
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 7951a4f..1b1d434 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types.
>  
>  Has known buffer overflow.
>  
> +@subsection cirrus (since 3.1)
> +
> +Use stdvga instead (-vga std or -device VGA).
> +
>  @section System emulator machines
>  
>  @subsection pc-0.10 and pc-0.11 (since 3.0)
> 

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> While being at it deprecate cirrus too.
> 
> Reason (short version): use stdvga instead.
> Verbose version:
>     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful

Every single one of my guests is using cirrus. This wasn't an explicit
choice on my part, so I believe it is being used as the default in
virt-install.

I don't debate the points in the blog post above that stdvga is a
better choice, but I don't think that's enough to justify deprecating
cirrus at this point in time, because when it then gets deleted it
will break way too many existing deployments.

We need to socialize info in that blog post above more widely and
especially ensure that apps are not using that by default. I don't
see it being viable to formally deprecate it in QEMU any time soon
though given existing usage.

> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/cirrus_vga.c     | 2 ++
>  hw/display/cirrus_vga_isa.c | 2 ++
>  qemu-deprecated.texi        | 4 ++++
>  3 files changed, 8 insertions(+)
> 
> diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
> index d9b854d..2f16ba9 100644
> --- a/hw/display/cirrus_vga.c
> +++ b/hw/display/cirrus_vga.c
> @@ -3024,6 +3024,8 @@ static void cirrus_vga_class_init(ObjectClass *klass, void *data)
>      dc->vmsd = &vmstate_pci_cirrus_vga;
>      dc->props = pci_vga_cirrus_properties;
>      dc->hotpluggable = false;
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
>  }
>  
>  static const TypeInfo cirrus_vga_info = {
> diff --git a/hw/display/cirrus_vga_isa.c b/hw/display/cirrus_vga_isa.c
> index fa10b74..c2d853c 100644
> --- a/hw/display/cirrus_vga_isa.c
> +++ b/hw/display/cirrus_vga_isa.c
> @@ -81,6 +81,8 @@ static void isa_cirrus_vga_class_init(ObjectClass *klass, void *data)
>      dc->realize = isa_cirrus_vga_realizefn;
>      dc->props = isa_cirrus_vga_properties;
>      set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
> +    dc->deprecation_reason =
> +        "https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful";
>  }
>  
>  static const TypeInfo isa_cirrus_vga_info = {
> diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> index 7951a4f..1b1d434 100644
> --- a/qemu-deprecated.texi
> +++ b/qemu-deprecated.texi
> @@ -120,6 +120,10 @@ or ``ivshmem-doorbell`` device types.
>  
>  Has known buffer overflow.
>  
> +@subsection cirrus (since 3.1)
> +
> +Use stdvga instead (-vga std or -device VGA).
> +
>  @section System emulator machines
>  
>  @subsection pc-0.10 and pc-0.11 (since 3.0)
> -- 
> 2.9.3
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Daniel P. Berrangé]

On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
> +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
> | We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> | 
> | Reproducer:
> |     outw(0xff60, 0x220);
> |     outw(0x1020, 0x220);
> |     outw(0xffb0, 0x220);
> | Result:
> |     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
> 
> + Reported-by: Wangjunqing <wangjunqing@huawei.com>

So you have a CVE number for this ?

If so, it should be referenced in the commit message too, even if
we can't fix the problem.

> | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
> | index 97b876c..fb4a29c 100644
> | --- a/hw/audio/adlib.c
> | +++ b/hw/audio/adlib.c
> | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
> |      set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
> |      dc->desc = ADLIB_DESC;
> |      dc->props = adlib_properties;
> | +    dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
> |  }
> |  
> |  static const TypeInfo adlib_info = {
> | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> | index 11b870c..7951a4f 100644
> | --- a/qemu-deprecated.texi
> | +++ b/qemu-deprecated.texi
> | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
> |  The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
> |  or ``ivshmem-doorbell`` device types.
> |  
> | +@subsection adlib (since 3.1)
> | +
> | +Has known buffer overflow.

It would be good to give a recommendation to a better choice to
replace its usage

> | +
> |  @section System emulator machines
> |  
> |  @subsection pc-0.10 and pc-0.11 (since 3.0)

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[P J P]

  Hello Dan, all

+-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
| On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
| > While being at it deprecate cirrus too.
| > 
| > Reason (short version): use stdvga instead.
| > Verbose version:
| >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
| 
| 
| I don't debate the points in the blog post above that stdvga is a
| better choice, but I don't think that's enough to justify deprecating
| cirrus at this point in time, because when it then gets deleted it
| will break way too many existing deployments.
| 
| We need to socialize info in that blog post above more widely and
| especially ensure that apps are not using that by default. I don't
| see it being viable to formally deprecate it in QEMU any time soon
| though given existing usage.

To note, IMO there are other devices/sources in QEMU which are potential 
candidates for deprecation, similar to adlib etc. It'll help if we could 
device a process to deprecate/remove such code base. Other than maintenance it 
invariably also becomes source of security issues.

Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and 
after review over a period of say a month, candidate will be 
deprecated/expunged. (thinking aloud)

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

[P J P]

+-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
| On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
| > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
| > | 
| > | Reproducer:
| > |     outw(0xff60, 0x220);
| > |     outw(0x1020, 0x220);
| > |     outw(0xffb0, 0x220);
| > | Result:
| > |     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
| > 
| > + Reported-by: Wangjunqing <wangjunqing@huawei.com>
| 
| So you have a CVE number for this ?

No, since the adlib device is not used as much and is being deprecated, I'm 
not inclined to get one.

--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Paolo Bonzini]

On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> 
> Reproducer:
>     outw(0xff60, 0x220);
>     outw(0x1020, 0x220);
>     outw(0xffb0, 0x220);
> Result:
>     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])

I am dumb and I don't understand.  In set_ar_dr you get

	v = 0xff
	ar = 15
	dr = 15

and OPL->AR_TABLE[60] is accessed.  The size of the array is 75, which
seems to be actually 14 more than required.  Likewise OPL->DR_TABLE[60]
is accessed.

The next accesses use SLOT->ksr which is 0 so it's fine too.

Paolo

Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated

[Cole Robinson]

On 10/25/2018 09:37 PM, Daniel P. Berrangé wrote:
> On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
>> While being at it deprecate cirrus too.
>>
>> Reason (short version): use stdvga instead.
>> Verbose version:
>>      https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> 
> Every single one of my guests is using cirrus. This wasn't an explicit
> choice on my part, so I believe it is being used as the default in
> virt-install.
> 

virt-manager/virt-install 2.0.0 will never explicitly set cirrus, but 
that release is quite new. The previous release's default for x86 was 
roughly:

if using spice graphics:
     use qxl
elif guest os is windows:
     use vga
else:
     use cirrus

It was definitely sub optimal. Maybe your virt-install commands were 
explicitly setting --graphics vnc which would trigger cirrus in that case.

> I don't debate the points in the blog post above that stdvga is a
> better choice, but I don't think that's enough to justify deprecating
> cirrus at this point in time, because when it then gets deleted it
> will break way too many existing deployments.
> 
> We need to socialize info in that blog post above more widely and
> especially ensure that apps are not using that by default. I don't
> see it being viable to formally deprecate it in QEMU any time soon
> though given existing usage.

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[P J P]

+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| I am dumb and I don't understand.  In set_ar_dr you get
| 
| 	v = 0xff
| 	ar = 15
| 	dr = 15
| 
| and OPL->AR_TABLE[60] is accessed.  The size of the array is 75, which
| seems to be actually 14 more than required.  Likewise OPL->DR_TABLE[60]
| is accessed.
| 
| The next accesses use SLOT->ksr which is 0 so it's fine too.

In set_ar_dr

  SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0;

SLOT->AR is set to point to OPL->DR_TABLE[60] and while so if s->ksr is set to 
15, in CALC_FCSLOT()

  SLOT->evsa = SLOT->AR[ksr];  <= accesses OPL->AR_TABLE[60 + 15];

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote:
>   Hello Dan, all
> 
> +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
> | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> | > While being at it deprecate cirrus too.
> | > 
> | > Reason (short version): use stdvga instead.
> | > Verbose version:
> | >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> | 
> | 
> | I don't debate the points in the blog post above that stdvga is a
> | better choice, but I don't think that's enough to justify deprecating
> | cirrus at this point in time, because when it then gets deleted it
> | will break way too many existing deployments.
> | 
> | We need to socialize info in that blog post above more widely and
> | especially ensure that apps are not using that by default. I don't
> | see it being viable to formally deprecate it in QEMU any time soon
> | though given existing usage.
> 
> To note, IMO there are other devices/sources in QEMU which are potential 
> candidates for deprecation, similar to adlib etc. It'll help if we could 
> device a process to deprecate/remove such code base. Other than maintenance it 
> invariably also becomes source of security issues.
> 
> Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and 
> after review over a period of say a month, candidate will be
> deprecated/expunged. (thinking aloud)

QEMU has a deprecation process:

  https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features

Most of the stuff deprecated is CLI args / monitor commands, etc where
mgmt apps just adjust the way they are calling QEMU, so end user's VMs
are largely not impacted.

Deprecating a device type that is widely used is not desirable because
that will cause breakage of existing guests.  Distros are free to disable
devices in their builds if they want to reduce the scope for CVEs in
packages they maintain, but again they should think carefully about how
many users they are going to break by doing so.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Fri, Oct 26, 2018 at 09:48:35AM +0100, Cole Robinson wrote:
> On 10/25/2018 09:37 PM, Daniel P. Berrangé wrote:
> > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> > > While being at it deprecate cirrus too.
> > > 
> > > Reason (short version): use stdvga instead.
> > > Verbose version:
> > >      https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> > 
> > Every single one of my guests is using cirrus. This wasn't an explicit
> > choice on my part, so I believe it is being used as the default in
> > virt-install.
> > 
> 
> virt-manager/virt-install 2.0.0 will never explicitly set cirrus, but that
> release is quite new. The previous release's default for x86 was roughly:
> 
> if using spice graphics:
>     use qxl
> elif guest os is windows:
>     use vga
> else:
>     use cirrus
> 
> It was definitely sub optimal. Maybe your virt-install commands were
> explicitly setting --graphics vnc which would trigger cirrus in that case.

Yep, I've always tended to use vnc, since QXL has historically been a
pretty buggy & unreliable device model with guests often breaking.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Daniel P. Berrangé]

On Fri, Oct 26, 2018 at 12:38:53PM +0530, P J P wrote:
> +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
> | On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
> | > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
> | > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> | > | 
> | > | Reproducer:
> | > |     outw(0xff60, 0x220);
> | > |     outw(0x1020, 0x220);
> | > |     outw(0xffb0, 0x220);
> | > | Result:
> | > |     Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
> | > 
> | > + Reported-by: Wangjunqing <wangjunqing@huawei.com>
> | 
> | So you have a CVE number for this ?
> 
> No, since the adlib device is not used as much and is being deprecated, I'm 
> not inclined to get one.

Any security issue that affects code in QEMU that is currently being
shipped by distros should have a CVE.

Whether we intend to deprecate & delete it later should not be a factor
because we are free to cancel the deprecation process at any time if we
find a reason to keep the feature around.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Fri, Oct 26, 2018 at 10:42:08AM +0100, Daniel P. Berrangé wrote:
> On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote:
> >   Hello Dan, all
> > 
> > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
> > | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> > | > While being at it deprecate cirrus too.
> > | > 
> > | > Reason (short version): use stdvga instead.
> > | > Verbose version:
> > | >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> > | 
> > | 
> > | I don't debate the points in the blog post above that stdvga is a
> > | better choice, but I don't think that's enough to justify deprecating
> > | cirrus at this point in time, because when it then gets deleted it
> > | will break way too many existing deployments.
> > | 
> > | We need to socialize info in that blog post above more widely and
> > | especially ensure that apps are not using that by default. I don't
> > | see it being viable to formally deprecate it in QEMU any time soon
> > | though given existing usage.
> > 
> > To note, IMO there are other devices/sources in QEMU which are potential 
> > candidates for deprecation, similar to adlib etc. It'll help if we could 
> > device a process to deprecate/remove such code base. Other than maintenance it 
> > invariably also becomes source of security issues.
> > 
> > Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and 
> > after review over a period of say a month, candidate will be
> > deprecated/expunged. (thinking aloud)
> 
> QEMU has a deprecation process:
> 
>   https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features
> 
> Most of the stuff deprecated is CLI args / monitor commands, etc where
> mgmt apps just adjust the way they are calling QEMU, so end user's VMs
> are largely not impacted.
> 
> Deprecating a device type that is widely used is not desirable because
> that will cause breakage of existing guests.  Distros are free to disable
> devices in their builds if they want to reduce the scope for CVEs in
> packages they maintain, but again they should think carefully about how
> many users they are going to break by doing so.

I should also say that QEMU as an upstream project has multiple goals.
Running KVM guests with modern PV hardware is only one of them, albeit
a widely used one. Being able to run old legacy OS with old hardware,
and running arbitrary embedded boards/devices with emulation are both
use cases that QEMU project aims to address. To eliminate all the old
"crufty" device emulation in name of improving security for KVM, would
be to eliminate core use cases of the project. THis is why we're trying
to persue the direction of making it easier for vendors to disable
features and devices they don't wish to support & thus limit their
downstream CVE exposure.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Paolo Bonzini]

On 26/10/2018 11:34, P J P wrote:
> +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
> | I am dumb and I don't understand.  In set_ar_dr you get
> | 
> | 	v = 0xff
> | 	ar = 15
> | 	dr = 15
> | 
> | and OPL->AR_TABLE[60] is accessed.  The size of the array is 75, which
> | seems to be actually 14 more than required.  Likewise OPL->DR_TABLE[60]
> | is accessed.
> | 
> | The next accesses use SLOT->ksr which is 0 so it's fine too.
> 
> In set_ar_dr
> 
>   SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0;
> 
> SLOT->AR is set to point to OPL->DR_TABLE[60] and while so if s->ksr is set to 
> 15, in CALC_FCSLOT()
> 
>   SLOT->evsa = SLOT->AR[ksr];  <= accesses OPL->AR_TABLE[60 + 15];

Oh, thanks!  I said I was dumb. :)  So the fix is just this:

diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
index e7e578a48e..7199afaa3c 100644
--- a/hw/audio/fmopl.h
+++ b/hw/audio/fmopl.h
@@ -72,8 +72,8 @@ typedef struct fm_opl_f {
 	/* Rhythm sention */
 	uint8_t rhythm;		/* Rhythm mode , key flag */
 	/* time tables */
-	int32_t AR_TABLE[75];	/* atttack rate tables */
-	int32_t DR_TABLE[75];	/* decay rate tables   */
+	int32_t AR_TABLE[76];	/* atttack rate tables */
+	int32_t DR_TABLE[76];	/* decay rate tables   */
 	uint32_t FN_TABLE[1024];  /* fnumber -> increment counter */
 	/* LFO */
 	int32_t *ams_table;

and init_timetables will just fill it with the right value?  (I checked
against another implementation at http://opl3.cozendey.com/).

Thanks,

Paolo

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Paolo Bonzini]

On 26/10/2018 11:59, Daniel P. Berrangé wrote:
> I should also say that QEMU as an upstream project has multiple goals.
> Running KVM guests with modern PV hardware is only one of them, albeit
> a widely used one. Being able to run old legacy OS with old hardware,
> and running arbitrary embedded boards/devices with emulation are both
> use cases that QEMU project aims to address. To eliminate all the old
> "crufty" device emulation in name of improving security for KVM, would
> be to eliminate core use cases of the project. THis is why we're trying
> to persue the direction of making it easier for vendors to disable
> features and devices they don't wish to support & thus limit their
> downstream CVE exposure.

Indeed.  If we had to deprecate a feature just because it had an
off-by-one bug, no C program would grow beyond 1000 lines of code...

Paolo

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Dr. David Alan Gilbert]

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote:
> >   Hello Dan, all
> > 
> > +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
> > | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> > | > While being at it deprecate cirrus too.
> > | > 
> > | > Reason (short version): use stdvga instead.
> > | > Verbose version:
> > | >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> > | 
> > | 
> > | I don't debate the points in the blog post above that stdvga is a
> > | better choice, but I don't think that's enough to justify deprecating
> > | cirrus at this point in time, because when it then gets deleted it
> > | will break way too many existing deployments.
> > | 
> > | We need to socialize info in that blog post above more widely and
> > | especially ensure that apps are not using that by default. I don't
> > | see it being viable to formally deprecate it in QEMU any time soon
> > | though given existing usage.
> > 
> > To note, IMO there are other devices/sources in QEMU which are potential 
> > candidates for deprecation, similar to adlib etc. It'll help if we could 
> > device a process to deprecate/remove such code base. Other than maintenance it 
> > invariably also becomes source of security issues.
> > 
> > Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and 
> > after review over a period of say a month, candidate will be
> > deprecated/expunged. (thinking aloud)
> 
> QEMU has a deprecation process:
> 
>   https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features
> 
> Most of the stuff deprecated is CLI args / monitor commands, etc where
> mgmt apps just adjust the way they are calling QEMU, so end user's VMs
> are largely not impacted.
> 
> Deprecating a device type that is widely used is not desirable because
> that will cause breakage of existing guests.  Distros are free to disable
> devices in their builds if they want to reduce the scope for CVEs in
> packages they maintain, but again they should think carefully about how
> many users they are going to break by doing so.

I'm a bit mixed here;  until recent guest kernels I've always treated
Cirrus as the 'safe' one that's likely to work on anything - so losing
it worries me.  Having said that, I understand why we want to deprecate
it;  but we should give a much longer deprecation warning - a few years?
I don't see any harm warning that it's deprecated and you really should
try not to use it.

Dave

> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[P J P]

+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| Oh, thanks!  I said I was dumb. :)  So the fix is just this:
| 
| diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
| index e7e578a48e..7199afaa3c 100644
| --- a/hw/audio/fmopl.h
| +++ b/hw/audio/fmopl.h
| @@ -72,8 +72,8 @@ typedef struct fm_opl_f {
|  	/* Rhythm sention */
|  	uint8_t rhythm;		/* Rhythm mode , key flag */
|  	/* time tables */
| -	int32_t AR_TABLE[75];	/* atttack rate tables */
| -	int32_t DR_TABLE[75];	/* decay rate tables   */
| +	int32_t AR_TABLE[76];	/* atttack rate tables */
| +	int32_t DR_TABLE[76];	/* decay rate tables   */
|  	uint32_t FN_TABLE[1024];  /* fnumber -> increment counter */
|  	/* LFO */
|  	int32_t *ams_table;
| 
| and init_timetables will just fill it with the right value?  (I checked
| against another implementation at http://opl3.cozendey.com/).

Gerd has proposed to a patch to deprecate adlib, as it's not used as much. IMO 
deprecation is better option. But if that is not happening, above seems good.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

[P J P]

+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+
| > No, since the adlib device is not used as much and is being deprecated, I'm 
| > not inclined to get one.
| 
| Any security issue that affects code in QEMU that is currently being
| shipped by distros should have a CVE.
| 
| Whether we intend to deprecate & delete it later should not be a factor
| because we are free to cancel the deprecation process at any time if we
| find a reason to keep the feature around.

Okay, will follow up with a CVE process. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [libvirt] [PATCH 3/3] cirrus: mark as deprecated

[Christian Borntraeger]

On 10/26/2018 11:42 AM, Daniel P. Berrangé wrote:
> On Fri, Oct 26, 2018 at 12:33:55PM +0530, P J P wrote:
>>   Hello Dan, all
>>
>> +-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
>> | On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
>> | > While being at it deprecate cirrus too.
>> | > 
>> | > Reason (short version): use stdvga instead.
>> | > Verbose version:
>> | >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
>> | 
>> | 
>> | I don't debate the points in the blog post above that stdvga is a
>> | better choice, but I don't think that's enough to justify deprecating
>> | cirrus at this point in time, because when it then gets deleted it
>> | will break way too many existing deployments.
>> | 
>> | We need to socialize info in that blog post above more widely and
>> | especially ensure that apps are not using that by default. I don't
>> | see it being viable to formally deprecate it in QEMU any time soon
>> | though given existing usage.
>>
>> To note, IMO there are other devices/sources in QEMU which are potential 
>> candidates for deprecation, similar to adlib etc. It'll help if we could 
>> device a process to deprecate/remove such code base. Other than maintenance it 
>> invariably also becomes source of security issues.
>>
>> Ex.(similar to Fedora) we could announce such candidate on qemu-devel list and 
>> after review over a period of say a month, candidate will be
>> deprecated/expunged. (thinking aloud)
> 
> QEMU has a deprecation process:
> 
>   https://qemu.weilnetz.de/doc/qemu-doc.html#Deprecated-features
> 
> Most of the stuff deprecated is CLI args / monitor commands, etc where
> mgmt apps just adjust the way they are calling QEMU, so end user's VMs
> are largely not impacted.
> 
> Deprecating a device type that is widely used is not desirable because
> that will cause breakage of existing guests.  Distros are free to disable
> devices in their builds if they want to reduce the scope for CVEs in
> packages they maintain, but again they should think carefully about how
> many users they are going to break by doing so.

I agree with what Daniel said. Deprecating something that is in heavy use 
by users just because we have trouble maintaining it not going to help the
QEMU project - quite the opposite. 

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Fri, Oct 26, 2018 at 12:03:35PM +0200, Paolo Bonzini wrote:
> On 26/10/2018 11:59, Daniel P. Berrangé wrote:
> > I should also say that QEMU as an upstream project has multiple goals.
> > Running KVM guests with modern PV hardware is only one of them, albeit
> > a widely used one. Being able to run old legacy OS with old hardware,
> > and running arbitrary embedded boards/devices with emulation are both
> > use cases that QEMU project aims to address. To eliminate all the old
> > "crufty" device emulation in name of improving security for KVM, would
> > be to eliminate core use cases of the project. THis is why we're trying
> > to persue the direction of making it easier for vendors to disable
> > features and devices they don't wish to support & thus limit their
> > downstream CVE exposure.
> 
> Indeed.  If we had to deprecate a feature just because it had an
> off-by-one bug, no C program would grow beyond 1000 lines of code...

One thing we should do, however, is to make it clear which of the
device models we consider secure, and which we consider only usable
in a friendly guest environment, as we have very different code
maintainership & quality standards for different parts of QEMU.

Essentially virtio devices, and then only a handful of the emulated
devices are things we consider suitable for usage in secure envs.
Likewise for machine types probably.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[P J P]

+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+
| ... 
| One thing we should do, however, is to make it clear which of the
| device models we consider secure, and which we consider only usable
| in a friendly guest environment, as we have very different code
| maintainership & quality standards for different parts of QEMU.
| 
| Essentially virtio devices, and then only a handful of the emulated
| devices are things we consider suitable for usage in secure envs.
| Likewise for machine types probably.

True, +1.

It did come up in another thread. It'll surely be helpful to list these 
professional and friendly components. 'Professional' being production ready 
and thus security relevant. And 'Friendly' being experimental or not suitable 
for production usage. Maybe like staging drivers in the kernel tree. They are 
available for use but not considered production ready and thus are not 
security relevant.

To be clear, irrespective of professional or friendly, we strive to fix every 
single issue that is found and/or reported. Only difference is, professional 
ones are tracked by a CVE ID and friendly ones are fixed as bug fixes, not 
tracked by CVE ID.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

[Gerd Hoffmann]

On Fri, Oct 26, 2018 at 05:23:37PM +0530, P J P wrote:
> +-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
> | Oh, thanks!  I said I was dumb. :)  So the fix is just this:
> | 
> | diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
> | index e7e578a48e..7199afaa3c 100644
> | --- a/hw/audio/fmopl.h
> | +++ b/hw/audio/fmopl.h
> | @@ -72,8 +72,8 @@ typedef struct fm_opl_f {
> |  	/* Rhythm sention */
> |  	uint8_t rhythm;		/* Rhythm mode , key flag */
> |  	/* time tables */
> | -	int32_t AR_TABLE[75];	/* atttack rate tables */
> | -	int32_t DR_TABLE[75];	/* decay rate tables   */
> | +	int32_t AR_TABLE[76];	/* atttack rate tables */
> | +	int32_t DR_TABLE[76];	/* decay rate tables   */
> |  	uint32_t FN_TABLE[1024];  /* fnumber -> increment counter */
> |  	/* LFO */
> |  	int32_t *ams_table;
> | 
> | and init_timetables will just fill it with the right value?  (I checked
> | against another implementation at http://opl3.cozendey.com/).
> 
> Gerd has proposed to a patch to deprecate adlib, as it's not used as much. IMO 
> deprecation is better option. But if that is not happening, above seems good.

I think we can actually do both.

cheers,
  Gerd

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Gerd Hoffmann]

On Thu, Oct 25, 2018 at 09:37:58PM +0100, Daniel P. Berrangé wrote:
> On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> > While being at it deprecate cirrus too.
> > 
> > Reason (short version): use stdvga instead.
> > Verbose version:
> >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> 
> Every single one of my guests is using cirrus. This wasn't an explicit
> choice on my part, so I believe it is being used as the default in
> virt-install.
> 
> I don't debate the points in the blog post above that stdvga is a
> better choice, but I don't think that's enough to justify deprecating
> cirrus at this point in time, because when it then gets deleted it
> will break way too many existing deployments.
> 
> We need to socialize info in that blog post above more widely and
> especially ensure that apps are not using that by default. I don't
> see it being viable to formally deprecate it in QEMU any time soon
> though given existing usage.

Well, getting that message to the users is the point of deprecating it.
I think in this specific case we'll need a longer (maybe much longer)
deprecation period than only two releases.  But I think it still makes
sense to deprecate it now.

In qemu it isn't the default any more since release 2.2.
libvirt switched the default not too long after that.
Not fully sure how things look like higher up the stack.

cheers,
  Gerd

Re: [Qemu-devel] [PATCH 1/3] qdev: add deprecation_reason to DeviceClass

[Gerd Hoffmann]

On Thu, Oct 25, 2018 at 01:12:15PM +0200, Philippe Mathieu-Daudé wrote:
> Hi Gerd,
> 
> On 25/10/18 10:52, Gerd Hoffmann wrote:
> > Simliar to deprecated machine types.
> 
> "Similar"
> 
> > Print a warning when creating a deprecated device.
> > Add deprecation notice to -device help.
> > 
> > TODO: add to intospection.
> 
> "introspection"
> 
> Do we want the TODO in the git history?

No.  It's RfC because of the missing introspection bits ;)

cheers,
  Gerd

Re: [Qemu-devel] [PATCH 3/3] cirrus: mark as deprecated

[Daniel P. Berrangé]

On Mon, Oct 29, 2018 at 10:12:44AM +0100, Gerd Hoffmann wrote:
> On Thu, Oct 25, 2018 at 09:37:58PM +0100, Daniel P. Berrangé wrote:
> > On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
> > > While being at it deprecate cirrus too.
> > > 
> > > Reason (short version): use stdvga instead.
> > > Verbose version:
> > >     https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
> > 
> > Every single one of my guests is using cirrus. This wasn't an explicit
> > choice on my part, so I believe it is being used as the default in
> > virt-install.
> > 
> > I don't debate the points in the blog post above that stdvga is a
> > better choice, but I don't think that's enough to justify deprecating
> > cirrus at this point in time, because when it then gets deleted it
> > will break way too many existing deployments.
> > 
> > We need to socialize info in that blog post above more widely and
> > especially ensure that apps are not using that by default. I don't
> > see it being viable to formally deprecate it in QEMU any time soon
> > though given existing usage.
> 
> Well, getting that message to the users is the point of deprecating it.
> I think in this specific case we'll need a longer (maybe much longer)
> deprecation period than only two releases.  But I think it still makes
> sense to deprecate it now.

As mentioned elsewhere in this thread, I think it is important that
QEMU distinction between devices that are best practice / recommended
for use with KVM virt, vs devices that exist solely for sake of
emulating hardware for use with old platforms.

I agree that cirrus doesn't have a place in a KVM guest for future,
but I don't thjink that means it should be deprecated & removed from
QEMU entirely, as its still relevant from POV of QEMU's goal to
emulate old hardware platforms.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|