* [qemu-upstream-4.5-testing test] 36492: trouble: pass/preparing
@ 2015-03-17 14:29 xen.org
0 siblings, 0 replies; only message in thread
From: xen.org @ 2015-03-17 14:29 UTC (permalink / raw)
To: xen-devel; +Cc: ian.jackson
flight 36492 qemu-upstream-4.5-testing running [real]
http://www.chiark.greenend.org.uk/~xensrcts/logs/36492/
Failures and problems with tests :-(
Tests which did not succeed and are blocking,
including tests which could not be run:
test-amd64-i386-xl-qemuu-win7-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-qemut-rhel6hvm-amd 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemut-debianhvm-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-freebsd10-amd64 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemut-debianhvm-amd64 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-pcipt-intel 2 hosts-allocate running [st=running!]
test-amd64-i386-libvirt 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-pvh-amd 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl-multivcpu 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-sedf 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-sedf-pin 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-credit2 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemut-win7-amd64 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl-credit2 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemuu-debianhvm-amd64 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-multivcpu 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemuu-ovmf-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-pair 2 hosts-allocate running [st=running!]
test-amd64-amd64-libvirt 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemuu-win7-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-qemuu-rhel6hvm-amd 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-winxpsp3 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl-midway 2 hosts-allocate running [st=running!]
test-amd64-i386-rhel6hvm-amd 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl-sedf-pin 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl 2 hosts-allocate running [st=running!]
test-amd64-i386-rhel6hvm-intel 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemut-winxpsp3 2 hosts-allocate running [st=running!]
test-amd64-i386-freebsd10-i386 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-winxpsp3 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemut-winxpsp3-vcpus1 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemut-win7-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemuu-winxpsp3 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemut-winxpsp3 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-win7-amd64 2 hosts-allocate running [st=running!]
test-armhf-armhf-libvirt 2 hosts-allocate running [st=running!]
test-amd64-amd64-pair 2 hosts-allocate running [st=running!]
test-amd64-i386-xl 2 hosts-allocate running [st=running!]
test-amd64-i386-qemuu-rhel6hvm-intel 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemuu-ovmf-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-win7-amd64 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-pvh-intel 2 hosts-allocate running [st=running!]
test-armhf-armhf-xl-sedf 2 hosts-allocate running [st=running!]
test-amd64-i386-qemut-rhel6hvm-intel 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-qemuu-debianhvm-amd64 2 hosts-allocate running [st=running!]
test-amd64-i386-xl-winxpsp3-vcpus1 2 hosts-allocate running [st=running!]
test-amd64-amd64-xl-qemuu-winxpsp3 2 hosts-allocate running [st=running!]
version targeted for testing:
qemuu 0b8fb1ec3d666d1eb8bbff56c76c5e6daa2789e4
baseline version:
qemuu 1ebb75b1fee779621b63e84fefa7b07354c43a99
------------------------------------------------------------
People who touched revisions under test:
Gerd Hoffmann <kraxel@redhat.com>
Gonglei <arei.gonglei@huawei.com>
Juan Quintela <quintela@redhat.com>
Michael S. Tsirkin <mst@redhat.com>
Paolo Bonzini <pbonzini@redhat.com>
Peter Maydell <peter.maydell@linaro.org>
Petr Matousek <pmatouse@redhat.com>
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
------------------------------------------------------------
jobs:
build-amd64 pass
build-armhf pass
build-i386 pass
build-amd64-libvirt pass
build-armhf-libvirt pass
build-i386-libvirt pass
build-amd64-pvops pass
build-armhf-pvops pass
build-i386-pvops pass
test-amd64-amd64-xl preparing
test-armhf-armhf-xl preparing
test-amd64-i386-xl preparing
test-amd64-amd64-xl-pvh-amd preparing
test-amd64-i386-rhel6hvm-amd preparing
test-amd64-i386-qemut-rhel6hvm-amd preparing
test-amd64-i386-qemuu-rhel6hvm-amd preparing
test-amd64-amd64-xl-qemut-debianhvm-amd64 preparing
test-amd64-i386-xl-qemut-debianhvm-amd64 preparing
test-amd64-amd64-xl-qemuu-debianhvm-amd64 preparing
test-amd64-i386-xl-qemuu-debianhvm-amd64 preparing
test-amd64-i386-freebsd10-amd64 preparing
test-amd64-amd64-xl-qemuu-ovmf-amd64 preparing
test-amd64-i386-xl-qemuu-ovmf-amd64 preparing
test-amd64-amd64-xl-qemut-win7-amd64 preparing
test-amd64-i386-xl-qemut-win7-amd64 preparing
test-amd64-amd64-xl-qemuu-win7-amd64 preparing
test-amd64-i386-xl-qemuu-win7-amd64 preparing
test-amd64-amd64-xl-win7-amd64 preparing
test-amd64-i386-xl-win7-amd64 preparing
test-amd64-amd64-xl-credit2 preparing
test-armhf-armhf-xl-credit2 preparing
test-amd64-i386-freebsd10-i386 preparing
test-amd64-amd64-xl-pcipt-intel preparing
test-amd64-amd64-xl-pvh-intel preparing
test-amd64-i386-rhel6hvm-intel preparing
test-amd64-i386-qemut-rhel6hvm-intel preparing
test-amd64-i386-qemuu-rhel6hvm-intel preparing
test-amd64-amd64-libvirt preparing
test-armhf-armhf-libvirt preparing
test-amd64-i386-libvirt preparing
test-armhf-armhf-xl-midway preparing
test-amd64-amd64-xl-multivcpu preparing
test-armhf-armhf-xl-multivcpu preparing
test-amd64-amd64-pair preparing
test-amd64-i386-pair preparing
test-amd64-amd64-xl-sedf-pin preparing
test-armhf-armhf-xl-sedf-pin preparing
test-amd64-amd64-xl-sedf preparing
test-armhf-armhf-xl-sedf preparing
test-amd64-i386-xl-qemut-winxpsp3-vcpus1 preparing
test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 preparing
test-amd64-i386-xl-winxpsp3-vcpus1 preparing
test-amd64-amd64-xl-qemut-winxpsp3 preparing
test-amd64-i386-xl-qemut-winxpsp3 preparing
test-amd64-amd64-xl-qemuu-winxpsp3 preparing
test-amd64-i386-xl-qemuu-winxpsp3 preparing
test-amd64-amd64-xl-winxpsp3 preparing
test-amd64-i386-xl-winxpsp3 preparing
------------------------------------------------------------
sg-report-flight on osstest.cam.xci-test.com
logs: /home/xc_osstest/logs
images: /home/xc_osstest/images
Logs, config files, etc. are available at
http://www.chiark.greenend.org.uk/~xensrcts/logs
Test harness code can be found at
http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary
broken test-amd64-i386-xl-qemuu-win7-amd64 hosts-allocate running
broken test-amd64-i386-qemut-rhel6hvm-amd hosts-allocate running
broken test-amd64-i386-xl-qemut-debianhvm-amd64 hosts-allocate running
broken test-amd64-i386-freebsd10-amd64 hosts-allocate running
broken test-amd64-amd64-xl-qemut-debianhvm-amd64 hosts-allocate running
broken test-amd64-amd64-xl-pcipt-intel hosts-allocate running
broken test-amd64-i386-libvirt hosts-allocate running
broken test-amd64-amd64-xl-pvh-amd hosts-allocate running
broken test-armhf-armhf-xl-multivcpu hosts-allocate running
broken test-amd64-amd64-xl-sedf hosts-allocate running
broken test-amd64-amd64-xl-sedf-pin hosts-allocate running
broken test-amd64-amd64-xl-credit2 hosts-allocate running
broken test-amd64-amd64-xl-qemut-win7-amd64 hosts-allocate running
broken test-armhf-armhf-xl hosts-allocate running
broken test-armhf-armhf-xl-credit2 hosts-allocate running
broken test-amd64-amd64-xl-qemuu-debianhvm-amd64 hosts-allocate running
broken test-amd64-amd64-xl-multivcpu hosts-allocate running
broken test-amd64-i386-xl-qemuu-ovmf-amd64 hosts-allocate running
broken test-amd64-i386-pair hosts-allocate running
broken test-amd64-amd64-libvirt hosts-allocate running
broken test-amd64-amd64-xl-qemuu-win7-amd64 hosts-allocate running
broken test-amd64-i386-qemuu-rhel6hvm-amd hosts-allocate running
broken test-amd64-i386-xl-winxpsp3 hosts-allocate running
broken test-armhf-armhf-xl-midway hosts-allocate running
broken test-amd64-i386-rhel6hvm-amd hosts-allocate running
broken test-armhf-armhf-xl-sedf-pin hosts-allocate running
broken test-amd64-amd64-xl hosts-allocate running
broken test-amd64-i386-rhel6hvm-intel hosts-allocate running
broken test-amd64-i386-xl-qemut-winxpsp3 hosts-allocate running
broken test-amd64-i386-freebsd10-i386 hosts-allocate running
broken test-amd64-amd64-xl-winxpsp3 hosts-allocate running
broken test-amd64-i386-xl-qemut-winxpsp3-vcpus1 hosts-allocate running
broken test-amd64-i386-xl-qemut-win7-amd64 hosts-allocate running
broken test-amd64-i386-xl-qemuu-winxpsp3 hosts-allocate running
broken test-amd64-amd64-xl-qemut-winxpsp3 hosts-allocate running
broken test-amd64-amd64-xl-win7-amd64 hosts-allocate running
broken test-armhf-armhf-libvirt hosts-allocate running
broken test-amd64-amd64-pair hosts-allocate running
broken test-amd64-i386-xl hosts-allocate running
broken test-amd64-i386-qemuu-rhel6hvm-intel hosts-allocate running
broken test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 hosts-allocate running
broken test-amd64-amd64-xl-qemuu-ovmf-amd64 hosts-allocate running
broken test-amd64-i386-xl-win7-amd64 hosts-allocate running
broken test-amd64-amd64-xl-pvh-intel hosts-allocate running
broken test-armhf-armhf-xl-sedf hosts-allocate running
broken test-amd64-i386-qemut-rhel6hvm-intel hosts-allocate running
broken test-amd64-i386-xl-qemuu-debianhvm-amd64 hosts-allocate running
broken test-amd64-i386-xl-winxpsp3-vcpus1 hosts-allocate running
broken test-amd64-amd64-xl-qemuu-winxpsp3 hosts-allocate running
Not pushing.
------------------------------------------------------------
commit 0b8fb1ec3d666d1eb8bbff56c76c5e6daa2789e4
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed Nov 19 13:27:28 2014 +0100
cirrus: don't overflow CirrusVGAState->cirrus_bltbuf
This is CVE-2014-8106.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
commit f49151814120538bac6c6f12109968544027cc20
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed Nov 19 11:37:42 2014 +0100
cirrus: fix blit region check
Issues:
* Doesn't check pitches correctly in case it is negative.
* Doesn't check width at all.
Turn macro into functions while being at it, also factor out the check
for one region which we then can simply call twice for src + dst.
This is CVE-2014-8106.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
commit 99aa8a7e0a05cec2eb7562ab7107b27c6b042b08
Author: Petr Matousek <pmatouse@redhat.com>
Date: Mon Oct 27 12:41:44 2014 +0100
vnc: sanitize bits_per_pixel from the client
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.
To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.
This is CVE-2014-7815.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
[ kraxel: apply codestyle fix ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
commit 94d09f22b790648493038f964d2fc171b26f52f5
Author: Gonglei <arei.gonglei@huawei.com>
Date: Wed Aug 20 13:52:30 2014 +0800
pcihp: fix possible array out of bounds
Prevent out-of-bounds array access on
acpi_pcihp_pci_status.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
commit 07fcd79289717c076b39d36ec666653422ee0646
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon Oct 6 11:42:34 2014 +0200
vmware-vga: CVE-2014-3689: turn off hw accel
Quick & easy stopgap for CVE-2014-3689: We just compile out the
hardware acceleration functions which lack sanity checks. Thankfully
we have capability bits for them (SVGA_CAP_RECT_COPY and
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
Subsequent patches will add the missing checks and re-enable the
hardware acceleration emulation.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Don Koch <dkoch@verizon.com>
commit 979e4eaa94f9d9be285183e65a8d70522848cb91
Author: Petr Matousek <pmatouse@redhat.com>
Date: Thu Sep 18 08:35:37 2014 +0200
slirp: udp: fix NULL pointer dereference because of uninitialized socket
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Fix this by checking that the socket is not just a socket stub.
This is CVE-2014-3640.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
commit 5c3402816aaddb15156c69df73c54abe4e1c76aa
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed Sep 3 15:50:08 2014 +0200
spice: make sure we don't overflow ssd->buf
Related spice-only bug. We have a fixed 16 MB buffer here, being
presented to the spice-server as qxl video memory in case spice is
used with a non-qxl card. It's also used with qxl in vga mode.
When using display resolutions requiring more than 16 MB of memory we
are going to overflow that buffer. In theory the guest can write,
indirectly via spice-server. The spice-server clears the memory after
setting a new video mode though, triggering a segfault in the overflow
case, so qemu crashes before the guest has a chance to do something
evil.
Fix that by switching to dynamic allocation for the buffer.
CVE-2014-3615
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
commit 7154fba0e51ec985ef621965d1b7120ad424fcbf
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue Aug 26 15:35:23 2014 +0200
vbe: rework sanity checks
Plug a bunch of holes in the bochs dispi interface parameter checking.
Add a function doing verification on all registers. Call that
unconditionally on every register write. That way we should catch
everything, even changing one register affecting the valid range of
another register.
Some of the holes have been added by commit
e9c6149f6ae6873f14a12eea554925b6aa4c4dec. Before that commit the
maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES *
32 bpp) has been smaller than the qemu vga memory (8MB) and the checking
for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok.
Some of the holes have been there forever, such as
VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes
lacking any verification.
Security impact:
(1) Guest can make the ui (gtk/vnc/...) use memory rages outside the vga
frame buffer as source -> host memory leak. Memory isn't leaked to
the guest but to the vnc client though.
(2) Qemu will segfault in case the memory range happens to include
unmapped areas -> Guest can DoS itself.
The guest can not modify host memory, so I don't think this can be used
by the guest to escape.
CVE-2014-3615
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Conflicts:
hw/display/vga.c
commit bedbc31c141f712716ddc8933bd0a52abd0b1c8a
Author: Michael S. Tsirkin <mst@redhat.com>
Date: Tue May 13 12:33:16 2014 +0300
usb: fix up post load checks
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
seems fine, no need to fail migration
2. When state is DATA, passing index > len
will cause memcpy with negative length,
resulting in heap overflow
First of the issues was reported by dgilbert.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
commit c2757fed63ffa97bbf72c11983f22176227e9df0
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri Jul 4 11:43:49 2014 +0200
virtio-pci: fix MSI memory region use after free
After memory region QOMification QEMU is stricter in detecting
wrong usage of the memory region API. Here it detected a
memory_region_destroy done before the corresponding
memory_region_del_subregion; the memory_region_destroy is
done by msix_uninit_exclusive_bar, the memory_region_del_subregion
is done by the PCI core's pci_unregister_io_regions before
pc->exit is called.
The problem was introduced by
commit 06a1307379fcd6c551185ad87679cd7ed896b9ea
virtio-pci: add device_unplugged callback
As noted in that commit log, virtio device kick callbacks need to be
stopped before generic virtio is cleaned up. This is because these are
notifications from pci proxy to the generic virtio device so they need
to be stopped in the unplug call before the virtio device is unrealized.
However interrupts are notifications from the virtio device to
the pci proxy so they need to stay around while the device
is realized.
The memory API misuse caused an assertion when hot-unplugging virtio
devices. Using the API correctly fixes the assertion.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-03-17 14:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-17 14:29 [qemu-upstream-4.5-testing test] 36492: trouble: pass/preparing xen.org
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.