[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [qemu-upstream-4.3-testing test] 80730: regressions - FAIL
flight 80730 qemu-upstream-4.3-testing real [real] http://logs.test-lab.xenproject.org/osstest/logs/80730/ Regressions :-( Tests which did not succeed and are blocking, including tests which could not be run: test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 15 guest-localmigrate/x10 fail REGR. vs. 77983 Regressions which are regarded as allowable (not blocking): test-amd64-i386-xl-qemuu-win7-amd64 16 guest-stop fail like 77983 test-amd64-amd64-xl-qemuu-win7-amd64 16 guest-stop fail like 77983 Tests which did not succeed, but are not blocking: test-amd64-amd64-xl-qemuu-ovmf-amd64 9 debian-hvm-install fail never pass test-amd64-i386-xl-qemuu-ovmf-amd64 9 debian-hvm-install fail never pass test-amd64-amd64-libvirt 12 migrate-support-check fail never pass test-amd64-i386-libvirt 12 migrate-support-check fail never pass test-amd64-amd64-libvirt-vhd 11 migrate-support-check fail never pass version targeted for testing: qemuu 10c1b763c26feb645627a1639e722515f3e1e876 baseline version: qemuu 6e184363e64a0610c35ca231bfc73cea56eb02f3 Last test of basis 77983 2016-01-13 12:21:53 Z 24 days Testing same since 80730 2016-02-05 15:13:13 Z 0 days 1 attempts ------------------------------------------------------------ People who touched revisions under test: Gerd Hoffmann <kraxel@xxxxxxxxxx> Jason Wang <jasowang@xxxxxxxxxx> John Snow <jsnow@xxxxxxxxxx> Laszlo Ersek <lersek@xxxxxxxxxx> P J P <ppandit@xxxxxxxxxx> Paolo Bonzini <pbonzini@xxxxxxxxxx> Peter Maydell <peter.maydell@xxxxxxxxxx> Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Roger Pau Monne <roger.pau@xxxxxxxxxx> Roger Pau Monné <roger.pau@xxxxxxxxxx> Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> jobs: build-amd64 pass build-i386 pass build-amd64-libvirt pass build-i386-libvirt pass build-amd64-pvops pass build-i386-pvops pass test-amd64-amd64-xl pass test-amd64-i386-xl pass test-amd64-i386-qemuu-rhel6hvm-amd pass test-amd64-amd64-xl-qemuu-debianhvm-amd64 pass test-amd64-i386-xl-qemuu-debianhvm-amd64 pass test-amd64-i386-freebsd10-amd64 pass test-amd64-amd64-xl-qemuu-ovmf-amd64 fail test-amd64-i386-xl-qemuu-ovmf-amd64 fail test-amd64-amd64-xl-qemuu-win7-amd64 fail test-amd64-i386-xl-qemuu-win7-amd64 fail test-amd64-amd64-xl-credit2 pass test-amd64-i386-freebsd10-i386 pass test-amd64-i386-qemuu-rhel6hvm-intel pass test-amd64-amd64-libvirt pass test-amd64-i386-libvirt pass test-amd64-amd64-xl-multivcpu pass test-amd64-amd64-pair pass test-amd64-i386-pair pass test-amd64-amd64-pv pass test-amd64-i386-pv pass test-amd64-amd64-amd64-pvgrub pass test-amd64-amd64-i386-pvgrub pass test-amd64-amd64-pygrub pass test-amd64-amd64-xl-qcow2 pass test-amd64-i386-xl-raw pass test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 fail test-amd64-amd64-libvirt-vhd pass test-amd64-amd64-xl-qemuu-winxpsp3 pass ------------------------------------------------------------ sg-report-flight on osstest.test-lab.xenproject.org logs: /home/logs/logs images: /home/logs/images Logs, config files, etc. are available at http://logs.test-lab.xenproject.org/osstest/logs Explanation of these reports, and of osstest in general, is at http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master Test harness code can be found at http://xenbits.xen.org/gitweb?p=osstest.git;a=summary Not pushing. ------------------------------------------------------------ commit 10c1b763c26feb645627a1639e722515f3e1e876 Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Fri Nov 20 11:50:31 2015 +0530 net: pcnet: add check to validate receive data size(CVE-2015-7504) In loopback mode, pcnet_receive routine appends CRC code to the receive buffer. If the data size given is same as the buffer size, the appended CRC code overwrites 4 bytes after s->buffer. Added a check to avoid that. Reported by: Qinghao Tang <luodalongde@xxxxxxxxx> Cc: qemu-stable@xxxxxxxxxx Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> commit fc857bbe30c58b627423c58004d8d6e75df74846 Author: Jason Wang <jasowang@xxxxxxxxxx> Date: Mon Nov 30 15:00:06 2015 +0800 pcnet: fix rx buffer overflow(CVE-2015-7512) Backends could provide a packet whose length is greater than buffer size. Check for this and truncate the packet to avoid rx buffer overflow in this case. Cc: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Cc: qemu-stable@xxxxxxxxxx Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> commit 36b4f8a6fe38e1bd3c8ec51d4f6e168d05282713 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Mon Dec 14 09:21:23 2015 +0100 ehci: make idt processing more robust Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily run in circles forever if the guest builds a loop out of idts. This is CVE-2015-8558. Cc: qemu-stable@xxxxxxxxxx Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx> Tested-by: P J P <ppandit@xxxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> commit 921412688e6e0373097e3ab808e08fdacb20bac9 Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Wed Jan 20 01:26:46 2016 +0530 usb: check page select value while processing iTD While processing isochronous transfer descriptors(iTD), the page select(PG) field value could lead to an OOB read access. Add check to avoid it. Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Message-id: 1453233406-12165-1-git-send-email-ppandit@xxxxxxxxxx Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> commit e0f5252ed1ba0e1634e282a953a456da1ae637d6 Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Fri Jan 15 12:30:40 2016 +0530 net: cadence_gem: check packet size in gem_recieve While receiving packets in 'gem_receive' routine, if Frame Check Sequence(FCS) is enabled, it copies the packet into a local buffer without checking its size. Add check to validate packet length against the buffer size to avoid buffer overflow. Reported-by: Ling Liu <liuling-it@xxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> commit 4c32a1d125c7a541a0a4a95186e2af3b6d0a9004 Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Fri Feb 5 13:58:20 2016 +0000 ide: ahci: reset ncq object to unused on error When processing NCQ commands, AHCI device emulation prepares a NCQ transfer object; To which an aio control block(aiocb) object is assigned in 'execute_ncq_command'. In case, when the NCQ command is invalid, the 'aiocb' object is not assigned, and NCQ transfer object is left as 'used'. This leads to a use after free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. Reset NCQ transfer object to 'unused' to avoid it. [Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Reviewed-by: John Snow <jsnow@xxxxxxxxxx> Message-id: 1452282511-4116-1-git-send-email-ppandit@xxxxxxxxxx Signed-off-by: John Snow <jsnow@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> commit 240814db3ec94b6bc2947f5a5b256acb890fdf81 Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Thu Dec 31 17:05:27 2015 +0530 net: ne2000: fix bounds check in ioport operations While doing ioport r/w operations, ne2000 device emulation suffers from OOB r/w errors. Update respective array bounds check to avoid OOB access. Reported-by: Ling Liu <liuling-it@xxxxxx> Cc: qemu-stable@xxxxxxxxxx Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> commit dc3e0649dfa63bf63254057c9cbe2050cb73c26f Author: P J P <ppandit@xxxxxxxxxx> Date: Mon Dec 21 15:13:13 2015 +0530 scsi: initialise info object with appropriate size While processing controller 'CTRL_GET_INFO' command, the routine 'megasas_ctrl_get_info' overflows the '&info' object size. Use its appropriate size to null initialise it. Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> Cc: qemu-stable@xxxxxxxxxx Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Signed-off-by: P J P <ppandit@xxxxxxxxxx> commit ed858e4fafbb950761dd408ed9b2185ce4a3b38a Author: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Date: Thu Dec 3 18:54:17 2015 +0530 ui: vnc: avoid floating point exception While sending 'SetPixelFormat' messages to a VNC server, the client could set the 'red-max', 'green-max' and 'blue-max' values to be zero. This leads to a floating point exception in write_png_palette while doing frame buffer updates. Reported-by: Lian Yihan <lianyihan@xxxxxx> Signed-off-by: Prasad J Pandit <pjp@xxxxxxxxxxxxxxxxx> Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx> commit fbdaad6d9ff47f6ef5677d5e94f2b55d08f3545c Author: Laszlo Ersek <lersek@xxxxxxxxxx> Date: Tue Jan 19 14:17:20 2016 +0100 e1000: eliminate infinite loops on out-of-bounds transfer start The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares: - the TDLEN and RDLEN registers store the total size of the descriptor area, - while the TDH and RDH registers store the offset (in whole tx / rx descriptors) into the area where the transfer is supposed to start. Each time a descriptor is processed, the TDH and RDH register is bumped (as appropriate for the transfer direction). QEMU already contains logic to deal with bogus transfers submitted by the guest: - Normally, the transmit case wants to increase TDH from its initial value to TDT. (TDT is allowed to be numerically smaller than the initial TDH value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe that QEMU currently has here is a check against reaching the original TDH value again -- a complete wraparound, which should never happen. - In the receive case RDH is increased from its initial value until "total_size" bytes have been received; preferably in a single step, or in "s->rxbuf_size" byte steps, if the latter is smaller. However, null RX descriptors are skipped without receiving data, while RDH is incremented just the same. QEMU tries to prevent an infinite loop (processing only null RX descriptors) by detecting whether RDH assumes its original value during the loop. (Again, wrapping from RDLEN to 0 is normal.) What both directions miss is that the guest could program TDLEN and RDLEN so low, and the initial TDH and RDH so high, that these registers will immediately be truncated to zero, and then never reassume their initial values in the loop -- a full wraparound will never occur. The condition that expresses this is: xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) i.e., TDH or RDH start out after the last whole rx or tx descriptor that fits into the TDLEN or RDLEN sized area. This condition could be checked before we enter the loops, but pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for bogus DMA addresses, so we just extend the existing failsafes with the above condition. This is CVE-2016-1981. upstream-commit-id: dd793a74882477ca38d49e191110c17dfee51dcc Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx> Cc: Petr Matousek <pmatouse@xxxxxxxxxx> Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> Cc: Prasad Pandit <ppandit@xxxxxxxxxx> Cc: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx> Cc: Jason Wang <jasowang@xxxxxxxxxx> Cc: qemu-stable@xxxxxxxxxx RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx> Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> commit dfa931206ef90f27c4998399e03233501d7e8705 Author: Roger Pau Monne <roger.pau@xxxxxxxxxx> Date: Fri Nov 13 17:38:06 2015 +0000 xen: fix usage of xc_domain_create in domain builder Due to the addition of HVMlite and the requirement to always provide a valid xc_domain_configuration_t, xc_domain_create now always takes an arch domain config, which can be NULL in order to mimic previous behaviour. Add a small stub called xen_domain_create that encapsulates the correct call to xc_domain_create depending on the libxc version detected. Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> _______________________________________________ osstest-output mailing list osstest-output@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/osstest-output
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |