|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [qemu-upstream-4.5-testing test] 36492: trouble: pass/preparing
flight 36492 qemu-upstream-4.5-testing running [real] http://www.chiark.greenend.org.uk/~xensrcts/logs/36492/ Failures and problems with tests :-( Tests which did not succeed and are blocking, including tests which could not be run: test-amd64-i386-xl-qemuu-win7-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-qemut-rhel6hvm-amd 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemut-debianhvm-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-freebsd10-amd64 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemut-debianhvm-amd64 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-pcipt-intel 2 hosts-allocate running [st=running!] test-amd64-i386-libvirt 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-pvh-amd 2 hosts-allocate running [st=running!] test-armhf-armhf-xl-multivcpu 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-sedf 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-sedf-pin 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-credit2 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemut-win7-amd64 2 hosts-allocate running [st=running!] test-armhf-armhf-xl 2 hosts-allocate running [st=running!] test-armhf-armhf-xl-credit2 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemuu-debianhvm-amd64 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-multivcpu 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemuu-ovmf-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-pair 2 hosts-allocate running [st=running!] test-amd64-amd64-libvirt 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemuu-win7-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-qemuu-rhel6hvm-amd 2 hosts-allocate running [st=running!] test-amd64-i386-xl-winxpsp3 2 hosts-allocate running [st=running!] test-armhf-armhf-xl-midway 2 hosts-allocate running [st=running!] test-amd64-i386-rhel6hvm-amd 2 hosts-allocate running [st=running!] test-armhf-armhf-xl-sedf-pin 2 hosts-allocate running [st=running!] test-amd64-amd64-xl 2 hosts-allocate running [st=running!] test-amd64-i386-rhel6hvm-intel 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemut-winxpsp3 2 hosts-allocate running [st=running!] test-amd64-i386-freebsd10-i386 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-winxpsp3 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemut-winxpsp3-vcpus1 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemut-win7-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemuu-winxpsp3 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemut-winxpsp3 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-win7-amd64 2 hosts-allocate running [st=running!] test-armhf-armhf-libvirt 2 hosts-allocate running [st=running!] test-amd64-amd64-pair 2 hosts-allocate running [st=running!] test-amd64-i386-xl 2 hosts-allocate running [st=running!] test-amd64-i386-qemuu-rhel6hvm-intel 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemuu-ovmf-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-xl-win7-amd64 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-pvh-intel 2 hosts-allocate running [st=running!] test-armhf-armhf-xl-sedf 2 hosts-allocate running [st=running!] test-amd64-i386-qemut-rhel6hvm-intel 2 hosts-allocate running [st=running!] test-amd64-i386-xl-qemuu-debianhvm-amd64 2 hosts-allocate running [st=running!] test-amd64-i386-xl-winxpsp3-vcpus1 2 hosts-allocate running [st=running!] test-amd64-amd64-xl-qemuu-winxpsp3 2 hosts-allocate running [st=running!] version targeted for testing: qemuu 0b8fb1ec3d666d1eb8bbff56c76c5e6daa2789e4 baseline version: qemuu 1ebb75b1fee779621b63e84fefa7b07354c43a99 ------------------------------------------------------------ People who touched revisions under test: Gerd Hoffmann <kraxel@xxxxxxxxxx> Gonglei <arei.gonglei@xxxxxxxxxx> Juan Quintela <quintela@xxxxxxxxxx> Michael S. Tsirkin <mst@xxxxxxxxxx> Paolo Bonzini <pbonzini@xxxxxxxxxx> Peter Maydell <peter.maydell@xxxxxxxxxx> Petr Matousek <pmatouse@xxxxxxxxxx> Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> ------------------------------------------------------------ jobs: build-amd64 pass build-armhf pass build-i386 pass build-amd64-libvirt pass build-armhf-libvirt pass build-i386-libvirt pass build-amd64-pvops pass build-armhf-pvops pass build-i386-pvops pass test-amd64-amd64-xl preparing test-armhf-armhf-xl preparing test-amd64-i386-xl preparing test-amd64-amd64-xl-pvh-amd preparing test-amd64-i386-rhel6hvm-amd preparing test-amd64-i386-qemut-rhel6hvm-amd preparing test-amd64-i386-qemuu-rhel6hvm-amd preparing test-amd64-amd64-xl-qemut-debianhvm-amd64 preparing test-amd64-i386-xl-qemut-debianhvm-amd64 preparing test-amd64-amd64-xl-qemuu-debianhvm-amd64 preparing test-amd64-i386-xl-qemuu-debianhvm-amd64 preparing test-amd64-i386-freebsd10-amd64 preparing test-amd64-amd64-xl-qemuu-ovmf-amd64 preparing test-amd64-i386-xl-qemuu-ovmf-amd64 preparing test-amd64-amd64-xl-qemut-win7-amd64 preparing test-amd64-i386-xl-qemut-win7-amd64 preparing test-amd64-amd64-xl-qemuu-win7-amd64 preparing test-amd64-i386-xl-qemuu-win7-amd64 preparing test-amd64-amd64-xl-win7-amd64 preparing test-amd64-i386-xl-win7-amd64 preparing test-amd64-amd64-xl-credit2 preparing test-armhf-armhf-xl-credit2 preparing test-amd64-i386-freebsd10-i386 preparing test-amd64-amd64-xl-pcipt-intel preparing test-amd64-amd64-xl-pvh-intel preparing test-amd64-i386-rhel6hvm-intel preparing test-amd64-i386-qemut-rhel6hvm-intel preparing test-amd64-i386-qemuu-rhel6hvm-intel preparing test-amd64-amd64-libvirt preparing test-armhf-armhf-libvirt preparing test-amd64-i386-libvirt preparing test-armhf-armhf-xl-midway preparing test-amd64-amd64-xl-multivcpu preparing test-armhf-armhf-xl-multivcpu preparing test-amd64-amd64-pair preparing test-amd64-i386-pair preparing test-amd64-amd64-xl-sedf-pin preparing test-armhf-armhf-xl-sedf-pin preparing test-amd64-amd64-xl-sedf preparing test-armhf-armhf-xl-sedf preparing test-amd64-i386-xl-qemut-winxpsp3-vcpus1 preparing test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 preparing test-amd64-i386-xl-winxpsp3-vcpus1 preparing test-amd64-amd64-xl-qemut-winxpsp3 preparing test-amd64-i386-xl-qemut-winxpsp3 preparing test-amd64-amd64-xl-qemuu-winxpsp3 preparing test-amd64-i386-xl-qemuu-winxpsp3 preparing test-amd64-amd64-xl-winxpsp3 preparing test-amd64-i386-xl-winxpsp3 preparing ------------------------------------------------------------ sg-report-flight on osstest.cam.xci-test.com logs: /home/xc_osstest/logs images: /home/xc_osstest/images Logs, config files, etc. are available at http://www.chiark.greenend.org.uk/~xensrcts/logs Test harness code can be found at http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary broken test-amd64-i386-xl-qemuu-win7-amd64 hosts-allocate running broken test-amd64-i386-qemut-rhel6hvm-amd hosts-allocate running broken test-amd64-i386-xl-qemut-debianhvm-amd64 hosts-allocate running broken test-amd64-i386-freebsd10-amd64 hosts-allocate running broken test-amd64-amd64-xl-qemut-debianhvm-amd64 hosts-allocate running broken test-amd64-amd64-xl-pcipt-intel hosts-allocate running broken test-amd64-i386-libvirt hosts-allocate running broken test-amd64-amd64-xl-pvh-amd hosts-allocate running broken test-armhf-armhf-xl-multivcpu hosts-allocate running broken test-amd64-amd64-xl-sedf hosts-allocate running broken test-amd64-amd64-xl-sedf-pin hosts-allocate running broken test-amd64-amd64-xl-credit2 hosts-allocate running broken test-amd64-amd64-xl-qemut-win7-amd64 hosts-allocate running broken test-armhf-armhf-xl hosts-allocate running broken test-armhf-armhf-xl-credit2 hosts-allocate running broken test-amd64-amd64-xl-qemuu-debianhvm-amd64 hosts-allocate running broken test-amd64-amd64-xl-multivcpu hosts-allocate running broken test-amd64-i386-xl-qemuu-ovmf-amd64 hosts-allocate running broken test-amd64-i386-pair hosts-allocate running broken test-amd64-amd64-libvirt hosts-allocate running broken test-amd64-amd64-xl-qemuu-win7-amd64 hosts-allocate running broken test-amd64-i386-qemuu-rhel6hvm-amd hosts-allocate running broken test-amd64-i386-xl-winxpsp3 hosts-allocate running broken test-armhf-armhf-xl-midway hosts-allocate running broken test-amd64-i386-rhel6hvm-amd hosts-allocate running broken test-armhf-armhf-xl-sedf-pin hosts-allocate running broken test-amd64-amd64-xl hosts-allocate running broken test-amd64-i386-rhel6hvm-intel hosts-allocate running broken test-amd64-i386-xl-qemut-winxpsp3 hosts-allocate running broken test-amd64-i386-freebsd10-i386 hosts-allocate running broken test-amd64-amd64-xl-winxpsp3 hosts-allocate running broken test-amd64-i386-xl-qemut-winxpsp3-vcpus1 hosts-allocate running broken test-amd64-i386-xl-qemut-win7-amd64 hosts-allocate running broken test-amd64-i386-xl-qemuu-winxpsp3 hosts-allocate running broken test-amd64-amd64-xl-qemut-winxpsp3 hosts-allocate running broken test-amd64-amd64-xl-win7-amd64 hosts-allocate running broken test-armhf-armhf-libvirt hosts-allocate running broken test-amd64-amd64-pair hosts-allocate running broken test-amd64-i386-xl hosts-allocate running broken test-amd64-i386-qemuu-rhel6hvm-intel hosts-allocate running broken test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 hosts-allocate running broken test-amd64-amd64-xl-qemuu-ovmf-amd64 hosts-allocate running broken test-amd64-i386-xl-win7-amd64 hosts-allocate running broken test-amd64-amd64-xl-pvh-intel hosts-allocate running broken test-armhf-armhf-xl-sedf hosts-allocate running broken test-amd64-i386-qemut-rhel6hvm-intel hosts-allocate running broken test-amd64-i386-xl-qemuu-debianhvm-amd64 hosts-allocate running broken test-amd64-i386-xl-winxpsp3-vcpus1 hosts-allocate running broken test-amd64-amd64-xl-qemuu-winxpsp3 hosts-allocate running Not pushing. ------------------------------------------------------------ commit 0b8fb1ec3d666d1eb8bbff56c76c5e6daa2789e4 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed Nov 19 13:27:28 2014 +0100 cirrus: don't overflow CirrusVGAState->cirrus_bltbuf This is CVE-2014-8106. Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> commit f49151814120538bac6c6f12109968544027cc20 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed Nov 19 11:37:42 2014 +0100 cirrus: fix blit region check Issues: * Doesn't check pitches correctly in case it is negative. * Doesn't check width at all. Turn macro into functions while being at it, also factor out the check for one region which we then can simply call twice for src + dst. This is CVE-2014-8106. Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> commit 99aa8a7e0a05cec2eb7562ab7107b27c6b042b08 Author: Petr Matousek <pmatouse@xxxxxxxxxx> Date: Mon Oct 27 12:41:44 2014 +0100 vnc: sanitize bits_per_pixel from the client bits_per_pixel that are less than 8 could result in accessing non-initialized buffers later in the code due to the expectation that bytes_per_pixel value that is used to initialize these buffers is never zero. To fix this check that bits_per_pixel from the client is one of the values that the rfb protocol specification allows. This is CVE-2014-7815. Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx> [ kraxel: apply codestyle fix ] Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> commit 94d09f22b790648493038f964d2fc171b26f52f5 Author: Gonglei <arei.gonglei@xxxxxxxxxx> Date: Wed Aug 20 13:52:30 2014 +0800 pcihp: fix possible array out of bounds Prevent out-of-bounds array access on acpi_pcihp_pci_status. Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx> Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx> Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Cc: qemu-stable@xxxxxxxxxx Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx> commit 07fcd79289717c076b39d36ec666653422ee0646 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Mon Oct 6 11:42:34 2014 +0200 vmware-vga: CVE-2014-3689: turn off hw accel Quick & easy stopgap for CVE-2014-3689: We just compile out the hardware acceleration functions which lack sanity checks. Thankfully we have capability bits for them (SVGA_CAP_RECT_COPY and SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory. Subsequent patches will add the missing checks and re-enable the hardware acceleration emulation. Cc: qemu-stable@xxxxxxxxxx Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Reviewed-by: Don Koch <dkoch@xxxxxxxxxxx> commit 979e4eaa94f9d9be285183e65a8d70522848cb91 Author: Petr Matousek <pmatouse@xxxxxxxxxx> Date: Thu Sep 18 08:35:37 2014 +0200 slirp: udp: fix NULL pointer dereference because of uninitialized socket When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@xxxxxxxxxx> Reported-by: Stephane Duverger <stephane.duverger@xxxxxxxx> Reviewed-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx> Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx> Message-id: 20140918063537.GX9321@xxxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx> commit 5c3402816aaddb15156c69df73c54abe4e1c76aa Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed Sep 3 15:50:08 2014 +0200 spice: make sure we don't overflow ssd->buf Related spice-only bug. We have a fixed 16 MB buffer here, being presented to the spice-server as qxl video memory in case spice is used with a non-qxl card. It's also used with qxl in vga mode. When using display resolutions requiring more than 16 MB of memory we are going to overflow that buffer. In theory the guest can write, indirectly via spice-server. The spice-server clears the memory after setting a new video mode though, triggering a segfault in the overflow case, so qemu crashes before the guest has a chance to do something evil. Fix that by switching to dynamic allocation for the buffer. CVE-2014-3615 Cc: qemu-stable@xxxxxxxxxx Cc: secalert@xxxxxxxxxx Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx> commit 7154fba0e51ec985ef621965d1b7120ad424fcbf Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Tue Aug 26 15:35:23 2014 +0200 vbe: rework sanity checks Plug a bunch of holes in the bochs dispi interface parameter checking. Add a function doing verification on all registers. Call that unconditionally on every register write. That way we should catch everything, even changing one register affecting the valid range of another register. Some of the holes have been added by commit e9c6149f6ae6873f14a12eea554925b6aa4c4dec. Before that commit the maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES * 32 bpp) has been smaller than the qemu vga memory (8MB) and the checking for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok. Some of the holes have been there forever, such as VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes lacking any verification. Security impact: (1) Guest can make the ui (gtk/vnc/...) use memory rages outside the vga frame buffer as source -> host memory leak. Memory isn't leaked to the guest but to the vnc client though. (2) Qemu will segfault in case the memory range happens to include unmapped areas -> Guest can DoS itself. The guest can not modify host memory, so I don't think this can be used by the guest to escape. CVE-2014-3615 Cc: qemu-stable@xxxxxxxxxx Cc: secalert@xxxxxxxxxx Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> Conflicts: hw/display/vga.c commit bedbc31c141f712716ddc8933bd0a52abd0b1c8a Author: Michael S. Tsirkin <mst@xxxxxxxxxx> Date: Tue May 13 12:33:16 2014 +0300 usb: fix up post load checks Correct post load checks: 1. dev->setup_len == sizeof(dev->data_buf) seems fine, no need to fail migration 2. When state is DATA, passing index > len will cause memcpy with negative length, resulting in heap overflow First of the issues was reported by dgilbert. Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx> commit c2757fed63ffa97bbf72c11983f22176227e9df0 Author: Paolo Bonzini <pbonzini@xxxxxxxxxx> Date: Fri Jul 4 11:43:49 2014 +0200 virtio-pci: fix MSI memory region use after free After memory region QOMification QEMU is stricter in detecting wrong usage of the memory region API. Here it detected a memory_region_destroy done before the corresponding memory_region_del_subregion; the memory_region_destroy is done by msix_uninit_exclusive_bar, the memory_region_del_subregion is done by the PCI core's pci_unregister_io_regions before pc->exit is called. The problem was introduced by commit 06a1307379fcd6c551185ad87679cd7ed896b9ea virtio-pci: add device_unplugged callback As noted in that commit log, virtio device kick callbacks need to be stopped before generic virtio is cleaned up. This is because these are notifications from pci proxy to the generic virtio device so they need to be stopped in the unplug call before the virtio device is unrealized. However interrupts are notifications from the virtio device to the pci proxy so they need to stay around while the device is realized. The memory API misuse caused an assertion when hot-unplugging virtio devices. Using the API correctly fixes the assertion. Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx> Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |