Xen project Mailing List

[Xen-devel] [qemu-upstream-4.3-testing baseline-only test] 66487: trouble: blocked/broken

To: <xen-devel@xxxxxxxxxxxxxxxxxxx>, <osstest-admin@xxxxxxxxxxxxxx>

From: Platform Team regression test user <citrix-osstest@xxxxxxxxxxxxxx>

Date: Fri, 1 Jul 2016 17:51:31 +0100

Delivery-date: Fri, 01 Jul 2016 16:51:41 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

This run is configured for baseline tests only. flight 66487 qemu-upstream-4.3-testing real [real] http://osstest.xs.citrite.net/~osstest/testlogs/logs/66487/ Failures and problems with tests :-( Tests which did not succeed and are blocking, including tests which could not be run: build-i386-pvops 3 host-install(3) broken REGR. vs. 38730 build-i386 3 host-install(3) broken REGR. vs. 38730 build-amd64-pvops 3 host-install(3) broken REGR. vs. 38730 build-amd64 3 host-install(3) broken REGR. vs. 38730 Tests which did not succeed, but are not blocking: build-amd64-libvirt 1 build-check(1) blocked n/a build-i386-libvirt 1 build-check(1) blocked n/a test-amd64-i386-xl-qemuu-ovmf-amd64 1 build-check(1) blocked n/a test-amd64-i386-xl-raw 1 build-check(1) blocked n/a test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 1 build-check(1) blocked n/a test-amd64-i386-qemuu-rhel6hvm-amd 1 build-check(1) blocked n/a test-amd64-i386-pv 1 build-check(1) blocked n/a test-amd64-i386-xl-qemuu-win7-amd64 1 build-check(1) blocked n/a test-amd64-i386-xl-qemuu-debianhvm-amd64 1 build-check(1) blocked n/a test-amd64-amd64-xl-qemuu-ovmf-amd64 1 build-check(1) blocked n/a test-amd64-amd64-xl-qemuu-debianhvm-amd64 1 build-check(1) blocked n/a test-amd64-i386-freebsd10-i386 1 build-check(1) blocked n/a test-amd64-i386-libvirt 1 build-check(1) blocked n/a test-amd64-amd64-xl-multivcpu 1 build-check(1) blocked n/a test-amd64-i386-qemuu-rhel6hvm-intel 1 build-check(1) blocked n/a test-amd64-i386-freebsd10-amd64 1 build-check(1) blocked n/a test-amd64-amd64-pair 1 build-check(1) blocked n/a test-amd64-amd64-xl-qemuu-win7-amd64 1 build-check(1) blocked n/a test-amd64-amd64-pygrub 1 build-check(1) blocked n/a test-amd64-amd64-xl-qemuu-winxpsp3 1 build-check(1) blocked n/a test-amd64-amd64-xl-qcow2 1 build-check(1) blocked n/a test-amd64-i386-xl 1 build-check(1) blocked n/a test-amd64-amd64-libvirt-vhd 1 build-check(1) blocked n/a test-amd64-amd64-xl-credit2 1 build-check(1) blocked n/a test-amd64-amd64-pv 1 build-check(1) blocked n/a test-amd64-amd64-xl 1 build-check(1) blocked n/a test-amd64-i386-pair 1 build-check(1) blocked n/a test-amd64-amd64-amd64-pvgrub 1 build-check(1) blocked n/a test-amd64-amd64-i386-pvgrub 1 build-check(1) blocked n/a test-amd64-amd64-libvirt 1 build-check(1) blocked n/a version targeted for testing: qemuu 12e8fccf5b5460be7aecddc71d27eceaba6e1f15 baseline version: qemuu 10c1b763c26feb645627a1639e722515f3e1e876 Last test of basis 38730 2016-02-07 19:50:19 Z 144 days Testing same since 66487 2016-07-01 10:50:18 Z 0 days 1 attempts ------------------------------------------------------------ People who touched revisions under test: Anthony PERARD <anthony.perard@xxxxxxxxxx> Gerd Hoffmann <kraxel@xxxxxxxxxx> Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Stefano Stabellini <sstabellini@xxxxxxxxxx> Wei Liu <wei.liu2@xxxxxxxxxx> jobs: build-amd64 broken build-i386 broken build-amd64-libvirt blocked build-i386-libvirt blocked build-amd64-pvops broken build-i386-pvops broken test-amd64-amd64-xl blocked test-amd64-i386-xl blocked test-amd64-i386-qemuu-rhel6hvm-amd blocked test-amd64-amd64-xl-qemuu-debianhvm-amd64 blocked test-amd64-i386-xl-qemuu-debianhvm-amd64 blocked test-amd64-i386-freebsd10-amd64 blocked test-amd64-amd64-xl-qemuu-ovmf-amd64 blocked test-amd64-i386-xl-qemuu-ovmf-amd64 blocked test-amd64-amd64-xl-qemuu-win7-amd64 blocked test-amd64-i386-xl-qemuu-win7-amd64 blocked test-amd64-amd64-xl-credit2 blocked test-amd64-i386-freebsd10-i386 blocked test-amd64-i386-qemuu-rhel6hvm-intel blocked test-amd64-amd64-libvirt blocked test-amd64-i386-libvirt blocked test-amd64-amd64-xl-multivcpu blocked test-amd64-amd64-pair blocked test-amd64-i386-pair blocked test-amd64-amd64-pv blocked test-amd64-i386-pv blocked test-amd64-amd64-amd64-pvgrub blocked test-amd64-amd64-i386-pvgrub blocked test-amd64-amd64-pygrub blocked test-amd64-amd64-xl-qcow2 blocked test-amd64-i386-xl-raw blocked test-amd64-i386-xl-qemuu-winxpsp3-vcpus1 blocked test-amd64-amd64-libvirt-vhd blocked test-amd64-amd64-xl-qemuu-winxpsp3 blocked ------------------------------------------------------------ sg-report-flight on osstest.xs.citrite.net logs: /home/osstest/logs images: /home/osstest/images Logs, config files, etc. are available at http://osstest.xs.citrite.net/~osstest/testlogs/logs Test harness code can be found at http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary broken-step build-i386-pvops host-install(3) broken-step build-i386 host-install(3) broken-step build-amd64-pvops host-install(3) broken-step build-amd64 host-install(3) Push not applicable. ------------------------------------------------------------ commit 12e8fccf5b5460be7aecddc71d27eceaba6e1f15 Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Date: Thu May 26 16:21:56 2016 +0100 main loop: Big hammer to fix logfile disk DoS in Xen setups Each time round the main loop, we now fstat stderr. If it is too big, we dup2 /dev/null onto it. This is not a very pretty patch but it is very simple, easy to see that it's correct, and has a low risk of collateral damage. There is no limit by default but can be adjusted by setting a new environment variable. This fixes CVE-2014-3672. Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Tested-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Set the default to 0 so that it won't affect non-xen installation. The limit will be set by Xen toolstack. Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> (cherry picked from commit 44a072f0de0d57c95c2212bbce02888832b7b74f) commit 0aabf85123a437e60e6cfb15f13bc559b75a21d5 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Tue May 17 10:54:54 2016 +0200 vga: add sr_vbe register set Commit "fd3c136 vga: make sure vga register setup for vbe stays intact (CVE-2016-3712)." causes a regression. The win7 installer is unhappy because it can't freely modify vga registers any more while in vbe mode. This patch introduces a new sr_vbe register set. The vbe_update_vgaregs will fill sr_vbe[] instead of sr[]. Normal vga register reads and writes go to sr[]. Any sr register read access happens through a new sr() helper function which will read from sr_vbe[] with vbe active and from sr[] otherwise. This way we can allow guests update sr[] registers as they want, without allowing them disrupt vbe video modes that way. upstream-commit-id: 94ef4f337fb614f18b765a8e0e878a4c23cdedcd Cc: qemu-stable@xxxxxxxxxx Reported-by: Thomas Lamprecht <thomas@xxxxxxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Message-id: 1463475294-14119-1-git-send-email-kraxel@xxxxxxxxxx commit c97c20f71240a538a19cb6b0e598bc1bbd5168f1 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed May 4 17:43:36 2016 +0100 vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT registers, to make sure the vga registers will always have the values needed by vbe mode. This makes sure the sanity checks applied by vbe_fixup_regs() are effective. Without this guests can muck with shift_control, can turn on planar vga modes or text mode emulation while VBE is active, making qemu take code paths meant for CGA compatibility, but with the very large display widths and heigts settable using VBE registers. Which is good for one or another buffer overflow. Not that critical as they typically read overflows happening somewhere in the display code. So guests can DoS by crashing qemu with a segfault, but it is probably not possible to break out of the VM. upstream-commit-id: fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7 Fixes: CVE-2016-3712 Reported-by: Zuozhi Fzz <zuozhi.fzz@xxxxxxxxxxxxxxx> Reported-by: P J P <ppandit@xxxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> commit 5ee8a0795e9656b370e9f67b6acea2f2690a1aca Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed May 4 17:42:59 2016 +0100 vga: update vga register setup on vbe changes Call the new vbe_update_vgaregs() function on vbe configuration changes, to make sure vga registers are up-to-date. upstream-commit-id: 2068192dcccd8a80dddfcc8df6164cf9c26e0fc4 Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> commit 7073ff0127babd7d8b35326cf50753b337b23bb0 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed May 4 17:42:24 2016 +0100 vga: factor out vga register setup When enabling vbe mode qemu will setup a bunch of vga registers to make sure the vga emulation operates in correct mode for a linear framebuffer. Move that code to a separate function so we can call it from other places too. upstream-commit-id: 7fa5c2c5dc9f9bf878c1e8669eb9644d70a71e71 Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> commit 856e1ebb1fcc44856ef682e31295310a29e66ffd Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed May 4 17:41:39 2016 +0100 vga: add vbe_enabled() helper Makes code a bit easier to read. upstream-commit-id: bfa0f151a564a83b5a26f3e917da98674bf3cf62 Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> commit cae20a4a923c292158080bf538d7583fc2e1b455 Author: Gerd Hoffmann <kraxel@xxxxxxxxxx> Date: Wed May 4 17:40:58 2016 +0100 vga: fix banked access bounds checking (CVE-2016-3710) vga allows banked access to video memory using the window at 0xa00000 and it supports a different access modes with different address calculations. The VBE bochs extentions support banked access too, using the VBE_DISPI_INDEX_BANK register. The code tries to take the different address calculations into account and applies different limits to VBE_DISPI_INDEX_BANK depending on the current access mode. Which is probably effective in stopping misprogramming by accident. But from a security point of view completely useless as an attacker can easily change access modes after setting the bank register. Drop the bogus check, add range checks to vga_mem_{readb,writeb} instead. upstream-commit-id: 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e Fixes: CVE-2016-3710 Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx> Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.