Branch: refs/heads/staging-7.2
  Home:   https://github.com/qemu/qemu
  Commit: 3559e90146d87980a4ea554dd781cf81242bbe80
      
https://github.com/qemu/qemu/commit/3559e90146d87980a4ea554dd781cf81242bbe80
  Author: Peter Maydell <[email protected]>
  Date:   2025-01-29 (Wed, 29 Jan 2025)

  Changed paths:
    M target/arm/sme_helper.c

  Log Message:
  -----------
  target/arm: arm_reset_sve_state() should set FPSR, not FPCR

The pseudocode ResetSVEState() does:
    FPSR = ZeroExtend(0x0800009f<31:0>, 64);
but QEMU's arm_reset_sve_state() called vfp_set_fpcr() by accident.

Before the advent of FEAT_AFP, this was only setting a collection of
RES0 bits, which vfp_set_fpsr() would then ignore, so the only effect
was that we didn't actually set the FPSR the way we are supposed to
do.  Once FEAT_AFP is implemented, setting the bottom bits of FPSR
will change the floating point behaviour.

Call vfp_set_fpsr(), as we ought to.

(Note for stable backports: commit 7f2a01e7368f9 moved this function
from sme_helper.c to helper.c, but it had the same bug before the
move too.)

Cc: [email protected]
Fixes: f84734b87461 ("target/arm: Implement SMSTART, SMSTOP")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 1edc3d43f20df0d04f8d00b906ba19fed37512a5)
Signed-off-by: Michael Tokarev <[email protected]>
(it is in sme_helper.c in 7.2, not in helper.c)


  Commit: 026168232681037ad2168210ffcbf6f74d0e7365
      
https://github.com/qemu/qemu/commit/026168232681037ad2168210ffcbf6f74d0e7365
  Author: Hongren Zheng <[email protected]>
  Date:   2025-01-29 (Wed, 29 Jan 2025)

  Changed paths:
    M hw/usb/canokey.c
    M hw/usb/canokey.h

  Log Message:
  -----------
  hw/usb/canokey: Fix buffer overflow for OUT packet

When USBPacket in OUT direction has larger payload
than the ep_out_buffer (of size 512), a buffer overflow
would occur.

It could be fixed by limiting the size of usb_packet_copy
to be at most buffer size. Further optimization gets rid
of the ep_out_buffer and directly uses ep_out as the target
buffer.

This was reported by a security researcher who artificially
constructed an OUT packet of size 2047. The report has gone
through the QEMU security process, and as this device is for
testing purposes and no deployment of it in virtualization
environments is observed, it is triaged not to be a security bug.

Cc: [email protected]
Fixes: d7d34918551dc48 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <[email protected]>
Signed-off-by: Hongren Zheng <[email protected]>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 664280abddcb3cacc9c6204706bb739fcc1316f7)
Signed-off-by: Michael Tokarev <[email protected]>
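The commit message above describes the fix as clamping the length passed to the copy routine to the size of the OUT endpoint buffer. The following C program is an added illustration of that bounded-copy shape, not code from QEMU or from the canokey device model: the names ep_state_t, out_packet_t, copy_out_bounded and demo_out_packets are hypothetical, the 512-byte buffer size and the 2047-byte packet length come from the commit message, and the packet payload is constructed inline so the program runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the OUT endpoint buffer size; the commit message says
 * ep_out_buffer is 512 bytes. Every identifier in this file is a
 * hypothetical name for illustration, not QEMU's. */
#define EP_OUT_SIZE 512

/* Minimal model of a USB OUT packet: payload length plus data pointer.
 * QEMU copies out of the packet's iovec with usb_packet_copy(); a flat
 * pointer is enough to show where the bound check belongs. */
typedef struct {
    const uint8_t *data;
    size_t len;
} out_packet_t;

typedef struct {
    uint8_t ep_out[EP_OUT_SIZE];  /* fixed-size target buffer */
    size_t  ep_out_len;           /* bytes stored by the last OUT packet */
    size_t  dropped_total;        /* bytes discarded across all packets */
} ep_state_t;

/* The hardened shape of the fix: the copy length is the minimum of the
 * packet length and the buffer size, so a packet of any length (the report
 * used 2047 bytes) can never write past ep_out. Returns the number of bytes
 * stored; the caller decides whether a truncated packet is a protocol error. */
size_t copy_out_bounded(ep_state_t *st, const out_packet_t *p)
{
    size_t n = p->len < EP_OUT_SIZE ? p->len : EP_OUT_SIZE;
    memcpy(st->ep_out, p->data, n);
    st->ep_out_len = n;
    st->dropped_total += p->len - n;
    return n;
}

/* Feed three constructed packets (64, 512 and 2047 bytes) through the
 * bounded copy and return the total number of bytes dropped. Only the
 * over-long packet loses data: 2047 - 512 = 1535 bytes. The payload is a
 * fixed byte pattern so the stored contents can be checked afterwards. */
size_t demo_out_packets(ep_state_t *st)
{
    static uint8_t payload[2047];           /* constructed sample payload */
    for (size_t i = 0; i < sizeof payload; i++) {
        payload[i] = (uint8_t)i;
    }
    memset(st, 0, sizeof *st);

    const size_t lens[] = { 64, 512, 2047 };
    for (size_t k = 0; k < 3; k++) {
        out_packet_t pkt = { payload, lens[k] };
        size_t stored = copy_out_bounded(st, &pkt);
        printf("OUT packet len=%zu stored=%zu dropped=%zu\n",
               lens[k], stored, lens[k] - stored);
    }
    return st->dropped_total;
}

int main(void)
{
    ep_state_t st;
    size_t dropped = demo_out_packets(&st);
    printf("total dropped: %zu, last packet stored %zu bytes\n",
           dropped, st.ep_out_len);
    return 0;
}
```

The point to check in any device model with a fixed-size endpoint buffer is that the copy length is derived from the destination capacity, not from the guest-controlled packet length; whether the excess is silently dropped, as here, or answered with a STALL is a separate protocol decision, but either way the write stays inside the buffer.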


Compare: https://github.com/qemu/qemu/compare/19bee15f892f...026168232681
