review.tizen.org Git - sdk/emulator/qemu.git/log

do not call g_thread_init() for glib >= 2.31

glib >= 2.31 always enables thread support and g_thread_supported()
is #defined to 1, there's no need to call g_thread_init() anymore,
and it definitely does not need to report error which never happens.
Keep code for old < 2.31 glibc anyway for now, just #ifdef it
differently.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-trivial@nongnu.org

hw/9pfs: Add include file for exported symbol

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

xen: remove unused global, xen_xcg

Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jim Meyering <meyering@redhat.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw: Add missing 'static' attributes

This fixes warnings from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

qemu-timer: Add missing 'static' attribute

This fixes a warning from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

ui: Add missing 'static' attribute

There was already a forward declaration using 'static',
but the attribute was missing in the implementation.

This fixes a warning from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

monitor: Add missing 'static' attribute

This fixes a warning from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw/s390x: Add missing 'static' attribute

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw/mips: Add missing 'static' and 'const' attributes

This fixes a warning from the static code analysis (smatch).

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Acked-by: Aurelien Jarno <aurelien@aurel32.net>

hw/9pfs: Add missing 'static' attributes

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()

When DPRINTF() has effect, the original author wants to print all
ram_load() calling results. So need use 'goto' instead of 'return'
within ram_load(), just like other areas have done.

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

tests/tcg: Fix compilation of test_path

The test_path binary is (unlike the other test binaries in tests/tcg)
actually intended to be compiled with the same compiler used to build
the main QEMU executables. It actually #includes a number of the
QEMU source files in an attempt to unit-test the util/path.c functions,
and so if it is not compiled with the same compiler used by configure
to set CONFIG_ settings then it is liable to fail to build.
Fix the makefile to build it with the default C compiler rules, not
CC_I386, and fix the test itself not to include a lot of unnecessary
trace related source files which cause the build to fail if the trace
backend is anything other than 'simple'.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

qga: Fix typo (plural) in comment

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

configure: remove bashism

Commit e26110cfc67d48 added a check for shacmd to create a hash
for modules. This check in configure is using bash construct &>
to redirect both stdout and stderr, which does fun things on some
shells. Get rid of it, use standard redirection instead.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Fam Zheng <famz@redhat.com>

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20140507' into staging

Some improvements for s390.

Two patches deal with address translation, one fixes a problem in the
channel subsystem code.

# gpg: Signature made Wed 07 May 2014 09:29:30 BST using RSA key ID C6F02FAF
# gpg: Can't check signature: public key not found

* remotes/cohuck/tags/s390x-20140507:
  s390x/css: Don't save orb in subchannel.
  s390x/helper: Added format control bit to MMU translation
  s390x/helper: Fixed real-to-absolute address translation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' into staging

migration/next for 20140505

# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20140505: (36 commits)
  migration: expose xbzrle cache miss rate
  migration: expose the bitmap_sync_count to the end
  migration: Add counts of updating the dirty bitmap
  XBZRLE: Fix one XBZRLE corruption issues
  migration: remove duplicate code
  Coverity: Fix failure path for qemu_accept in migration
  Init the XBZRLE.lock in ram_mig_init
  Provide init function for ram migration
  Count used RAMBlock pages for migration_dirty_pages
  Make qemu_peek_buffer loop until it gets it's data
  Disallow outward migration while awaiting incoming migration
  virtio: validate config_len on load
  virtio-net: out-of-bounds buffer write on load
  openpic: avoid buffer overrun on incoming migration
  ssi-sd: fix buffer overrun on invalid state load
  savevm: Ignore minimum_version_id_old if there is no load_state_old
  usb: sanity check setup_index+setup_len in post_load
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
  virtio-scsi: fix buffer overrun on invalid state load
  zaurus: fix buffer overrun on invalid state load
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging

QOM/QTest infrastructure fixes and device conversions

* -device / device_add assertion fix
* QEMUMachine conversion to MachineClass
* Device error handling improvements
* QTest cleanups and test cases for some more PCI devices
* PortIO memory leak fixes

# gpg: Signature made Mon 05 May 2014 19:59:16 BST using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg:                 aka "Andreas Färber <afaerber@suse.com>"

* remotes/afaerber/tags/qom-devices-for-peter:
  PortioList: Store PortioList in device state
  tests: Add EHCI qtest
  tests: Add ioh3420 qtest
  tests: Add intel-hda qtests
  tests: Add es1370 qtest
  tests: Add ac97 qtest
  qtest: Be paranoid about accept() addrlen argument
  qtest: Add error reporting to socket_accept()
  qtest: Assure that init_socket()'s listen() does not fail
  MAINTAINERS: Document QOM
  arm: Clean up fragile use of error_is_set() in realize() methods
  qom: Clean up fragile use of error_is_set() in set() methods
  hw: Consistently name Error ** objects errp, and not err
  hw: Consistently name Error * objects err, and not errp
  machine: Remove QEMUMachine indirection from MachineClass
  machine: Replace QEMUMachine by MachineClass in accelerator configuration
  vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs
  machine: Copy QEMUMachine's fields to MachineClass
  machine: Remove obsoleted field from QEMUMachine
  qdev: Fix crash by validating the object type

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

s390x/css: Don't save orb in subchannel.

Current css code saves the operation request block (orb) in the
subchannel structure for later consumption by the start function
handler. This might make sense for asynchronous execution of the
start function (which qemu doesn't support), but not in our case;
it would even be wrong since orb contains a reference to a local
variable in the base ssch handler.

Let's just pass the orb through the start function call chain for
ssch; for rsch, we can pass NULL as the backend function does not
use any information passed via the orb there.

Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/helper: Added format control bit to MMU translation

With the EDAT-1 facility, the MMU translation can stop at the
segment table already, pointing to a 1 MB block. And while we're
at it, move the page table entry handling to a separate function,
too, as suggested by Alexander Graf.

Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

s390x/helper: Fixed real-to-absolute address translation

The real-to-absolute address translation in mmu_translate() was
missing the second part for translating the page at the prefix
address back to the 0 page. And while we're at it, also moved the
code into a separate helper function since this might come in
handy for other parts of the code, too.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-6' into staging

ohci live migration.
mtp bugfixes.

# gpg: Signature made Mon 05 May 2014 12:08:48 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-6:
  usb: mtp: reply INCOMPLETE_TRANSFER on read errors
  usb: mtp: fix possible buffer overflow
  usb: mtp: drop data-out hexdump
  usb: mtp: avoid empty description string
  usb: mtp: fix error path memory leak
  usb: mtp: fix serial (must be exact 32 chars)
  usb: mtp: fix version (is decimal not bcd)
  usb: mtp: fix usb_mtp_add_u64
  usb: mtp: replace debug printfs with trace points
  usb-ohci: Add vmstate descriptor

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-smbios-2' into staging

smbios: make qemu generate smbios tables.

# gpg: Signature made Mon 05 May 2014 12:20:27 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-smbios-2:
  SMBIOS: Build aggregate smbios tables and entry point
  SMBIOS: Use bitmaps to prevent incompatible comand line options
  SMBIOS: Use macro to set smbios defaults
  SMBIOS: Update header file definitions
  SMBIOS: Rename symbols to better reflect future use
  E820: Add interface for accessing e820 table
  pc: add 2.1 machine type

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/rth/tgt-axp' into staging

* remotes/rth/tgt-axp:
target-alpha: Fix RDUSP

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/riku/linux-user-for-upstream' into staging

* remotes/riku/linux-user-for-upstream:
  linux-user: fix getrusage and wait4 failures with invalid rusage struct
  linux-user/elfload.c: Support ARM HWCAP2 flags
  linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32
  linux-user/elfload.c: Update ARM HWCAP bits
  linux-user/elfload.c: Fix incorrect ARM HWCAP bits
  linux-user: remove configure option for setting uname release
  linux-user: move uname functions to uname.c
  linux-user: rename cpu-uname -> uname
  linux-user/signal.c: Set fault address in AArch64 signal info
  linux-user: avoid using glibc internals in _syscall5 and in definition of target_sigevent struct
  linux-user: Handle arches with llseek instead of _llseek
  linux-user: Add support for SCM_CREDENTIALS.
  linux-user: Move if-elses to a switch statement.
  linux-user: Assert stack used for auxvec, envp, argv
  linux-user: Add /proc/self/exe open forwarding

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

migration: expose xbzrle cache miss rate

expose xbzrle cache miss rate

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

migration: expose the bitmap_sync_count to the end

expose the count that logs the times of updating the dirty bitmap to
end user.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

migration: Add counts of updating the dirty bitmap

Add counts to log the times of updating the dirty bitmap.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

XBZRLE: Fix one XBZRLE corruption issues

The page may not be inserted into cache after executing save_xbzrle_page.
In case of failure to insert, the original page should be sent rather
than the page in the cache.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

migration: remove duplicate code

version_id is checked twice in the ram_load.

Signed-off-by: ChenLiang <chenliang88@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Coverity: Fix failure path for qemu_accept in migration

Coverity defects 1005733 & 1005734 complain about passing a negative
value to closesocket in the error paths on incoming migration.

Stash the error value and print it in the message (previously we gave
no indication of the reason for the failure)

Use error_report

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Init the XBZRLE.lock in ram_mig_init

Initialising the XBZRLE.lock earlier simplifies the lock use.

Based on Markus's patch in:
http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Provide init function for ram migration

Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff
to do with ram migration (currently in arch_init.c).

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Count used RAMBlock pages for migration_dirty_pages

This is a fix for a bug* triggered by a migration after hot unplugging
a few virtio-net NICs, that caused migration never to converge, because
'migration_dirty_pages' is incorrectly initialised.

'migration_dirty_pages' is used as a tally of the number of outstanding
dirty pages, to give the migration code an idea of how much more data
will need to be transferred, and thus whether it can end the iterative
phase.

It was initialised to the total size of the RAMBlock address space,
however hotunplug can leave this space sparse, and hence
migration_dirty_pages ended up too large.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(* https://bugzilla.redhat.com/show_bug.cgi?id=1074913 )

Signed-off-by: Juan Quintela <quintela@redhat.com>

Make qemu_peek_buffer loop until it gets it's data

Make qemu_peek_buffer repeatedly call fill_buffer until it gets
all the data it requires, or until there is an error.

  At the moment, qemu_peek_buffer will try one qemu_fill_buffer if there
  isn't enough data waiting, however the kernel is entitled to return
  just a few bytes, and still leave qemu_peek_buffer with less bytes
  than it needed.  I've seen this fail in a dev world, and I think it
  could theoretically fail in the peeking of the subsection headers in
  the current world.

Comment qemu_peek_byte to point out it's not guaranteed to work for
  non-continuous peeks

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: ChenLiang <chenliang0016@icloud.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Disallow outward migration while awaiting incoming migration

QEMU will assert if you attempt to start an outgoing migration on
a QEMU that's sitting waiting for an incoming migration (started
with -incoming), so disallow it with a proper error.

(This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1086987 )

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

savevm: Ignore minimum_version_id_old if there is no load_state_old

At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.

Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/

As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

zaurus: fix buffer overrun on invalid state load

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

tsc210x: fix buffer overrun on invalid state load

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

ssd0323: fix buffer overun on invalid state load

CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>

pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio: validate num_sg when mapping

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio: avoid buffer overrun on incoming migration

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>

vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to valide the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

pl022: fix buffer overun on invalid state load

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large

There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio: out-of-bounds buffer write on invalid state load

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

PortioList: Store PortioList in device state

PortioList is an abstraction used for construction of MemoryRegionPortioList
from MemoryRegionPortio. It can be used later to unmap created memory regions.
It also requires proper cleanup because some of the memory inside is allocated
dynamically.

By moving PortioList ot device state we make it possible to cleanup later and
avoid leaking memory.

This change spans several target platforms.  The following testcases cover all
changed lines:
  qemu-system-ppc -M prep
  qemu-system-i386 -vga qxl
  qemu-system-i386 -M isapc -soundhw adlib -device ib700,id=watchdog0,bus=isa.0

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

tests: Add EHCI qtest

Signed-off-by: Andreas Färber <afaerber@suse.de>

tests: Add ioh3420 qtest

Signed-off-by: Andreas Färber <afaerber@suse.de>

tests: Add intel-hda qtests

Test both the ich6 and the ich9 version (cf. q35 config) and all the
codecs.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

tests: Add es1370 qtest

Signed-off-by: Andreas Färber <afaerber@suse.de>

tests: Add ac97 qtest

Signed-off-by: Andreas Färber <afaerber@suse.de>

qtest: Be paranoid about accept() addrlen argument

POSIX specifies that address_len shall on output specify the length of
the stored address; it does not however specify whether it may get
updated on failure as well to, e.g., zero.

In case EINTR occurs, re-initialize the variable to the desired value.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qtest: Add error reporting to socket_accept()

We're not using the GLib infrastructure here, to allow cleaning up the
sockets. Still, knowing why a certain test run failed can be valuable.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qtest: Assure that init_socket()'s listen() does not fail

In practice this seems very unlikely, so cleanup is neglected, as done
for bind().

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

MAINTAINERS: Document QOM

Invented by Anthony. Maintained through my qom-next tree lately.

Cc: Anthony Liguori <aliguori@amazon.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>

arm: Clean up fragile use of error_is_set() in realize() methods

Using error_is_set(ERRP) to find out whether a function failed is
either wrong, fragile, or unnecessarily opaque.  It's wrong when ERRP
may be null, because errors go undetected when it is.  It's fragile
when proving ERRP non-null involves a non-local argument.  Else, it's
unnecessarily opaque (see commit 84d18f0).

I guess the error_is_set(errp) in the DeviceClass realize() methods
are merely fragile right now, because I can't find a call chain that
passes a null errp argument.

Make the code more robust and more obviously correct: receive the
error in a local variable, then propagate it through the parameter.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qom: Clean up fragile use of error_is_set() in set() methods

Using error_is_set(ERRP) to find out whether a function failed is
either wrong, fragile, or unnecessarily opaque.  It's wrong when ERRP
may be null, because errors go undetected when it is.  It's fragile
when proving ERRP non-null involves a non-local argument.  Else, it's
unnecessarily opaque (see commit 84d18f0).

I guess the error_is_set(errp) in the ObjectProperty set() methods are
merely fragile right now, because I can't find a call chain that
passes a null errp argument.

Make the code more robust and more obviously correct: receive the
error in a local variable, then propagate it through the parameter.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

hw: Consistently name Error ** objects errp, and not err

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

hw: Consistently name Error * objects err, and not errp

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

machine: Remove QEMUMachine indirection from MachineClass

No need to go through qemu_machine field. Use
MachineClass fields directly.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

machine: Replace QEMUMachine by MachineClass in accelerator configuration

This minimizes QEMUMachine usage, as part of machine QOM-ification.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

vl.c: Replace QEMUMachine with MachineClass in QEMUMachineInitArgs

QEMUMachine's fields are already in MachineClass. We can safely
make the switch because we copy them in machine_class_init() and
spapr_machine_class_init().

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

machine: Copy QEMUMachine's fields to MachineClass

In order to eliminate the QEMUMachine indirection,
add its fields directly to MachineClass.
Do not yet remove qemu_machine field because it is
still in use by sPAPR.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
[AF: Copied fields for sPAPR, too]
Signed-off-by: Andreas Färber <afaerber@suse.de>

machine: Remove obsoleted field from QEMUMachine

This field shouldn't be used any more since we
adopted the QOM way of iterating over the types.

The commit that obsoleted it is:
commit 261747f176f6f2d88f8268aaebfdd1a1afe887e2
    vl: Use MachineClass instead of global QEMUMachine list

    The machine registration flow is refactored to use the QOM functionality.
    Instead of linking the machines into a list, each machine has a type
    and the types can be traversed in the QOM way.

Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qdev: Fix crash by validating the object type

QEMU crashed when I try to list device parameters and the driver name is
actually an available bus name.

# qemu -device virtio-pci-bus,?
# qemu -device virtio-bus,?
# qemu -device virtio-serial-bus,?
qdev-monitor.c:212:qdev_device_help: Object 0x7fd932f50620 is not an
instance of type device
Aborted (core dumped)

We can also reproduce this bug by adding device from monitor, so it's
worth to fix the crash.

(qemu) device_add virtio-serial-bus
qdev-monitor.c:491:qdev_device_add: Object 0x7f5e89530920 is not an
instance of type device
Aborted (core dumped)

Cc: qemu-stable@nongnu.org
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

linux-user: fix getrusage and wait4 failures with invalid rusage struct

Implementations of system calls getrusage and wait4 have not previously
handled correctly cases when incorrect address of struct rusage is
passed.
This change makes sure return values are correctly set for these cases.

Signed-off-by: Petar Jovanovic <petar.jovanovic@imgtec.com>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>

virtio-net: out-of-bounds buffer write on invalid state load

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }

        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

virtio-net: fix buffer overflow on invalid state load

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

vmstate: add VMSTATE_VALIDATE

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

vmstate: add VMS_MUST_EXIST

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

vmstate: reduce code duplication

move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

SMBIOS: Build aggregate smbios tables and entry point

Build an aggregate set of smbios tables and an entry point structure.

Insert tables and entry point into fw_cfg respectively under
"etc/smbios/smbios-tables" and "etc/smbios/smbios-anchor".

Machine types <= 2.0 will for now continue using field-by-field
overrides to SeaBIOS defaults, but for machine types 2.1 and up we
expect the BIOS to look for and use the aggregate tables generated
by this patch.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
[ kraxel: fix 32bit build ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

usb: mtp: reply INCOMPLETE_TRANSFER on read errors

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: fix possible buffer overflow

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: drop data-out hexdump

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: avoid empty description string

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: fix error path memory leak

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: fix serial (must be exact 32 chars)

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: fix version (is decimal not bcd)

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: fix usb_mtp_add_u64

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb: mtp: replace debug printfs with trace points

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

usb-ohci: Add vmstate descriptor

This adds migration support for OHCI.

This defines a descriptor for OHCIState.
This changes some OHCIState field types to be migration compatible.
This adds a descriptor for OHCIPort.
This migrates the EOF timer if the USB was started at the time of
migration.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

SMBIOS: Use bitmaps to prevent incompatible comand line options

Replace existing smbios_check_collision() functionality with
a pair of bitmaps: have_binfile_bitmap and have_fields_bitmap.
Bits corresponding to each smbios type are set by smbios_entry_add(),
which also uses the bitmaps to ensure that binary blobs and field
values are never accepted for the same type.

These bitmaps will also be used in the future to decide whether
or not to build a full table for a given smbios type.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

SMBIOS: Use macro to set smbios defaults

The function smbios_set_defaults() uses a repeating code pattern
for each field. This patch replaces that pattern with a macro.

This patch contains no functional changes.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

SMBIOS: Update header file definitions

Add definitions for smbios entry point (anchor), and for type 2
(base board) structure which is required by some versions of OS X.

Remove definition for type 20 (memory device mapped address)
structure, which is no longer required as of smbios spec v2.5.

Update all other structure definitions to bring them into
compliance with smbios spec v2.8.

This patch contains no functional changes.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

SMBIOS: Rename symbols to better reflect future use

Rename the following symbols:

  - smbios_set_type1_defaults() to the more general smbios_set_defaults();
  - bool smbios_type1_defaults to the more general smbios_defaults;
  - smbios_get_table() to smbios_get_table_legacy();

This patch contains no functional changes.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

E820: Add interface for accessing e820 table

Add the following two functions:

- e820_get_num_entries() - query the size of the e820 table
- e820_get_entry() - grab an entry matching a given set of criteria

This interface is currently necessary for creating type 19
(memory array mapped address) structures in smbios.

Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

pc: add 2.1 machine type

At the moment, 2.1 and 2.0 machines are identical.
As several people are working on incompatible changes
to the PC machine, collaboration will be made easier
by merging this place-holder.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

target-alpha: Fix RDUSP

Commit 06ef8604e92964cbf30084b7d31091aa7cbbb62f contained a typo.

Signed-off-by: Richard Henderson <rth@twiddle.net>

linux-user/elfload.c: Support ARM HWCAP2 flags

The ARM kernel has chosen to spill into the HWCAP2 ELF feature bit flags
early, even though it hasn't yet exhausted all 32 bits of the HWCAP word.
Add support for setting this in the same way we do for HWCAP.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>