- Re-enable preadv/pwritev support (#545006)
- Fix buffer overflow in usb-linux.c (#546483)
This commit is contained in:
parent
549f978acd
commit
1201a69697
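--- /dev/null
+++ b/qemu-usb-linux-fix-buffer-overflow.patch
@@ -0,0 +1,79 @@
+From a7c87c869ac75a076fa5552f9604f73f710cff80 Mon Sep 17 00:00:00 2001
+From: Jim Paris <jim@jtan.com>
+Date: Mon, 24 Aug 2009 14:56:12 -0400
+Subject: [PATCH] usb-linux.c: fix buffer overflow
+
+In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and
+length to the kernel. However, the length was provided by the caller
+of dev->handle_packet, and is not checked, so the kernel might provide
+too much data and overflow our buffer.
+
+For example, hw/usb-uhci.c could set the length to 2047.
+hw/usb-ohci.c looks like it might go up to 4096 or 8192.
+
+This causes a qemu crash, as reported here:
+http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html
+
+This patch increases the usb-linux.c buffer size to 2048 to fix the
+specific device reported, and adds a check to avoid the overflow in
+any case.
+
+Signed-off-by: Jim Paris <jim@jtan.com>
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+The WLAN USB stick ZyXEL NWD271N (0586:3417) uses very large
+usb control transfers of more than 2048 bytes. Increasing the
+buffer size to 8192.
+
+Signed-off-by: Christian Krause <chkr@plauener.de>
+---
+usb-linux.c | 12 ++++++++++--
+1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/usb-linux.c b/usb-linux.c
+index f19f0c4..298f342 100644
+--- a/usb-linux.c
++++ b/usb-linux.c
+@@ -115,7 +115,7 @@ struct ctrl_struct {
+uint16_t offset;
+uint8_t state;
+struct usb_ctrlrequest req;
+- uint8_t buffer[1024];
++ uint8_t buffer[8192];
+};
+
+typedef struct USBHostDevice {
+@@ -552,6 +552,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+struct usbdevfs_urb *urb;
+AsyncURB *aurb;
+int ret, value, index;
++ int buffer_len;
+
+/*
+* Process certain standard device requests.
+@@ -580,6 +581,13 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+
+/* The rest are asynchronous */
+
++ buffer_len = 8 + s->ctrl.len;
++ if (buffer_len > sizeof(s->ctrl.buffer)) {
++ fprintf(stderr, "husb: ctrl buffer too small (%u > %lu)\n",
++ buffer_len, sizeof(s->ctrl.buffer));
++ return USB_RET_STALL;
++ }
++
+aurb = async_alloc();
+aurb->hdev = s;
+aurb->packet = p;
+@@ -596,7 +604,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+urb->endpoint = p->devep;
+
+urb->buffer = &s->ctrl.req;
+- urb->buffer_length = 8 + s->ctrl.len;
++ urb->buffer_length = buffer_len;
+
+urb->usercontext = s;
+
+--
+1.6.2.5
+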
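Review bot: The diagnostic added in the third hunk of the embedded patch passes an `int` to `%u` and a `size_t` to `%lu`; both specifiers are mismatched and `-Wformat` will warn, even though on LP64 Linux the widths coincide and the message prints correctly. The comparison `buffer_len > sizeof(s->ctrl.buffer)` also mixes a signed `int` with `size_t`; that is only safe if `s->ctrl.len` is an unsigned field narrower than `int`, and its declaration lies outside these hunks so it cannot be confirmed here. I would write `if ((size_t)buffer_len > sizeof(s->ctrl.buffer)) {` and `fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n",`, keeping `buffer_len` as `int` because it is copied straight into `urb->buffer_length`. The body of usb_host_handle_control continues outside the hunks on both sides, so whether the caller-supplied length is also bounded earlier in the function is not visible.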
10
qemu.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 0.11.0
|
Version: 0.11.0
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
# Epoch because we pushed a qemu-1.0 package
|
# Epoch because we pushed a qemu-1.0 package
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
@ -58,8 +58,8 @@ Patch11: qemu-properly-save-kvm-system-time-registers.patch
|
|||||||
# Fix dropped packets with non-virtio NICs (#531419)
|
# Fix dropped packets with non-virtio NICs (#531419)
|
||||||
Patch12: qemu-fix-dropped-packets-with-non-virtio-nics.patch
|
Patch12: qemu-fix-dropped-packets-with-non-virtio-nics.patch
|
||||||
|
|
||||||
# Temporarily disable preadv/pwritev support (#526549)
|
# Fix buffer overflow in usb-linux.c (#546483)
|
||||||
Patch13: qemu-disable-preadv-support.patch
|
Patch13: qemu-usb-linux-fix-buffer-overflow.patch
|
||||||
|
|
||||||
# Fix a use-after-free crasher in the slirp code (#539583)
|
# Fix a use-after-free crasher in the slirp code (#539583)
|
||||||
Patch14: qemu-slirp-use-after-free.patch
|
Patch14: qemu-slirp-use-after-free.patch
|
||||||
@ -550,6 +550,10 @@ fi
|
|||||||
%{_mandir}/man1/qemu-img.1*
|
%{_mandir}/man1/qemu-img.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 20 2009 Justin M. Forbes <jforbes@redhat.com> - 2:0.11.0-13
|
||||||
|
- Re-enable preadv/pwritev support (#545006)
|
||||||
|
- Fix buffer overflow in usb-linux.c (#546483)
|
||||||
|
|
||||||
* Fri Nov 20 2009 Mark McLoughlin <markmc@redhat.com> - 2:0.11.0-12
|
* Fri Nov 20 2009 Mark McLoughlin <markmc@redhat.com> - 2:0.11.0-12
|
||||||
- Fix a use-after-free crasher in the slirp code (#539583)
|
- Fix a use-after-free crasher in the slirp code (#539583)
|
||||||
- Fix overflow in the parallels image format support (#533573)
|
- Fix overflow in the parallels image format support (#533573)
|
||||||
|
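Review bot: The new %changelog entry in the last hunk is dated `Wed Jan 20 2009`, but 20 January 2009 was a Tuesday, and the entry is placed above the Nov 20 2009 entry for release 12 that it supersedes, so the year is almost certainly meant to be 2010, when 20 January fell on a Wednesday; rpmbuild warns about a bogus day-of-week and tools that parse changelog dates will see this release as older than the previous one. Suggested: `* Wed Jan 20 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.11.0-13`. Separately, the Patch13 slot now points at qemu-usb-linux-fix-buffer-overflow.patch instead of qemu-disable-preadv-support.patch, and this page does not show the old patch file being removed from the tree, which is worth confirming so an orphaned file is not left behind.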