Hello community,

here is the log from the commit of package qemu for openSUSE:Factory checked in at 2021-08-16 10:08:42

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qemu (Old)
 and      /work/SRC/openSUSE:Factory/.qemu.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "qemu"

Mon Aug 16 10:08:42 2021 rev:209 rq:911328 version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/qemu/qemu.changes	2021-07-29 21:31:05.304835758 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new.1899/qemu.changes	2021-08-16 10:13:16.718979341 +0200
@@ -1,0 +2,26 @@ +Tue Aug 10 19:32:50 UTC 2021 - Jos?? Ricardo Ziviani <jose.zivi...@suse.com> + +- usb: unbounded stack allocation in usbredir + (bsc#1186012, CVE-2021-3527) + hw-usb-Do-not-build-USB-subsystem-if-not.patch + hw-usb-host-stub-Remove-unused-header.patch + usb-hid-avoid-dynamic-stack-allocation.patch + usb-limit-combined-packets-to-1-MiB-CVE-.patch + usb-mtp-avoid-dynamic-stack-allocation.patch + +------------------------------------------------------------------- +Fri Aug 6 17:49:56 UTC 2021 - Jos?? Ricardo Ziviani <jose.zivi...@suse.com> + +- usbredir: free call on invalid pointer in bufp_alloc + (bsc#1189145, CVE-2021-3682) + usbredir-fix-free-call.patch + +------------------------------------------------------------------- +Tue Aug 3 20:39:25 UTC 2021 - Jos?? Ricardo Ziviani <jose.zivi...@suse.com> + +- Add stable patches from upstream: + block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch + hw-net-can-sja1000-fix-buff2frame_bas-an.patch + hw-pci-host-q35-Ignore-write-of-reserved.patch + +------------------------------------------------------------------- New: ---- block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch hw-net-can-sja1000-fix-buff2frame_bas-an.patch hw-pci-host-q35-Ignore-write-of-reserved.patch hw-usb-Do-not-build-USB-subsystem-if-not.patch hw-usb-host-stub-Remove-unused-header.patch usb-hid-avoid-dynamic-stack-allocation.patch usb-limit-combined-packets-to-1-MiB-CVE-.patch usb-mtp-avoid-dynamic-stack-allocation.patch usbredir-fix-free-call.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.eYLbyJ/_old 2021-08-16 10:13:18.510977238 +0200 +++ /var/tmp/diff_new_pack.eYLbyJ/_new 2021-08-16 10:13:18.514977234 +0200 
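Review bot: the Aug 10 entry lists five usb patches, but the spec diff in this same request also refreshes usb-redir-avoid-dynamic-stack-allocation.patch (moved from Patch00049 to Patch00094, References: line and index hash updated so it applies on top of usbredir-fix-free-call.patch); the changelog should mention that refresh so every patch touched by the request is accounted for. The author name in the three entry headers appears as "Jos??"; check that the changes file is UTF-8 clean ("José").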
@@ -181,48 +181,57 @@ Patch00046: hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch Patch00047: monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch Patch00048: vhost-user-blk-Fail-gracefully-on-too-la.patch -Patch00049: usb-redir-avoid-dynamic-stack-allocation.patch -Patch00050: virtiofsd-Fix-side-effect-in-assert.patch -Patch00051: sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch -Patch00052: virtio-blk-Fix-rollback-path-in-virtio_b.patch -Patch00053: hw-block-nvme-consider-metadata-read-aio.patch -Patch00054: vhost-user-blk-Make-sure-to-set-Error-on.patch -Patch00055: vhost-user-blk-Don-t-reconnect-during-in.patch -Patch00056: vhost-user-blk-Get-more-feature-flags-fr.patch -Patch00057: virtio-Fail-if-iommu_platform-is-request.patch -Patch00058: vhost-user-blk-Check-that-num-queues-is-.patch -Patch00059: vfio-ccw-Permit-missing-IRQs.patch -Patch00060: vhost-user-gpu-fix-memory-disclosure-in-.patch -Patch00061: vhost-user-gpu-fix-resource-leak-in-vg_r.patch -Patch00062: vhost-user-gpu-fix-memory-leak-in-vg_res.patch -Patch00063: vhost-user-gpu-fix-memory-leak-while-cal.patch -Patch00064: vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch -Patch00065: vhost-user-gpu-fix-leak-in-virgl_resourc.patch -Patch00066: vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch -Patch00067: vhost-user-gpu-abstract-vg_cleanup_mappi.patch -Patch00068: target-sh4-Return-error-if-CPUClass-get_.patch -Patch00069: tcg-arm-Fix-tcg_out_op-function-signatur.patch -Patch00070: x86-acpi-use-offset-instead-of-pointer-w.patch -Patch00071: linux-user-aarch64-Enable-hwcap-for-RND-.patch -Patch00072: target-i386-Exit-tb-after-wrmsr.patch -Patch00073: vl-allow-not-specifying-size-in-m-when-u.patch -Patch00074: qemu-config-load-modules-when-instantiat.patch -Patch00075: hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch -Patch00076: qemu-config-parse-configuration-files-to.patch -Patch00077: vl-plumb-keyval-based-options-into-readc.patch -Patch00078: vl-plug-object-back-into-readconfig.patch -Patch00079: 
vhost-vdpa-don-t-initialize-backend_feat.patch -Patch00080: vl-Fix-an-assert-failure-in-error-path.patch -Patch00081: qemu-config-use-qemu_opts_from_qdict.patch -Patch00082: runstate-Initialize-Error-to-NULL.patch -Patch00083: tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch -Patch00084: tcg-Allocate-sufficient-storage-in-temp_.patch -Patch00085: hw-block-nvme-align-with-existing-style.patch -Patch00086: hw-nvme-fix-missing-check-for-PMR-capabi.patch -Patch00087: hw-nvme-fix-pin-based-interrupt-behavior.patch -Patch00088: hw-rdma-Fix-possible-mremap-overflow-in-.patch -Patch00089: pvrdma-Ensure-correct-input-on-ring-init.patch -Patch00090: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch +Patch00049: virtiofsd-Fix-side-effect-in-assert.patch +Patch00050: sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch +Patch00051: virtio-blk-Fix-rollback-path-in-virtio_b.patch +Patch00052: hw-block-nvme-consider-metadata-read-aio.patch +Patch00053: vhost-user-blk-Make-sure-to-set-Error-on.patch +Patch00054: vhost-user-blk-Don-t-reconnect-during-in.patch +Patch00055: vhost-user-blk-Get-more-feature-flags-fr.patch +Patch00056: virtio-Fail-if-iommu_platform-is-request.patch +Patch00057: vhost-user-blk-Check-that-num-queues-is-.patch +Patch00058: vfio-ccw-Permit-missing-IRQs.patch +Patch00059: vhost-user-gpu-fix-memory-disclosure-in-.patch +Patch00060: vhost-user-gpu-fix-resource-leak-in-vg_r.patch +Patch00061: vhost-user-gpu-fix-memory-leak-in-vg_res.patch +Patch00062: vhost-user-gpu-fix-memory-leak-while-cal.patch +Patch00063: vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch +Patch00064: vhost-user-gpu-fix-leak-in-virgl_resourc.patch +Patch00065: vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch +Patch00066: vhost-user-gpu-abstract-vg_cleanup_mappi.patch +Patch00067: target-sh4-Return-error-if-CPUClass-get_.patch +Patch00068: tcg-arm-Fix-tcg_out_op-function-signatur.patch +Patch00069: x86-acpi-use-offset-instead-of-pointer-w.patch +Patch00070: linux-user-aarch64-Enable-hwcap-for-RND-.patch 
+Patch00071: target-i386-Exit-tb-after-wrmsr.patch +Patch00072: vl-allow-not-specifying-size-in-m-when-u.patch +Patch00073: qemu-config-load-modules-when-instantiat.patch +Patch00074: hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch +Patch00075: qemu-config-parse-configuration-files-to.patch +Patch00076: vl-plumb-keyval-based-options-into-readc.patch +Patch00077: vl-plug-object-back-into-readconfig.patch +Patch00078: vhost-vdpa-don-t-initialize-backend_feat.patch +Patch00079: vl-Fix-an-assert-failure-in-error-path.patch +Patch00080: qemu-config-use-qemu_opts_from_qdict.patch +Patch00081: runstate-Initialize-Error-to-NULL.patch +Patch00082: tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch +Patch00083: tcg-Allocate-sufficient-storage-in-temp_.patch +Patch00084: hw-block-nvme-align-with-existing-style.patch +Patch00085: hw-nvme-fix-missing-check-for-PMR-capabi.patch +Patch00086: hw-nvme-fix-pin-based-interrupt-behavior.patch +Patch00087: hw-rdma-Fix-possible-mremap-overflow-in-.patch +Patch00088: pvrdma-Ensure-correct-input-on-ring-init.patch +Patch00089: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch +Patch00090: hw-pci-host-q35-Ignore-write-of-reserved.patch +Patch00091: block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch +Patch00092: hw-net-can-sja1000-fix-buff2frame_bas-an.patch +Patch00093: usbredir-fix-free-call.patch +Patch00094: usb-redir-avoid-dynamic-stack-allocation.patch +Patch00095: usb-limit-combined-packets-to-1-MiB-CVE-.patch +Patch00096: hw-usb-host-stub-Remove-unused-header.patch +Patch00097: hw-usb-Do-not-build-USB-subsystem-if-not.patch +Patch00098: usb-hid-avoid-dynamic-stack-allocation.patch +Patch00099: usb-mtp-avoid-dynamic-stack-allocation.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch 
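Review bot: removing Patch00049 and renumbering Patch00050..Patch00090 down by one only to re-add the same file as Patch00094 turns a ten-patch addition into a 48-line hunk and silently changes which file every %patch000NN macro refers to. The reorder itself is justified, because usb-redir-avoid-dynamic-stack-allocation.patch now applies after usbredir-fix-free-call.patch (its index line is rebased from 17f06f34179a to af1721a39113 further down), but that reason should be in the changelog, and keeping existing numbers stable (append-only) would keep future backports reviewable as plain additions.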
@@ -1159,6 +1168,15 @@ %patch00088 -p1 %patch00089 -p1 %patch00090 -p1 +%patch00091 -p1 +%patch00092 -p1 +%patch00093 -p1 +%patch00094 -p1 +%patch00095 -p1 +%patch00096 -p1 +%patch00097 -p1 +%patch00098 -p1 +%patch00099 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 ++++++ block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch ++++++ 
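Review bot: the nine added %patch00091..%patch00099 -p1 lines match the nine new Patch00091..Patch00099 declarations above, which is consistent; note however that the unchanged %patch00049..%patch00090 lines in this section now apply different files than before the renumbering, so the build log for this submission should be checked for every patch still applying cleanly in the new order.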
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <phi...@redhat.com>
Date: Fri, 23 Jul 2021 21:58:43 +0200
Subject: block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 15a730e7a3aaac180df72cd5730e0617bcf44a5a

When the NVMe block driver was introduced (see commit bdd6a90a9e5,
January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
-ENOMEM in case of error. The driver was correctly handling the
error path to recycle its volatile IOVA mappings.

To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
DMA mappings per container", April 2019) added the -ENOSPC error to
signal the user exhausted the DMA mappings available for a container.

The block driver started to mis-behave:

  qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
  (qemu)
  (qemu) info status
  VM status: paused (io-error)
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device

(The VM is not resumable from here, hence stuck.)

Fix by handling the new -ENOSPC error (when DMA mappings are
exhausted) without any distinction to the current -ENOMEM error,
so we don't change the behavior on old kernels where the
CVE-2019-3882 fix is not present.

An easy way to reproduce this bug is to restrict the DMA mapping
limit (65535 by default) when loading the VFIO IOMMU module:

  # modprobe vfio_iommu_type1 dma_entry_limit=666

Cc: qemu-sta...@nongnu.org
Cc: Fam Zheng <f...@euphon.net>
Cc: Maxim Levitsky <mlevi...@redhat.com>
Cc: Alex Williamson <alex.william...@redhat.com>
Reported-by: Michal Prívozník <mpriv...@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
Message-id: 20210723195843.1032825-1-phi...@redhat.com
Fixes: bdd6a90a9e5 ("block: Add VFIO based NVMe driver")
Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
Signed-off-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- block/nvme.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/block/nvme.c b/block/nvme.c index 2b5421e7aa6e0a3bfaf403203c9b..e8dbbc23177d8e89d67349fc15a8 100644 --- a/block/nvme.c +++ b/block/nvme.c @@ -1030,7 +1030,29 @@ try_map: r = qemu_vfio_dma_map(s->vfio, qiov->iov[i].iov_base, len, true, &iova); + if (r == -ENOSPC) { + /* + * In addition to the -ENOMEM error, the VFIO_IOMMU_MAP_DMA + * ioctl returns -ENOSPC to signal the user exhausted the DMA + * mappings available for a container since Linux kernel commit + * 492855939bdb ("vfio/type1: Limit DMA mappings per container", + * April 2019, see CVE-2019-3882). + * + * This block driver already handles this error path by checking + * for the -ENOMEM error, so we directly replace -ENOSPC by + * -ENOMEM. Beside, -ENOSPC has a specific meaning for blockdev + * coroutines: it triggers BLOCKDEV_ON_ERROR_ENOSPC and + * BLOCK_ERROR_ACTION_STOP which stops the VM, asking the operator + * to add more storage to the blockdev. Not something we can do + * easily with an IOMMU :) + */ + r = -ENOMEM; + } if (r == -ENOMEM && retry) { + /* + * We exhausted the DMA mappings available for our container: + * recycle the volatile IOVA mappings. + */ retry = false; trace_nvme_dma_flush_queue_wait(s); if (s->dma_map_count) { ++++++ bundles.tar.xz ++++++ Binary files old/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle and new/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle differ ++++++ hw-net-can-sja1000-fix-buff2frame_bas-an.patch ++++++ 
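Review bot: rewriting r from -ENOSPC to -ENOMEM before the `if (r == -ENOMEM && retry)` check also changes what the caller sees when the retry has already been spent (retry == false): an exhausted container is then reported as -ENOMEM instead of -ENOSPC, so the blockdev ENOSPC stop policy the comment describes can no longer fire on this path at all. That appears to be the intent, but the commit message only talks about the retry case and should state the post-retry error change too. Separately, the 15-line in-function comment carries kernel-commit and CVE history that belongs in the commit message; a one-line `/* -ENOSPC: DMA mappings exhausted, handle like -ENOMEM */` above `r = -ENOMEM;` would keep the code readable.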
From: Pavel Pisa <p...@cmp.felk.cvut.cz> Date: Thu, 29 Jul 2021 14:33:27 +0200 Subject: hw/net/can: sja1000 fix buff2frame_bas and buff2frame_pel when dlc is out of std CAN 8 bytes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 11744862f27b9ba6488a247d2fd6bb83d9bc3c8d Problem reported by openEuler fuzz-sig group. The buff2frame_bas function (hw\net\can\can_sja1000.c) infoleak(qemu5.x~qemu6.x) or stack-overflow(qemu 4.x). Reported-by: Qiang Ning <ningqia...@huawei.com> Cc: qemu-sta...@nongnu.org Reviewed-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Signed-off-by: Pavel Pisa <p...@cmp.felk.cvut.cz> Signed-off-by: Jason Wang <jasow...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/net/can/can_sja1000.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c index 42d2f99dfb1d3cd3fa26f56ccb8d..34eea684ced278738bdb26327100 100644 --- a/hw/net/can/can_sja1000.c +++ b/hw/net/can/can_sja1000.c @@ -275,6 +275,10 @@ static void buff2frame_pel(const uint8_t *buff, qemu_can_frame *frame) } frame->can_dlc = buff[0] & 0x0f; + if (frame->can_dlc > 8) { + frame->can_dlc = 8; + } + if (buff[0] & 0x80) { /* Extended */ frame->can_id |= QEMU_CAN_EFF_FLAG; frame->can_id |= buff[1] << 21; /* ID.28~ID.21 */ @@ -311,6 +315,10 @@ static void buff2frame_bas(const uint8_t *buff, qemu_can_frame *frame) } frame->can_dlc = buff[1] & 0x0f; + if (frame->can_dlc > 8) { + frame->can_dlc = 8; + } + for (i = 0; i < frame->can_dlc; i++) { frame->data[i] = buff[2 + i]; } ++++++ hw-pci-host-q35-Ignore-write-of-reserved.patch ++++++ 
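Review bot: both hunks clamp a guest-supplied dlc of 9..15 down to 8 without any diagnostic, so a fuzzer finding or a misbehaving guest driver becomes invisible. The q35 patch in this same update logs a reserved value with qemu_log_mask(LOG_GUEST_ERROR, ...); the same one-liner here, before the assignment, would make the out-of-range dlc visible without changing the fix. The clamp itself is the right bound for the copy loop in buff2frame_bas (`frame->data[i] = buff[2 + i]` for i < can_dlc could otherwise read past the eight data bytes following the descriptor), and applying it in buff2frame_pel as well closes the same loop there.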
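As an added example (not QEMU's code and not part of this patch series), here is a stand-alone decoder for the SJA1000 BasicCAN buffer layout that buff2frame_bas parses, carrying the dlc clamp the hunk above introduces plus an explicit buffer-length guard, and a helper that quantifies the over-read the unclamped loop would have performed. The CanFrame struct, the CAN_RTR_FLAG value, the descriptor bit layout and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Classic CAN carries at most 8 data bytes; the patch clamps dlc to this. */
#define CAN_MAX_DLC 8u
/* SJA1000 BasicCAN TX buffer: 2 descriptor bytes followed by up to 8 data bytes. */
#define SJA1000_BAS_BUFF_LEN 10u
/* Marker for a remote frame; the value is assumed for this example. */
#define CAN_RTR_FLAG 0x40000000u

/* Stand-in for qemu_can_frame with only the fields this example needs. */
typedef struct {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  data[CAN_MAX_DLC];
} CanFrame;

/*
 * Bytes the pre-fix copy loop (data[i] = buff[2 + i] for i < dlc) would read
 * beyond a buffer of buff_len bytes for a given descriptor byte 1.  Zero means
 * the dlc is in range; a positive value is the size of the over-read that the
 * clamp prevents (up to 7 bytes for dlc = 15 on a 10-byte buffer).
 */
size_t sja1000_bas_overread(uint8_t desc1, size_t buff_len)
{
    size_t dlc = desc1 & 0x0f;
    size_t needed = 2 + dlc;
    return needed > buff_len ? needed - buff_len : 0;
}

/*
 * Decode a BasicCAN descriptor + data buffer the way buff2frame_bas does after
 * the fix: dlc is a 4-bit field (0..15) but only 0..8 data bytes exist, so a
 * larger value is clamped instead of driving the copy loop past the buffer.
 * Returns false when the caller passes fewer than the 2 descriptor bytes.
 */
bool sja1000_bas_buff2frame(const uint8_t *buff, size_t buff_len, CanFrame *frame)
{
    if (buff == NULL || frame == NULL || buff_len < 2) {
        return false;
    }
    memset(frame, 0, sizeof(*frame));

    /* Descriptor layout (assumed): ID.10..ID.3 in byte 0; ID.2..ID.0 in
     * bits 7..5, RTR in bit 4 and DLC in bits 3..0 of byte 1. */
    if (buff[1] & 0x10) {
        frame->can_id = CAN_RTR_FLAG;
    }
    frame->can_id |= (uint32_t)buff[0] << 3;
    frame->can_id |= buff[1] >> 5;
    frame->can_dlc = buff[1] & 0x0f;

    /* The clamp added by the patch. */
    if (frame->can_dlc > CAN_MAX_DLC) {
        frame->can_dlc = CAN_MAX_DLC;
    }

    /* Extra guard for callers handing in a short buffer: copy only what exists. */
    size_t avail = buff_len - 2;
    size_t n = frame->can_dlc < avail ? frame->can_dlc : avail;
    memcpy(frame->data, buff + 2, n);
    return true;
}

int main(void)
{
    /* Constructed guest TX buffer: ID 0x155, RTR set, dlc field = 15. */
    const uint8_t buff[SJA1000_BAS_BUFF_LEN] = {
        0x2A, 0xBF, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
    };
    CanFrame frame;

    if (!sja1000_bas_buff2frame(buff, sizeof buff, &frame)) {
        return 1;
    }
    /* Over-read the old loop would have done here: 2 + 15 - 10 = 7 bytes. */
    return (sja1000_bas_overread(buff[1], sizeof buff) == 7 && frame.can_dlc == 8) ? 0 : 1;
}
```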
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4...@amsat.org>
Date: Wed, 26 May 2021 16:24:38 +0200
Subject: hw/pci-host/q35: Ignore write of reserved PCIEXBAR LENGTH field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 9b0ca75e0196a72523232063db1e07ae36a5077a

libFuzzer triggered the following assertion:

  cat << EOF | qemu-system-i386 -M pc-q35-5.0 \
    -nographic -monitor none -serial none \
    -qtest stdio -d guest_errors -trace pci\*
  outl 0xcf8 0xf2000060
  outl 0xcfc 0x8400056e
  EOF
  pci_cfg_write mch 00:0 @0x60 <- 0x8400056e
  Aborted (core dumped)

This is because guest wrote MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD
(reserved value) to the PCIE XBAR register. There is no indication
on the datasheet about what occurs when this value is written.
Simply ignore it on QEMU (and report a guest error):

  pci_cfg_write mch 00:0 @0x60 <- 0x8400056e
  Q35: Reserved PCIEXBAR LENGTH
  pci_cfg_read mch 00:0 @0x0 -> 0x8086
  pci_cfg_read mch 00:0 @0x0 -> 0x29c08086
  ...

Cc: qemu-sta...@nongnu.org
Reported-by: Alexander Bulekov <alx...@bu.edu>
BugLink: https://bugs.launchpad.net/qemu/+bug/1878641
Fixes: df2d8b3ed4 ("q35: Introduce q35 pc based chipset emulator")
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4...@amsat.org>
Message-Id: <20210526142438.281477-1-f4...@amsat.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Reviewed-by: Alexander Bulekov <alx...@bu.edu>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Jose R. Ziviani <jzivi...@suse.de>
---
 hw/pci-host/q35.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 2eb729dff5854aff586d9ac813f9..0f37cf056a9af4081f2350400ab2 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -29,6 +29,7 @@ */ #include "qemu/osdep.h" +#include "qemu/log.h" #include "hw/i386/pc.h" #include "hw/pci-host/q35.h" #include "hw/qdev-properties.h" @@ -318,6 +319,8 @@ static void mch_update_pciexbar(MCHPCIState *mch) addr_mask |= MCH_HOST_BRIDGE_PCIEXBAR_64ADMSK; break; case MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD: + qemu_log_mask(LOG_GUEST_ERROR, "Q35: Reserved PCIEXBAR LENGTH\n"); + return; default: abort(); } ++++++ hw-usb-Do-not-build-USB-subsystem-if-not.patch ++++++ From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4...@amsat.org> Date: Sun, 25 Apr 2021 00:41:10 +0200 Subject: hw/usb: Do not build USB subsystem if not required MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 9c3c834bdda5ca6d58c0e61508737683d12968b5 References: bsc#1186012, CVE-2021-3527 If the Kconfig 'USB' value is not selected, it is pointless to build the USB core components. Add a stub for the HMP commands and usbdevice_create() which is called by usb_device_add in softmmu/vl.c. Signed-off-by: Philippe Mathieu-Daud?? <f4...@amsat.org> Reviewed-by: Richard Henderson <richard.hender...@linaro.org> Message-Id: <20210424224110.3442424-3-f4...@amsat.org> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- MAINTAINERS | 1 + hw/usb/meson.build | 9 +++------ stubs/meson.build | 1 + stubs/usb-dev-stub.c | 25 +++++++++++++++++++++++++ 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 36055f14c594947b5ee9f2c3ff19..cd63d3efd8b1c8c7532c4f778f29 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1804,6 +1804,7 @@ USB M: Gerd Hoffmann <kra...@redhat.com> S: Maintained F: hw/usb/* +F: stubs/usb-dev-stub.c F: tests/qtest/usb-*-test.c F: docs/usb2.txt F: docs/usb-storage.txt diff --git a/hw/usb/meson.build b/hw/usb/meson.build index fb7a74e73ae843480fc121e07816..f357270d0b6bf5d810a5e49681a5 100644 --- a/hw/usb/meson.build +++ b/hw/usb/meson.build 
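Review bot: in the q35.c hunk the early `return` on MCH_HOST_BRIDGE_PCIEXBAR_LENGTH_RVD leaves mch_update_pciexbar before whatever follows the switch runs, while the reserved value has already landed in config space (the trace in the message shows the write at @0x60 and later reads proceeding normally). That matches the stated "ignore" semantics, but a one-line comment above the return saying that the previous PCIEXBAR mapping is deliberately kept would spare the next reader the question, and logging the offending value (`"Q35: Reserved PCIEXBAR LENGTH (0x%x)\n"`) would make the LOG_GUEST_ERROR line actionable when triaging guest reports.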
@@ -1,17 +1,14 @@ hw_usb_modules = {} # usb subsystem core -softmmu_ss.add(files( +softmmu_ss.add(when: 'CONFIG_USB', if_true: files( 'bus.c', 'combined-packet.c', 'core.c', - 'pcap.c', - 'libhw.c' -)) - -softmmu_ss.add(when: 'CONFIG_USB', if_true: files( 'desc.c', 'desc-msos.c', + 'libhw.c', + 'pcap.c', )) # usb host adapters diff --git a/stubs/meson.build b/stubs/meson.build index 5555b69103baba363483e047af06..f3f979c3fe828984f045fc572d21 100644 --- a/stubs/meson.build +++ b/stubs/meson.build @@ -51,6 +51,7 @@ if have_block endif if have_system stub_ss.add(files('semihost.c')) + stub_ss.add(files('usb-dev-stub.c')) stub_ss.add(files('xen-hw-stub.c')) else stub_ss.add(files('qdev.c')) diff --git a/stubs/usb-dev-stub.c b/stubs/usb-dev-stub.c new file mode 100644 index 0000000000000000000000000000000000000000..b1adeeb4548d2aa4f4c8c9eae967578c5da18efc --- /dev/null +++ b/stubs/usb-dev-stub.c @@ -0,0 +1,25 @@ +/* + * QEMU USB device emulation stubs + * + * Copyright (C) 2021 Philippe Mathieu-Daud?? <f4...@amsat.org> + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "qemu/error-report.h" +#include "sysemu/sysemu.h" +#include "monitor/monitor.h" +#include "hw/usb.h" + +USBDevice *usbdevice_create(const char *driver) +{ + error_report("Support for USB devices not built-in"); + + return NULL; +} + +void hmp_info_usb(Monitor *mon, const QDict *qdict) +{ + monitor_printf(mon, "Support for USB devices not built-in\n"); +} ++++++ hw-usb-host-stub-Remove-unused-header.patch ++++++ From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4...@amsat.org> Date: Sun, 25 Apr 2021 00:41:09 +0200 Subject: hw/usb/host-stub: Remove unused header MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 1081607bfab94a0b6149c4a2195737107aed265f References: bsc#1186012, CVE-2021-3527 
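Review bot: in the new stubs/usb-dev-stub.c, usbdevice_create() discards its `driver` argument, so a user whose -usbdevice option hits the stub is told only that USB is not built in, not which device they asked for; `error_report("Support for USB devices not built-in (requested %s)", driver)` costs nothing. Both stub signatures (usbdevice_create and hmp_info_usb) have to match the declarations the real hw/usb/ build uses, and nothing in this patch ties them together, so a CONFIG_USB=n build of the affected targets is the only check that they stay in sync. The meson.build reordering that moves libhw.c and pcap.c under CONFIG_USB is consistent with the stubs/meson.build addition.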
Signed-off-by: Philippe Mathieu-Daud?? <f4...@amsat.org> Reviewed-by: Richard Henderson <richard.hender...@linaro.org> Message-Id: <20210424224110.3442424-2-f4...@amsat.org> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/usb/host-stub.c | 1 - 1 file changed, 1 deletion(-) diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c index 538ed29684cb7d3ed15df7a7b298..80809ceba54221818bd937ff01b6 100644 --- a/hw/usb/host-stub.c +++ b/hw/usb/host-stub.c @@ -31,7 +31,6 @@ */ #include "qemu/osdep.h" -#include "ui/console.h" #include "hw/usb.h" #include "monitor/monitor.h" ++++++ usb-hid-avoid-dynamic-stack-allocation.patch ++++++ From: Gerd Hoffmann <kra...@redhat.com> Date: Mon, 3 May 2021 15:29:11 +0200 Subject: usb/hid: avoid dynamic stack allocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03 References: bsc#1186012, CVE-2021-3527 Use autofree heap allocation instead. Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Reviewed-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Tested-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Message-Id: <20210503132915.2335822-2-kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/usb/dev-hid.c | 2 +- hw/usb/dev-wacom.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c index fc39bab79f94b0a0d06c23fc650d..1c7ae97c3033442dba820db492bd 100644 --- a/hw/usb/dev-hid.c +++ b/hw/usb/dev-hid.c @@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) { USBHIDState *us = USB_HID(dev); HIDState *hs = &us->hid; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c index b595048635090242b5e771a11436..ed687bc9f1eb1b20b7e8ab0db35a 100644 --- a/hw/usb/dev-wacom.c +++ b/hw/usb/dev-wacom.c 
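Review bot: the dev-hid.c hunk replaces the stack VLA with `g_malloc(p->iov.size)` but leaves the size itself unbounded, so a large packet now exhausts the heap rather than the stack; the bound only arrives with the separate usb-limit-combined-packets-to-1-MiB-CVE-.patch in this same update, which is why the two must ship together, as the spec ordering here does. A short note in the commit message pointing at that limit would make the dependency explicit for anyone backporting only this patch.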
@@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) { USBWacomState *s = (USBWacomState *) dev; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { ++++++ usb-limit-combined-packets-to-1-MiB-CVE-.patch ++++++ From: Gerd Hoffmann <kra...@redhat.com> Date: Mon, 3 May 2021 15:29:15 +0200 Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527) Git-commit: 05a40b172e4d691371534828078be47e7fff524c References: bsc#1186012, CVE-2021-3527 usb-host and usb-redirect try to batch bulk transfers by combining many small usb packets into a single, large transfer request, to reduce the overhead and improve performance. This patch adds a size limit of 1 MiB for those combined packets to restrict the host resources the guest can bind that way. Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Message-Id: <20210503132915.2335822-6-kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/usb/combined-packet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c index 5d57e883dcb515c9b8acc58d97b4..e56802f89a32f44bc94f3b3dbda2 100644 --- a/hw/usb/combined-packet.c +++ b/hw/usb/combined-packet.c @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || next == NULL || /* Work around for Linux usbfs bulk splitting + migration */ - (totalsize == (16 * KiB - 36) && p->int_req)) { + (totalsize == (16 * KiB - 36) && p->int_req) || + /* Next package may grow combined package over 1MiB */ + totalsize > 1 * MiB - ep->max_packet_size) { usb_device_handle_data(ep->dev, first); assert(first->status == USB_RET_ASYNC); if (first->combined) { ++++++ usb-mtp-avoid-dynamic-stack-allocation.patch ++++++ 
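Review bot: in the combined-packet.c hunk, `totalsize > 1 * MiB - ep->max_packet_size` flushes once the running total comes within one max_packet_size of 1 MiB, but the check runs after `p` has been counted and the loop only requires each iov.size to be a multiple of max_packet_size, so a single large packet can still carry the combined transfer past 1 MiB by up to its own size. That is a bound rather than a hard 1 MiB ceiling, which is fine for the stated goal of limiting host resources, but the comment "Next package may grow combined package over 1MiB" should say so (and read "packet", not "package"). The dev-wacom.c hunk has the same unbounded-size dependency on this limit as dev-hid.c.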
From: Gerd Hoffmann <kra...@redhat.com> Date: Mon, 3 May 2021 15:29:13 +0200 Subject: usb/mtp: avoid dynamic stack allocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 06aa50c06c6392084244f8169d34b8e2d9c43ef2 References: bsc#1186012, CVE-2021-3527 Use autofree heap allocation instead. Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Reviewed-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Tested-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Message-Id: <20210503132915.2335822-4-kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/usb/dev-mtp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index bbb827434482d3b191df857d6fa0..2a895a73b083315d617e73a12cbd 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c, MTPObject *o) { MTPData *d = usb_mtp_data_alloc(c); - uint32_t i = 0, handles[o->nchildren]; + uint32_t i = 0; + g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren); MTPObject *iter; trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path); ++++++ usb-redir-avoid-dynamic-stack-allocation.patch ++++++ --- /var/tmp/diff_new_pack.eYLbyJ/_old 2021-08-16 10:13:19.174976459 +0200 +++ /var/tmp/diff_new_pack.eYLbyJ/_new 2021-08-16 10:13:19.178976455 +0200 @@ -6,7 +6,7 @@ Content-Transfer-Encoding: 8bit Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 -References: CVE-2021-3527 +References: bsc#1186012, CVE-2021-3527 Use autofree heap allocation instead. @@ -21,7 +21,7 @@ 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index 17f06f34179a257e3fd2b354164e..6a75b0dc4ab295a70b4c507c9821 100644 +index af1721a391139818ec9007c16f55..e6474dc543faa707de4d6b2ab03f 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c 
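Review bot: in the dev-mtp.c hunk, `g_new(uint32_t, o->nchildren)` returns NULL when nchildren is 0, whereas the old zero-length VLA gave a (non-dereferenceable) stack address; the iteration over `handles` is harmless either way, but it is worth confirming that nothing downstream passes `handles` to a routine that rejects NULL before a child has been counted. The refreshed usb-redir-avoid-dynamic-stack-allocation.patch changes only its References: line and the rebased index hash, consistent with it now applying after usbredir-fix-free-call.patch.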
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, ++++++ usbredir-fix-free-call.patch ++++++ From: Gerd Hoffmann <kra...@redhat.com> Date: Thu, 22 Jul 2021 09:27:56 +0200 Subject: usbredir: fix free call MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 References: bsc#1189145 CVE-2021-3682 data might point into the middle of a larger buffer, there is a separate free_on_destroy pointer passed into bufp_alloc() to handle that. It is only used in the normal workflow though, not when dropping packets due to the queue being full. Fix that. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Reviewed-by: Marc-Andr?? Lureau <marcandre.lur...@redhat.com> Message-Id: <20210722072756.647673-1-kra...@redhat.com> Signed-off-by: Jose R. Ziviani <jzivi...@suse.de> --- hw/usb/redirect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 17f06f34179a257e3fd2b354164e..af1721a391139818ec9007c16f55 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { if (dev->endpoint[EP2I(ep)].bufpq_size > dev->endpoint[EP2I(ep)].bufpq_target_size) { - free(data); + free(free_on_destroy); return -1; } dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
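Review bot: `free(free_on_destroy)` is the right call on the drop path; as the message says, `data` may point into the middle of a larger allocation, so freeing it directly was an invalid free (CVE-2021-3682), and this was the one path in bufp_alloc that did not use free_on_destroy. Since free(NULL) is a no-op, callers that pass free_on_destroy == NULL for non-owned data are safe too. A one-line comment at the call site noting that `data` may be an interior pointer into free_on_destroy would stop the same shortcut from being reintroduced.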