rpms/qemu/F-12 qemu-usb-linux-fix-buffer-overflow.patch, NONE, 1.1 qemu.spec, 1.149, 1.150

Justin M. Forbes jforbes at fedoraproject.org
Wed Jan 20 21:50:36 UTC 2010


Author: jforbes

Update of /cvs/pkgs/rpms/qemu/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30667

Modified Files:
	qemu.spec 
Added Files:
	qemu-usb-linux-fix-buffer-overflow.patch 
Log Message:
- Re-enable preadv/pwritev support (#545006)
- Fix buffer overflow in usb-linux.c (#546483)


qemu-usb-linux-fix-buffer-overflow.patch:
 usb-linux.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- NEW FILE qemu-usb-linux-fix-buffer-overflow.patch ---
>From a7c87c869ac75a076fa5552f9604f73f710cff80 Mon Sep 17 00:00:00 2001
From: Jim Paris <jim at jtan.com>
Date: Mon, 24 Aug 2009 14:56:12 -0400
Subject: [PATCH] usb-linux.c: fix buffer overflow

In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and
length to the kernel.  However, the length was provided by the caller
of dev->handle_packet, and is not checked, so the kernel might provide
too much data and overflow our buffer.

For example, hw/usb-uhci.c could set the length to 2047.
hw/usb-ohci.c looks like it might go up to 4096 or 8192.

This causes a qemu crash, as reported here:
  http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html

This patch increases the usb-linux.c buffer size to 2048 to fix the
specific device reported, and adds a check to avoid the overflow in
any case.

Signed-off-by: Jim Paris <jim at jtan.com>
Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

The WLAN USB stick ZyXEL NWD271N (0586:3417) uses very large
usb control transfers of more than 2048 bytes. Increasing the
buffer size to 8192.

Signed-off-by: Christian Krause <chkr at plauener.de>
---
 usb-linux.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/usb-linux.c b/usb-linux.c
index f19f0c4..298f342 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -115,7 +115,7 @@ struct ctrl_struct {
     uint16_t offset;
     uint8_t  state;
     struct   usb_ctrlrequest req;
-    uint8_t  buffer[1024];
+    uint8_t  buffer[8192];
 };
 
 typedef struct USBHostDevice {
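Review bot: raising buffer[] from 1024 to 8192 in struct ctrl_struct grows every USBHostDevice by 7 KiB, and the value is picked for one reported device (the ZyXEL NWD271N) rather than derived from what the emulated controllers can request (the message itself cites 2047 for uhci and up to 4096 or 8192 for ohci); a named #define with a comment saying where the figure comes from would make the choice reviewable. The overflow is closed by the length check added further down, not by the larger array, so that check is the part to keep if the size is ever revisited.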
@@ -552,6 +552,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
     struct usbdevfs_urb *urb;
     AsyncURB *aurb;
     int ret, value, index;
+    int buffer_len;
 
     /* 
      * Process certain standard device requests.
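Review bot: buffer_len is declared as int but is compared against sizeof(s->ctrl.buffer), a size_t, which is a signed/unsigned comparison (-Wsign-compare) and forces the awkward format specifiers in the fprintf below; declaring it as size_t (or unsigned int) and casting once when it is stored into urb->buffer_length would be cleaner.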
@@ -580,6 +581,13 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
 
     /* The rest are asynchronous */
 
+    buffer_len = 8 + s->ctrl.len;
+    if (buffer_len > sizeof(s->ctrl.buffer)) {
+	    fprintf(stderr, "husb: ctrl buffer too small (%u > %lu)\n",
+		    buffer_len, sizeof(s->ctrl.buffer));
+	    return USB_RET_STALL;
+    }
+
     aurb = async_alloc();
     aurb->hdev   = s;
     aurb->packet = p;
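Review bot: the fprintf format does not match its arguments: buffer_len is an int printed with %u, and sizeof(s->ctrl.buffer) is a size_t printed with %lu, which is wrong on 32-bit targets where size_t is unsigned int. Prefer `fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n", buffer_len, sizeof(s->ctrl.buffer));` (or %u if buffer_len becomes unsigned). The added lines also indent with a tab where the surrounding code uses spaces. Returning USB_RET_STALL on an oversized request is the right outcome: the guest sees a stalled control transfer instead of the host side writing past the end of the buffer.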
@@ -596,7 +604,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
     urb->endpoint = p->devep;
 
     urb->buffer        = &s->ctrl.req;
-    urb->buffer_length = 8 + s->ctrl.len;
+    urb->buffer_length = buffer_len;
 
     urb->usercontext = s;
 
-- 
1.6.2.5



Index: qemu.spec
===================================================================
RCS file: /cvs/pkgs/rpms/qemu/F-12/qemu.spec,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -p -r1.149 -r1.150
--- qemu.spec	20 Nov 2009 18:28:23 -0000	1.149
+++ qemu.spec	20 Jan 2010 21:50:36 -0000	1.150
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.11.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 # Epoch because we pushed a qemu-1.0 package
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -58,8 +58,8 @@ Patch11: qemu-properly-save-kvm-system-t
 # Fix dropped packets with non-virtio NICs (#531419)
 Patch12: qemu-fix-dropped-packets-with-non-virtio-nics.patch
 
-# Temporarily disable preadv/pwritev support (#526549)
-Patch13: qemu-disable-preadv-support.patch
+# Fix buffer overflow in usb-linux.c (#546483)
+Patch13: qemu-usb-linux-fix-buffer-overflow.patch
 
 # Fix a use-after-free crasher in the slirp code (#539583)
 Patch14: qemu-slirp-use-after-free.patch
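Review bot: this hunk re-enables preadv/pwritev by dropping qemu-disable-preadv-support.patch and reuses the Patch13 number for the unrelated usb-linux fix; giving the new patch a fresh number keeps the meaning of each PatchN stable across releases, and the %prep section should be checked so that the old disable-preadv patch is no longer applied now that the Patch13 line refers to a different file. The changelog cites #545006 for the re-enable while the removed comment cites #526549 for the original disable, so it is worth stating in the log message why the earlier reason no longer applies.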
@@ -550,6 +550,10 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Wed Jan 20 2009 Justin M. Forbes <jforbes at redhat.com> - 2:0.11.0-13
+- Re-enable preadv/pwritev support (#545006)
+- Fix buffer overflow in usb-linux.c (#546483)
+
 * Fri Nov 20 2009 Mark McLoughlin <markmc at redhat.com> - 2:0.11.0-12
 - Fix a use-after-free crasher in the slirp code (#539583)
 - Fix overflow in the parallels image format support (#533573)
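Review bot: the new %changelog entry is dated Wed Jan 20 2009, but this commit is from Jan 20 2010 and the entry sits above the Fri Nov 20 2009 one, so the changelog is out of chronological order (and Jan 20 2009 was not a Wednesday, so rpmbuild will also warn about a bogus date). It should read `* Wed Jan 20 2010 Justin M. Forbes <jforbes at redhat.com> - 2:0.11.0-13`.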


