diff --git a/qemu-usb-linux-fix-buffer-overflow.patch b/qemu-usb-linux-fix-buffer-overflow.patch
new file mode 100644
index 0000000..129dc5b
--- /dev/null
+++ b/qemu-usb-linux-fix-buffer-overflow.patch
@@ -0,0 +1,79 @@
+From a7c87c869ac75a076fa5552f9604f73f710cff80 Mon Sep 17 00:00:00 2001
+From: Jim Paris
+Date: Mon, 24 Aug 2009 14:56:12 -0400
+Subject: [PATCH] usb-linux.c: fix buffer overflow
+
+In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and
+length to the kernel. However, the length was provided by the caller
+of dev->handle_packet, and is not checked, so the kernel might provide
+too much data and overflow our buffer.
+
+For example, hw/usb-uhci.c could set the length to 2047.
+hw/usb-ohci.c looks like it might go up to 4096 or 8192.
+
+This causes a qemu crash, as reported here:
+ http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html
+
+This patch increases the usb-linux.c buffer size to 2048 to fix the
+specific device reported, and adds a check to avoid the overflow in
+any case.
+
+Signed-off-by: Jim Paris
+Signed-off-by: Anthony Liguori
+
+The WLAN USB stick ZyXEL NWD271N (0586:3417) uses very large
+usb control transfers of more than 2048 bytes. Increasing the
+buffer size to 8192.
+
+Signed-off-by: Christian Krause
+---
+ usb-linux.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/usb-linux.c b/usb-linux.c
+index f19f0c4..298f342 100644
+--- a/usb-linux.c
++++ b/usb-linux.c
+@@ -115,7 +115,7 @@ struct ctrl_struct {
+ uint16_t offset;
+ uint8_t state;
+ struct usb_ctrlrequest req;
+- uint8_t buffer[1024];
++ uint8_t buffer[8192];
+ };
+
+ typedef struct USBHostDevice {
+@@ -552,6 +552,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+ struct usbdevfs_urb *urb;
+ AsyncURB *aurb;
+ int ret, value, index;
++ int buffer_len;
+
+ /*
+ * Process certain standard device requests.
+@@ -580,6 +581,13 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+
+ /* The rest are asynchronous */
+
++ buffer_len = 8 + s->ctrl.len;
++ if (buffer_len > sizeof(s->ctrl.buffer)) {
++ fprintf(stderr, "husb: ctrl buffer too small (%u > %lu)\n",
++ buffer_len, sizeof(s->ctrl.buffer));
++ return USB_RET_STALL;
++ }
++
+ aurb = async_alloc();
+ aurb->hdev = s;
+ aurb->packet = p;
+@@ -596,7 +604,7 @@ static int usb_host_handle_control(USBHostDevice *s, USBPacket *p)
+ urb->endpoint = p->devep;
+
+ urb->buffer = &s->ctrl.req;
+- urb->buffer_length = 8 + s->ctrl.len;
++ urb->buffer_length = buffer_len;
+
+ urb->usercontext = s;
+
+--
+1.6.2.5
+
diff --git a/qemu.spec b/qemu.spec
index c9cd57f..a6522bd 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.11.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 # Epoch because we pushed a qemu-1.0 package
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -58,8 +58,8 @@ Patch11: qemu-properly-save-kvm-system-time-registers.patch
 # Fix dropped packets with non-virtio NICs (#531419)
 Patch12: qemu-fix-dropped-packets-with-non-virtio-nics.patch
 
-# Temporarily disable preadv/pwritev support (#526549)
-Patch13: qemu-disable-preadv-support.patch
+# Fix buffer overflow in usb-linux.c (#546483)
+Patch13: qemu-usb-linux-fix-buffer-overflow.patch
 
 # Fix a use-after-free crasher in the slirp code (#539583)
 Patch14: qemu-slirp-use-after-free.patch
@@ -550,6 +550,10 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Wed Jan 20 2009 Justin M. Forbes - 2:0.11.0-13
+- Re-enable preadv/pwritev support (#545006)
+- Fix buffer overflow in usb-linux.c (#546483)
+
 * Fri Nov 20 2009 Mark McLoughlin - 2:0.11.0-12
 - Fix a use-after-free crasher in the slirp code (#539583)
 - Fix overflow in the parallels image format support (#533573)
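Review bot: The fprintf in the new length check (the @@ -580 hunk of the embedded usb-linux.c patch) passes an `int` to `%u` and a `size_t` to `%lu`, which `-Wformat` flags and which is only correct by accident where `size_t` happens to be `unsigned long`; the portable form is `fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n", buffer_len, sizeof(s->ctrl.buffer));`. The comparison `buffer_len > sizeof(s->ctrl.buffer)` also mixes the signed `int buffer_len` with an unsigned `sizeof`, so declaring `buffer_len` as `size_t` (or `unsigned`) would make the guard free of sign-conversion surprises while still assigning cleanly to `urb->buffer_length`. The guard itself is the right defensive fix, since the commit message says the length comes from the caller of `handle_packet`, but it silently depends on `req` being immediately followed by `buffer` in `ctrl_struct` (the URB starts at `&s->ctrl.req` and spans `8 + s->ctrl.len` bytes), and strictly the data lands in `buffer` after the 8-byte `req`, so the exact bound is `s->ctrl.len > sizeof(s->ctrl.buffer)` and the committed form is 8 bytes conservative, which is harmless. A comment above the check such as `/* setup packet (8 bytes) + data, sent as one region starting at req; req and buffer must stay adjacent in ctrl_struct */` would record that assumption for the next person who touches the struct. `usb_host_handle_control` begins and ends outside the hunk.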
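Review bot: The new %changelog entry in the @@ -550 hunk of qemu.spec is dated `Wed Jan 20 2009`, which sorts before the existing `Fri Nov 20 2009` entry directly below it, and 20 January 2009 was a Tuesday, not a Wednesday; rpmbuild warns about out-of-order changelog dates and the intended date is presumably 2010, i.e. `* Wed Jan 20 2010 Justin M. Forbes - 2:0.11.0-13`. The `Patch13` slot in the @@ -58 hunk is reused for an unrelated patch rather than appending a new number, which makes the spec history harder to follow; if the `%patch13` application line in `%prep` is elsewhere in the spec it is outside this diff and should be checked to still match.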