Accepting request 911318 from home:jziviani:branches:Virtualization

- usb: unbounded stack allocation in usbredir
  (bsc#1186012, CVE-2021-3527)
  hw-usb-Do-not-build-USB-subsystem-if-not.patch
  hw-usb-host-stub-Remove-unused-header.patch
  usb-hid-avoid-dynamic-stack-allocation.patch
  usb-limit-combined-packets-to-1-MiB-CVE-.patch
  usb-mtp-avoid-dynamic-stack-allocation.patch
- usbredir: free call on invalid pointer in bufp_alloc
  (bsc#1189145, CVE-2021-3682)
  usbredir-fix-free-call.patch

OBS-URL: https://build.opensuse.org/request/show/911318
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=664

bundles.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f01e2ec49bb5088e9e97f58d8fc422acb6760c387e1313e49a4d13979a5b48c8
-size 77828
+oid sha256:8799c60d25f8b55f108c1a876a7739d1deedb8fa6a4d01009d325a9a3d09e29f
+size 80624

hw-usb-Do-not-build-USB-subsystem-if-not.patch

@@ -0,0 +1,107 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 25 Apr 2021 00:41:10 +0200
+Subject: hw/usb: Do not build USB subsystem if not required
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 9c3c834bdda5ca6d58c0e61508737683d12968b5
+References: bsc#1186012, CVE-2021-3527
+
+If the Kconfig 'USB' value is not selected, it is pointless to
+build the USB core components. Add a stub for the HMP commands
+and usbdevice_create() which is called by usb_device_add in
+softmmu/vl.c.
+
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20210424224110.3442424-3-f4bug@amsat.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ MAINTAINERS          |  1 +
+ hw/usb/meson.build   |  9 +++------
+ stubs/meson.build    |  1 +
+ stubs/usb-dev-stub.c | 25 +++++++++++++++++++++++++
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 36055f14c594947b5ee9f2c3ff19..cd63d3efd8b1c8c7532c4f778f29 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1804,6 +1804,7 @@ USB
+ M: Gerd Hoffmann <kraxel@redhat.com>
+ S: Maintained
+ F: hw/usb/*
++F: stubs/usb-dev-stub.c
+ F: tests/qtest/usb-*-test.c
+ F: docs/usb2.txt
+ F: docs/usb-storage.txt
+diff --git a/hw/usb/meson.build b/hw/usb/meson.build
+index fb7a74e73ae843480fc121e07816..f357270d0b6bf5d810a5e49681a5 100644
+--- a/hw/usb/meson.build
++++ b/hw/usb/meson.build
+@@ -1,17 +1,14 @@
+ hw_usb_modules = {}
+ 
+ # usb subsystem core
+-softmmu_ss.add(files(
++softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
+   'bus.c',
+   'combined-packet.c',
+   'core.c',
+-  'pcap.c',
+-  'libhw.c'
+-))
+-
+-softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
+   'desc.c',
+   'desc-msos.c',
++  'libhw.c',
++  'pcap.c',
+ ))
+ 
+ # usb host adapters
+diff --git a/stubs/meson.build b/stubs/meson.build
+index 5555b69103baba363483e047af06..f3f979c3fe828984f045fc572d21 100644
+--- a/stubs/meson.build
++++ b/stubs/meson.build
+@@ -51,6 +51,7 @@ if have_block
+ endif
+ if have_system
+   stub_ss.add(files('semihost.c'))
++  stub_ss.add(files('usb-dev-stub.c'))
+   stub_ss.add(files('xen-hw-stub.c'))
+ else
+   stub_ss.add(files('qdev.c'))
+diff --git a/stubs/usb-dev-stub.c b/stubs/usb-dev-stub.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1adeeb4548d2aa4f4c8c9eae967578c5da18efc
+--- /dev/null
++++ b/stubs/usb-dev-stub.c
+@@ -0,0 +1,25 @@
++/*
++ * QEMU USB device emulation stubs
++ *
++ * Copyright (C) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
++ *
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#include "qemu/osdep.h"
++#include "qemu/error-report.h"
++#include "sysemu/sysemu.h"
++#include "monitor/monitor.h"
++#include "hw/usb.h"
++
++USBDevice *usbdevice_create(const char *driver)
++{
++    error_report("Support for USB devices not built-in");
++
++    return NULL;
++}
++
++void hmp_info_usb(Monitor *mon, const QDict *qdict)
++{
++    monitor_printf(mon, "Support for USB devices not built-in\n");
++}

hw-usb-host-stub-Remove-unused-header.patch

@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 25 Apr 2021 00:41:09 +0200
+Subject: hw/usb/host-stub: Remove unused header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 1081607bfab94a0b6149c4a2195737107aed265f
+References: bsc#1186012, CVE-2021-3527
+
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20210424224110.3442424-2-f4bug@amsat.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ hw/usb/host-stub.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c
+index 538ed29684cb7d3ed15df7a7b298..80809ceba54221818bd937ff01b6 100644
+--- a/hw/usb/host-stub.c
++++ b/hw/usb/host-stub.c
+@@ -31,7 +31,6 @@
+  */
+ 
+ #include "qemu/osdep.h"
+-#include "ui/console.h"
+ #include "hw/usb.h"
+ #include "monitor/monitor.h"
+ 

qemu.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Aug 10 19:32:50 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
+
+- usb: unbounded stack allocation in usbredir
+  (bsc#1186012, CVE-2021-3527)
+  hw-usb-Do-not-build-USB-subsystem-if-not.patch
+  hw-usb-host-stub-Remove-unused-header.patch
+  usb-hid-avoid-dynamic-stack-allocation.patch
+  usb-limit-combined-packets-to-1-MiB-CVE-.patch
+  usb-mtp-avoid-dynamic-stack-allocation.patch
+
+-------------------------------------------------------------------
+Fri Aug  6 17:49:56 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
+
+- usbredir: free call on invalid pointer in bufp_alloc
+  (bsc#1189145, CVE-2021-3682)
+  usbredir-fix-free-call.patch
+
 -------------------------------------------------------------------
 Tue Aug  3 20:39:25 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
 

qemu.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package qemu
+# spec file
 #
 # Copyright (c) 2021 SUSE LLC
 #
@@ -181,51 +181,57 @@ Patch00045:     ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch
 Patch00046:     hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch
 Patch00047:     monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch
 Patch00048:     vhost-user-blk-Fail-gracefully-on-too-la.patch
-Patch00049:     usb-redir-avoid-dynamic-stack-allocation.patch
-Patch00050:     virtiofsd-Fix-side-effect-in-assert.patch
-Patch00051:     sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch
-Patch00052:     virtio-blk-Fix-rollback-path-in-virtio_b.patch
-Patch00053:     hw-block-nvme-consider-metadata-read-aio.patch
-Patch00054:     vhost-user-blk-Make-sure-to-set-Error-on.patch
-Patch00055:     vhost-user-blk-Don-t-reconnect-during-in.patch
-Patch00056:     vhost-user-blk-Get-more-feature-flags-fr.patch
-Patch00057:     virtio-Fail-if-iommu_platform-is-request.patch
-Patch00058:     vhost-user-blk-Check-that-num-queues-is-.patch
-Patch00059:     vfio-ccw-Permit-missing-IRQs.patch
-Patch00060:     vhost-user-gpu-fix-memory-disclosure-in-.patch
-Patch00061:     vhost-user-gpu-fix-resource-leak-in-vg_r.patch
-Patch00062:     vhost-user-gpu-fix-memory-leak-in-vg_res.patch
-Patch00063:     vhost-user-gpu-fix-memory-leak-while-cal.patch
-Patch00064:     vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
-Patch00065:     vhost-user-gpu-fix-leak-in-virgl_resourc.patch
-Patch00066:     vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
-Patch00067:     vhost-user-gpu-abstract-vg_cleanup_mappi.patch
-Patch00068:     target-sh4-Return-error-if-CPUClass-get_.patch
-Patch00069:     tcg-arm-Fix-tcg_out_op-function-signatur.patch
-Patch00070:     x86-acpi-use-offset-instead-of-pointer-w.patch
-Patch00071:     linux-user-aarch64-Enable-hwcap-for-RND-.patch
-Patch00072:     target-i386-Exit-tb-after-wrmsr.patch
-Patch00073:     vl-allow-not-specifying-size-in-m-when-u.patch
-Patch00074:     qemu-config-load-modules-when-instantiat.patch
-Patch00075:     hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch
-Patch00076:     qemu-config-parse-configuration-files-to.patch
-Patch00077:     vl-plumb-keyval-based-options-into-readc.patch
-Patch00078:     vl-plug-object-back-into-readconfig.patch
-Patch00079:     vhost-vdpa-don-t-initialize-backend_feat.patch
-Patch00080:     vl-Fix-an-assert-failure-in-error-path.patch
-Patch00081:     qemu-config-use-qemu_opts_from_qdict.patch
-Patch00082:     runstate-Initialize-Error-to-NULL.patch
-Patch00083:     tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch
-Patch00084:     tcg-Allocate-sufficient-storage-in-temp_.patch
-Patch00085:     hw-block-nvme-align-with-existing-style.patch
-Patch00086:     hw-nvme-fix-missing-check-for-PMR-capabi.patch
-Patch00087:     hw-nvme-fix-pin-based-interrupt-behavior.patch
-Patch00088:     hw-rdma-Fix-possible-mremap-overflow-in-.patch
-Patch00089:     pvrdma-Ensure-correct-input-on-ring-init.patch
-Patch00090:     pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
-Patch00091:     hw-pci-host-q35-Ignore-write-of-reserved.patch
-Patch00092:     block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch
-Patch00093:     hw-net-can-sja1000-fix-buff2frame_bas-an.patch
+Patch00049:     virtiofsd-Fix-side-effect-in-assert.patch
+Patch00050:     sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch
+Patch00051:     virtio-blk-Fix-rollback-path-in-virtio_b.patch
+Patch00052:     hw-block-nvme-consider-metadata-read-aio.patch
+Patch00053:     vhost-user-blk-Make-sure-to-set-Error-on.patch
+Patch00054:     vhost-user-blk-Don-t-reconnect-during-in.patch
+Patch00055:     vhost-user-blk-Get-more-feature-flags-fr.patch
+Patch00056:     virtio-Fail-if-iommu_platform-is-request.patch
+Patch00057:     vhost-user-blk-Check-that-num-queues-is-.patch
+Patch00058:     vfio-ccw-Permit-missing-IRQs.patch
+Patch00059:     vhost-user-gpu-fix-memory-disclosure-in-.patch
+Patch00060:     vhost-user-gpu-fix-resource-leak-in-vg_r.patch
+Patch00061:     vhost-user-gpu-fix-memory-leak-in-vg_res.patch
+Patch00062:     vhost-user-gpu-fix-memory-leak-while-cal.patch
+Patch00063:     vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
+Patch00064:     vhost-user-gpu-fix-leak-in-virgl_resourc.patch
+Patch00065:     vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
+Patch00066:     vhost-user-gpu-abstract-vg_cleanup_mappi.patch
+Patch00067:     target-sh4-Return-error-if-CPUClass-get_.patch
+Patch00068:     tcg-arm-Fix-tcg_out_op-function-signatur.patch
+Patch00069:     x86-acpi-use-offset-instead-of-pointer-w.patch
+Patch00070:     linux-user-aarch64-Enable-hwcap-for-RND-.patch
+Patch00071:     target-i386-Exit-tb-after-wrmsr.patch
+Patch00072:     vl-allow-not-specifying-size-in-m-when-u.patch
+Patch00073:     qemu-config-load-modules-when-instantiat.patch
+Patch00074:     hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch
+Patch00075:     qemu-config-parse-configuration-files-to.patch
+Patch00076:     vl-plumb-keyval-based-options-into-readc.patch
+Patch00077:     vl-plug-object-back-into-readconfig.patch
+Patch00078:     vhost-vdpa-don-t-initialize-backend_feat.patch
+Patch00079:     vl-Fix-an-assert-failure-in-error-path.patch
+Patch00080:     qemu-config-use-qemu_opts_from_qdict.patch
+Patch00081:     runstate-Initialize-Error-to-NULL.patch
+Patch00082:     tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch
+Patch00083:     tcg-Allocate-sufficient-storage-in-temp_.patch
+Patch00084:     hw-block-nvme-align-with-existing-style.patch
+Patch00085:     hw-nvme-fix-missing-check-for-PMR-capabi.patch
+Patch00086:     hw-nvme-fix-pin-based-interrupt-behavior.patch
+Patch00087:     hw-rdma-Fix-possible-mremap-overflow-in-.patch
+Patch00088:     pvrdma-Ensure-correct-input-on-ring-init.patch
+Patch00089:     pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
+Patch00090:     hw-pci-host-q35-Ignore-write-of-reserved.patch
+Patch00091:     block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch
+Patch00092:     hw-net-can-sja1000-fix-buff2frame_bas-an.patch
+Patch00093:     usbredir-fix-free-call.patch
+Patch00094:     usb-redir-avoid-dynamic-stack-allocation.patch
+Patch00095:     usb-limit-combined-packets-to-1-MiB-CVE-.patch
+Patch00096:     hw-usb-host-stub-Remove-unused-header.patch
+Patch00097:     hw-usb-Do-not-build-USB-subsystem-if-not.patch
+Patch00098:     usb-hid-avoid-dynamic-stack-allocation.patch
+Patch00099:     usb-mtp-avoid-dynamic-stack-allocation.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@@ -1165,6 +1171,12 @@ This package records qemu testsuite results and represents successful testing.
 %patch00091 -p1
 %patch00092 -p1
 %patch00093 -p1
+%patch00094 -p1
+%patch00095 -p1
+%patch00096 -p1
+%patch00097 -p1
+%patch00098 -p1
+%patch00099 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1

usb-hid-avoid-dynamic-stack-allocation.patch

@@ -0,0 +1,48 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:11 +0200
+Subject: usb/hid: avoid dynamic stack allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03
+References: bsc#1186012, CVE-2021-3527
+
+Use autofree heap allocation instead.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ hw/usb/dev-hid.c   | 2 +-
+ hw/usb/dev-wacom.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
+index fc39bab79f94b0a0d06c23fc650d..1c7ae97c3033442dba820db492bd 100644
+--- a/hw/usb/dev-hid.c
++++ b/hw/usb/dev-hid.c
+@@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
+ {
+     USBHIDState *us = USB_HID(dev);
+     HIDState *hs = &us->hid;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+     int len = 0;
+ 
+     switch (p->pid) {
+diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
+index b595048635090242b5e771a11436..ed687bc9f1eb1b20b7e8ab0db35a 100644
+--- a/hw/usb/dev-wacom.c
++++ b/hw/usb/dev-wacom.c
+@@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
+ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
+ {
+     USBWacomState *s = (USBWacomState *) dev;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+     int len = 0;
+ 
+     switch (p->pid) {

usb-limit-combined-packets-to-1-MiB-CVE-.patch

@@ -0,0 +1,36 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+Git-commit: 05a40b172e4d691371534828078be47e7fff524c
+References: bsc#1186012, CVE-2021-3527
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dcb515c9b8acc58d97b4..e56802f89a32f44bc94f3b3dbda2 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {

usb-mtp-avoid-dynamic-stack-allocation.patch

@@ -0,0 +1,35 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:13 +0200
+Subject: usb/mtp: avoid dynamic stack allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 06aa50c06c6392084244f8169d34b8e2d9c43ef2
+References: bsc#1186012, CVE-2021-3527
+
+Use autofree heap allocation instead.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-4-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ hw/usb/dev-mtp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index bbb827434482d3b191df857d6fa0..2a895a73b083315d617e73a12cbd 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
+                                            MTPObject *o)
+ {
+     MTPData *d = usb_mtp_data_alloc(c);
+-    uint32_t i = 0, handles[o->nchildren];
++    uint32_t i = 0;
++    g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
+     MTPObject *iter;
+ 
+     trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);

usb-redir-avoid-dynamic-stack-allocation.patch

@@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
-References: CVE-2021-3527
+References: bsc#1186012, CVE-2021-3527
 
 Use autofree heap allocation instead.
 
@@ -21,7 +21,7 @@ Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 17f06f34179a257e3fd2b354164e..6a75b0dc4ab295a70b4c507c9821 100644
+index af1721a391139818ec9007c16f55..e6474dc543faa707de4d6b2ab03f 100644
 --- a/hw/usb/redirect.c
 +++ b/hw/usb/redirect.c
 @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,

usbredir-fix-free-call.patch

@@ -0,0 +1,37 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9
+References: bsc#1189145 CVE-2021-3682
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that.  It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full.  Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ hw/usb/redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f34179a257e3fd2b354164e..af1721a391139818ec9007c16f55 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+     if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+         if (dev->endpoint[EP2I(ep)].bufpq_size >
+                 dev->endpoint[EP2I(ep)].bufpq_target_size) {
+-            free(data);
++            free(free_on_destroy);
+             return -1;
+         }
+         dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;