From c57c3c69e6332642eeb4d55ed21f876c125fba646b566a29a8681cd94c362a3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Ricardo=20Ziviani?= Date: Tue, 10 Aug 2021 20:38:06 +0000 Subject: [PATCH] Accepting request 911318 from home:jziviani:branches:Virtualization - usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527) hw-usb-Do-not-build-USB-subsystem-if-not.patch hw-usb-host-stub-Remove-unused-header.patch usb-hid-avoid-dynamic-stack-allocation.patch usb-limit-combined-packets-to-1-MiB-CVE-.patch usb-mtp-avoid-dynamic-stack-allocation.patch - usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682) usbredir-fix-free-call.patch OBS-URL: https://build.opensuse.org/request/show/911318 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=664 --- bundles.tar.xz | 4 +- ...sb-Do-not-build-USB-subsystem-if-not.patch | 107 ++++++++++++++++++ hw-usb-host-stub-Remove-unused-header.patch | 31 +++++ qemu.changes | 18 +++ qemu.spec | 104 +++++++++-------- usb-hid-avoid-dynamic-stack-allocation.patch | 48 ++++++++ ...limit-combined-packets-to-1-MiB-CVE-.patch | 36 ++++++ usb-mtp-avoid-dynamic-stack-allocation.patch | 35 ++++++ ...redir-avoid-dynamic-stack-allocation.patch | 4 +- usbredir-fix-free-call.patch | 37 ++++++ 10 files changed, 374 insertions(+), 50 deletions(-) create mode 100644 hw-usb-Do-not-build-USB-subsystem-if-not.patch create mode 100644 hw-usb-host-stub-Remove-unused-header.patch create mode 100644 usb-hid-avoid-dynamic-stack-allocation.patch create mode 100644 usb-limit-combined-packets-to-1-MiB-CVE-.patch create mode 100644 usb-mtp-avoid-dynamic-stack-allocation.patch create mode 100644 usbredir-fix-free-call.patch diff --git a/bundles.tar.xz b/bundles.tar.xz index b83a5a8a..2a17f84b 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz 
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f01e2ec49bb5088e9e97f58d8fc422acb6760c387e1313e49a4d13979a5b48c8
-size 77828
+oid sha256:8799c60d25f8b55f108c1a876a7739d1deedb8fa6a4d01009d325a9a3d09e29f
+size 80624
diff --git a/hw-usb-Do-not-build-USB-subsystem-if-not.patch b/hw-usb-Do-not-build-USB-subsystem-if-not.patch
new file mode 100644
index 00000000..8e5bf147
--- /dev/null
+++ b/hw-usb-Do-not-build-USB-subsystem-if-not.patch
@@ -0,0 +1,107 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Sun, 25 Apr 2021 00:41:10 +0200
+Subject: hw/usb: Do not build USB subsystem if not required
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 9c3c834bdda5ca6d58c0e61508737683d12968b5
+References: bsc#1186012, CVE-2021-3527
+
+If the Kconfig 'USB' value is not selected, it is pointless to
+build the USB core components. Add a stub for the HMP commands
+and usbdevice_create() which is called by usb_device_add in
+softmmu/vl.c.
+
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Richard Henderson
+Message-Id: <20210424224110.3442424-3-f4bug@amsat.org>
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Jose R. Ziviani
+---
+ MAINTAINERS | 1 +
+ hw/usb/meson.build | 9 +++------
+ stubs/meson.build | 1 +
+ stubs/usb-dev-stub.c | 25 +++++++++++++++++++++++++
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 36055f14c594947b5ee9f2c3ff19..cd63d3efd8b1c8c7532c4f778f29 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1804,6 +1804,7 @@ USB
+ M: Gerd Hoffmann
+ S: Maintained
+ F: hw/usb/*
++F: stubs/usb-dev-stub.c
+ F: tests/qtest/usb-*-test.c
+ F: docs/usb2.txt
+ F: docs/usb-storage.txt
+diff --git a/hw/usb/meson.build b/hw/usb/meson.build
+index fb7a74e73ae843480fc121e07816..f357270d0b6bf5d810a5e49681a5 100644
+--- a/hw/usb/meson.build
++++ b/hw/usb/meson.build
+@@ -1,17 +1,14 @@
+ hw_usb_modules = {}
+ 
+ # usb subsystem core
+-softmmu_ss.add(files(
++softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
+ 'bus.c',
+ 'combined-packet.c',
+ 'core.c',
+- 'pcap.c',
+- 'libhw.c'
+-))
+-
+-softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
+ 'desc.c',
+ 'desc-msos.c',
++ 'libhw.c',
++ 'pcap.c',
+ ))
+ 
+ # usb host adapters
+diff --git a/stubs/meson.build b/stubs/meson.build
+index 5555b69103baba363483e047af06..f3f979c3fe828984f045fc572d21 100644
+--- a/stubs/meson.build
++++ b/stubs/meson.build
+@@ -51,6 
+51,7 @@ if have_block
+ endif
+ if have_system
+ stub_ss.add(files('semihost.c'))
++ stub_ss.add(files('usb-dev-stub.c'))
+ stub_ss.add(files('xen-hw-stub.c'))
+ else
+ stub_ss.add(files('qdev.c'))
+diff --git a/stubs/usb-dev-stub.c b/stubs/usb-dev-stub.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1adeeb4548d2aa4f4c8c9eae967578c5da18efc
+--- /dev/null
++++ b/stubs/usb-dev-stub.c
+@@ -0,0 +1,25 @@
++/*
++ * QEMU USB device emulation stubs
++ *
++ * Copyright (C) 2021 Philippe Mathieu-Daudé
++ *
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#include "qemu/osdep.h"
++#include "qemu/error-report.h"
++#include "sysemu/sysemu.h"
++#include "monitor/monitor.h"
++#include "hw/usb.h"
++
++USBDevice *usbdevice_create(const char *driver)
++{
++ error_report("Support for USB devices not built-in");
++
++ return NULL;
++}
++
++void hmp_info_usb(Monitor *mon, const QDict *qdict)
++{
++ monitor_printf(mon, "Support for USB devices not built-in\n");
++}
diff --git a/hw-usb-host-stub-Remove-unused-header.patch b/hw-usb-host-stub-Remove-unused-header.patch
new file mode 100644
index 00000000..637df848
--- /dev/null
+++ b/hw-usb-host-stub-Remove-unused-header.patch
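Review bot: stubs/usb-dev-stub.c is added to stub_ss unconditionally under `if have_system`, while the real usbdevice_create() and hmp_info_usb() now compile only when CONFIG_USB is selected, so a CONFIG_USB build carries both definitions and relies on the stub library being linked after the softmmu objects so the real symbols win; that is presumably how the neighbouring semihost.c and xen-hw-stub.c stubs already work, but nothing in the new file says so, and a backporter reading only this file cannot tell. A header comment would pin the intent, e.g. `/* Fallback definitions for builds without CONFIG_USB; when the USB core is built its definitions take precedence at link time. */`. Separately, usbdevice_create() ignores `driver`, so a refused `-usbdevice` option is reported without saying which device was requested; if the upstream message is to stay verbatim for the backport, a one-line comment marking the parameter as intentionally unused would stop a later "fix" from diverging the message.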
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Sun, 25 Apr 2021 00:41:09 +0200
+Subject: hw/usb/host-stub: Remove unused header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 1081607bfab94a0b6149c4a2195737107aed265f
+References: bsc#1186012, CVE-2021-3527
+
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Richard Henderson
+Message-Id: <20210424224110.3442424-2-f4bug@amsat.org>
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Jose R. Ziviani
+---
+ hw/usb/host-stub.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c
+index 538ed29684cb7d3ed15df7a7b298..80809ceba54221818bd937ff01b6 100644
+--- a/hw/usb/host-stub.c
++++ b/hw/usb/host-stub.c
+@@ -31,7 +31,6 @@
+ */
+ 
+ #include "qemu/osdep.h"
+-#include "ui/console.h"
+ #include "hw/usb.h"
+ #include "monitor/monitor.h"
+ 
diff --git a/qemu.changes b/qemu.changes
index 938d0bb0..756e5fc7 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Aug 10 19:32:50 UTC 2021 - José Ricardo Ziviani
+
+- usb: unbounded stack allocation in usbredir
+ (bsc#1186012, CVE-2021-3527)
+ hw-usb-Do-not-build-USB-subsystem-if-not.patch
+ hw-usb-host-stub-Remove-unused-header.patch
+ usb-hid-avoid-dynamic-stack-allocation.patch
+ usb-limit-combined-packets-to-1-MiB-CVE-.patch
+ usb-mtp-avoid-dynamic-stack-allocation.patch
+
+-------------------------------------------------------------------
+Fri Aug 6 17:49:56 UTC 2021 - José Ricardo Ziviani
+
+- usbredir: free call on invalid pointer in bufp_alloc
+ (bsc#1189145, CVE-2021-3682)
+ usbredir-fix-free-call.patch
+
 -------------------------------------------------------------------
 Tue Aug 3 20:39:25 UTC 2021 - José Ricardo Ziviani
diff --git a/qemu.spec b/qemu.spec
index 36e6154a..1f55282f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package qemu
+# spec file
 #
 # Copyright (c) 2021 SUSE LLC
 #
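Review bot: The header comment loses "for package qemu" and becomes a bare `# spec file`, a change that has nothing to do with the CVE backports this request is about and is not mentioned in qemu.changes. If the spec is regenerated by tooling this may simply be the generator's current output, but if it is a hand edit the conventional openSUSE header `# spec file for package qemu` should be restored so the spec diff stays limited to the patch list and %patch lines.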
@@ -181,51 +181,57 @@ Patch00045: ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch
 Patch00046: hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch
 Patch00047: monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch
 Patch00048: vhost-user-blk-Fail-gracefully-on-too-la.patch
-Patch00049: usb-redir-avoid-dynamic-stack-allocation.patch
-Patch00050: virtiofsd-Fix-side-effect-in-assert.patch
-Patch00051: sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch
-Patch00052: virtio-blk-Fix-rollback-path-in-virtio_b.patch
-Patch00053: hw-block-nvme-consider-metadata-read-aio.patch
-Patch00054: vhost-user-blk-Make-sure-to-set-Error-on.patch
-Patch00055: vhost-user-blk-Don-t-reconnect-during-in.patch
-Patch00056: vhost-user-blk-Get-more-feature-flags-fr.patch
-Patch00057: virtio-Fail-if-iommu_platform-is-request.patch
-Patch00058: vhost-user-blk-Check-that-num-queues-is-.patch
-Patch00059: vfio-ccw-Permit-missing-IRQs.patch
-Patch00060: vhost-user-gpu-fix-memory-disclosure-in-.patch
-Patch00061: vhost-user-gpu-fix-resource-leak-in-vg_r.patch
-Patch00062: vhost-user-gpu-fix-memory-leak-in-vg_res.patch
-Patch00063: vhost-user-gpu-fix-memory-leak-while-cal.patch
-Patch00064: vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
-Patch00065: vhost-user-gpu-fix-leak-in-virgl_resourc.patch
-Patch00066: vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
-Patch00067: vhost-user-gpu-abstract-vg_cleanup_mappi.patch
-Patch00068: target-sh4-Return-error-if-CPUClass-get_.patch
-Patch00069: tcg-arm-Fix-tcg_out_op-function-signatur.patch
-Patch00070: x86-acpi-use-offset-instead-of-pointer-w.patch
-Patch00071: linux-user-aarch64-Enable-hwcap-for-RND-.patch
-Patch00072: target-i386-Exit-tb-after-wrmsr.patch
-Patch00073: vl-allow-not-specifying-size-in-m-when-u.patch
-Patch00074: qemu-config-load-modules-when-instantiat.patch
-Patch00075: hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch
-Patch00076: qemu-config-parse-configuration-files-to.patch
-Patch00077: vl-plumb-keyval-based-options-into-readc.patch
-Patch00078: 
vl-plug-object-back-into-readconfig.patch
-Patch00079: vhost-vdpa-don-t-initialize-backend_feat.patch
-Patch00080: vl-Fix-an-assert-failure-in-error-path.patch
-Patch00081: qemu-config-use-qemu_opts_from_qdict.patch
-Patch00082: runstate-Initialize-Error-to-NULL.patch
-Patch00083: tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch
-Patch00084: tcg-Allocate-sufficient-storage-in-temp_.patch
-Patch00085: hw-block-nvme-align-with-existing-style.patch
-Patch00086: hw-nvme-fix-missing-check-for-PMR-capabi.patch
-Patch00087: hw-nvme-fix-pin-based-interrupt-behavior.patch
-Patch00088: hw-rdma-Fix-possible-mremap-overflow-in-.patch
-Patch00089: pvrdma-Ensure-correct-input-on-ring-init.patch
-Patch00090: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
-Patch00091: hw-pci-host-q35-Ignore-write-of-reserved.patch
-Patch00092: block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch
-Patch00093: hw-net-can-sja1000-fix-buff2frame_bas-an.patch
+Patch00049: virtiofsd-Fix-side-effect-in-assert.patch
+Patch00050: sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch
+Patch00051: virtio-blk-Fix-rollback-path-in-virtio_b.patch
+Patch00052: hw-block-nvme-consider-metadata-read-aio.patch
+Patch00053: vhost-user-blk-Make-sure-to-set-Error-on.patch
+Patch00054: vhost-user-blk-Don-t-reconnect-during-in.patch
+Patch00055: vhost-user-blk-Get-more-feature-flags-fr.patch
+Patch00056: virtio-Fail-if-iommu_platform-is-request.patch
+Patch00057: vhost-user-blk-Check-that-num-queues-is-.patch
+Patch00058: vfio-ccw-Permit-missing-IRQs.patch
+Patch00059: vhost-user-gpu-fix-memory-disclosure-in-.patch
+Patch00060: vhost-user-gpu-fix-resource-leak-in-vg_r.patch
+Patch00061: vhost-user-gpu-fix-memory-leak-in-vg_res.patch
+Patch00062: vhost-user-gpu-fix-memory-leak-while-cal.patch
+Patch00063: vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
+Patch00064: vhost-user-gpu-fix-leak-in-virgl_resourc.patch
+Patch00065: vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
+Patch00066: vhost-user-gpu-abstract-vg_cleanup_mappi.patch
+Patch00067: target-sh4-Return-error-if-CPUClass-get_.patch
+Patch00068: tcg-arm-Fix-tcg_out_op-function-signatur.patch
+Patch00069: x86-acpi-use-offset-instead-of-pointer-w.patch
+Patch00070: linux-user-aarch64-Enable-hwcap-for-RND-.patch
+Patch00071: target-i386-Exit-tb-after-wrmsr.patch
+Patch00072: vl-allow-not-specifying-size-in-m-when-u.patch
+Patch00073: qemu-config-load-modules-when-instantiat.patch
+Patch00074: hmp-Fix-loadvm-to-resume-the-VM-on-succe.patch
+Patch00075: qemu-config-parse-configuration-files-to.patch
+Patch00076: vl-plumb-keyval-based-options-into-readc.patch
+Patch00077: vl-plug-object-back-into-readconfig.patch
+Patch00078: vhost-vdpa-don-t-initialize-backend_feat.patch
+Patch00079: vl-Fix-an-assert-failure-in-error-path.patch
+Patch00080: qemu-config-use-qemu_opts_from_qdict.patch
+Patch00081: runstate-Initialize-Error-to-NULL.patch
+Patch00082: tcg-sparc-Fix-temp_allocate_frame-vs-spa.patch
+Patch00083: tcg-Allocate-sufficient-storage-in-temp_.patch
+Patch00084: hw-block-nvme-align-with-existing-style.patch
+Patch00085: hw-nvme-fix-missing-check-for-PMR-capabi.patch
+Patch00086: hw-nvme-fix-pin-based-interrupt-behavior.patch
+Patch00087: hw-rdma-Fix-possible-mremap-overflow-in-.patch
+Patch00088: pvrdma-Ensure-correct-input-on-ring-init.patch
+Patch00089: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch
+Patch00090: hw-pci-host-q35-Ignore-write-of-reserved.patch
+Patch00091: block-nvme-Fix-VFIO_MAP_DMA-failed-No-sp.patch
+Patch00092: hw-net-can-sja1000-fix-buff2frame_bas-an.patch
+Patch00093: usbredir-fix-free-call.patch
+Patch00094: usb-redir-avoid-dynamic-stack-allocation.patch
+Patch00095: usb-limit-combined-packets-to-1-MiB-CVE-.patch
+Patch00096: hw-usb-host-stub-Remove-unused-header.patch
+Patch00097: hw-usb-Do-not-build-USB-subsystem-if-not.patch
+Patch00098: usb-hid-avoid-dynamic-stack-allocation.patch
+Patch00099: usb-mtp-avoid-dynamic-stack-allocation.patch
 # Patches applied in roms/seabios/:
 Patch01000: 
seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1165,6 +1171,12 @@ This package records qemu testsuite results and represents successful testing.
 %patch00091 -p1
 %patch00092 -p1
 %patch00093 -p1
+%patch00094 -p1
+%patch00095 -p1
+%patch00096 -p1
+%patch00097 -p1
+%patch00098 -p1
+%patch00099 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
diff --git a/usb-hid-avoid-dynamic-stack-allocation.patch b/usb-hid-avoid-dynamic-stack-allocation.patch
new file mode 100644
index 00000000..a68ed3bd
--- /dev/null
+++ b/usb-hid-avoid-dynamic-stack-allocation.patch
@@ -0,0 +1,48 @@
+From: Gerd Hoffmann
+Date: Mon, 3 May 2021 15:29:11 +0200
+Subject: usb/hid: avoid dynamic stack allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03
+References: bsc#1186012, CVE-2021-3527
+
+Use autofree heap allocation instead.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Philippe Mathieu-Daudé
+Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani
+---
+ hw/usb/dev-hid.c | 2 +-
+ hw/usb/dev-wacom.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
+index fc39bab79f94b0a0d06c23fc650d..1c7ae97c3033442dba820db492bd 100644
+--- a/hw/usb/dev-hid.c
++++ b/hw/usb/dev-hid.c
+@@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
+ {
+ USBHIDState *us = USB_HID(dev);
+ HIDState *hs = &us->hid;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ int len = 0;
+ 
+ switch (p->pid) {
+diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
+index b595048635090242b5e771a11436..ed687bc9f1eb1b20b7e8ab0db35a 100644
+--- a/hw/usb/dev-wacom.c
++++ b/hw/usb/dev-wacom.c
+@@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
+ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
+ {
+ USBWacomState *s = (USBWacomState *) dev;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ int len = 0;
+ 
+ switch (p->pid) {
diff --git a/usb-limit-combined-packets-to-1-MiB-CVE-.patch b/usb-limit-combined-packets-to-1-MiB-CVE-.patch
new file mode 100644
index 00000000..d0a23c75
--- /dev/null
+++ b/usb-limit-combined-packets-to-1-MiB-CVE-.patch
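Review bot: `g_autofree uint8_t *buf = g_malloc(p->iov.size);` in both usb_hid_handle_data() and usb_wacom_handle_data() takes the guest-sized buffer off the stack but leaves its size under guest control, and g_malloc() aborts the process instead of returning NULL when a request cannot be satisfied, so an oversized transfer descriptor still ends in a QEMU crash rather than a USB error; whether p->iov.size is already bounded by the host-controller emulation before it reaches these handlers is not visible in this hunk. Reports from these devices are presumably tiny, so rejecting anything above a device-specific ceiling before allocating — for example `if (p->iov.size > <max report size>) { p->status = USB_RET_STALL; return; }` — would give a deterministic failure and keep the per-packet allocation small. Note also that g_malloc(0) returns NULL for a zero-length packet, which is harmless only if the remainder of each handler never touches buf when len stays 0; both function bodies continue past the hunk, so that should be confirmed rather than assumed.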
@@ -0,0 +1,36 @@
+From: Gerd Hoffmann
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+Git-commit: 05a40b172e4d691371534828078be47e7fff524c
+References: bsc#1186012, CVE-2021-3527
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dcb515c9b8acc58d97b4..e56802f89a32f44bc94f3b3dbda2 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
diff --git a/usb-mtp-avoid-dynamic-stack-allocation.patch b/usb-mtp-avoid-dynamic-stack-allocation.patch
new file mode 100644
index 00000000..f033d46f
--- /dev/null
+++ b/usb-mtp-avoid-dynamic-stack-allocation.patch
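Review bot: The new clause `totalsize > 1 * MiB - ep->max_packet_size` leaves exactly one max_packet_size of headroom, but the first clause of the same `if` lets a packet continue the combination whenever its size is any multiple of max_packet_size, so the packet appended next can be several times larger than that headroom and the combined transfer can end up somewhat above 1 MiB; as a resource cap that is acceptable, but the comment reads as if the limit were exact, and "package" should be "packet". Suggest `/* Stop here so the next packet cannot push the combined transfer much past 1 MiB (soft limit: overshoot is bounded by one packet) */`. If a hard cap is wanted instead, `next == NULL` is already tested earlier in the same expression, so `totalsize + next->iov.size > 1 * MiB` would be an exact check, provided `next` is always the packet that would be appended. The declaration of totalsize and the definitions of MiB and max_packet_size lie outside the hunk, so it is worth confirming the comparison is not evaluated in a type narrower than the 1 MiB constant.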
@@ -0,0 +1,35 @@
+From: Gerd Hoffmann
+Date: Mon, 3 May 2021 15:29:13 +0200
+Subject: usb/mtp: avoid dynamic stack allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 06aa50c06c6392084244f8169d34b8e2d9c43ef2
+References: bsc#1186012, CVE-2021-3527
+
+Use autofree heap allocation instead.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Philippe Mathieu-Daudé
+Tested-by: Philippe Mathieu-Daudé
+Message-Id: <20210503132915.2335822-4-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani
+---
+ hw/usb/dev-mtp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index bbb827434482d3b191df857d6fa0..2a895a73b083315d617e73a12cbd 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
+ MTPObject *o)
+ {
+ MTPData *d = usb_mtp_data_alloc(c);
+- uint32_t i = 0, handles[o->nchildren];
++ uint32_t i = 0;
++ g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
+ MTPObject *iter;
+ 
+ trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);
diff --git a/usb-redir-avoid-dynamic-stack-allocation.patch b/usb-redir-avoid-dynamic-stack-allocation.patch
index 8ac14fb5..95f14f4c 100644
--- a/usb-redir-avoid-dynamic-stack-allocation.patch
+++ b/usb-redir-avoid-dynamic-stack-allocation.patch
@@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
-References: CVE-2021-3527
+References: bsc#1186012, CVE-2021-3527
 Use autofree heap allocation instead.
@@ -21,7 +21,7 @@ Signed-off-by: Jose R. Ziviani
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index 17f06f34179a257e3fd2b354164e..6a75b0dc4ab295a70b4c507c9821 100644
+index af1721a391139818ec9007c16f55..e6474dc543faa707de4d6b2ab03f 100644
 --- a/hw/usb/redirect.c
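Review bot: `g_new(uint32_t, o->nchildren)` yields NULL when nchildren is 0 (GLib returns NULL for a zero-sized g_malloc_n), whereas the removed VLA was a zero-length array, so an empty directory now hands a NULL `handles` to the rest of usb_mtp_get_object_handles(), whose body continues past the hunk. That is only safe if every access to handles happens inside the per-child iteration and the element count is passed alongside the pointer; that looks likely from the `i` counter and the `iter` variable kept in context, but it should be confirmed, and a comment on the declaration would record it, e.g. `/* NULL when nchildren == 0; must only be indexed while iterating children */`.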
+++ b/hw/usb/redirect.c
 @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
diff --git a/usbredir-fix-free-call.patch b/usbredir-fix-free-call.patch
new file mode 100644
index 00000000..e8046b1d
--- /dev/null
+++ b/usbredir-fix-free-call.patch
@@ -0,0 +1,37 @@
+From: Gerd Hoffmann
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9
+References: bsc#1189145 CVE-2021-3682
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that. It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full. Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Marc-André Lureau
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani
+---
+ hw/usb/redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f34179a257e3fd2b354164e..af1721a391139818ec9007c16f55 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+ if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+ if (dev->endpoint[EP2I(ep)].bufpq_size >
+ dev->endpoint[EP2I(ep)].bufpq_target_size) {
+- free(data);
++ free(free_on_destroy);
+ return -1;
+ }
+ dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
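Review bot: `free(free_on_destroy)` encodes an ownership rule — on the drop path bufp_alloc() releases the owning buffer, into which `data` may merely point — that exists only in the patch description, and it leaves a question this hunk cannot answer: if a caller splits one buffer across several bufp_alloc() calls and passes the owning pointer only with the final chunk, dropping that final chunk frees memory that earlier, already-queued chunks still reference. Whether the dropping flag can change between chunks of a single transfer is decided by code outside the hunk (the parameter list itself continues past the `@@` context line), so that should be confirmed before this backport is treated as complete. Either way, a comment at the free site would keep the next reader from "simplifying" it back to free(data), e.g. `/* data may point into the middle of free_on_destroy; release the owning buffer, never data itself */`. The `References:` trailer also omits the comma separator used by every other patch in this request, which may matter for tooling that parses those lines.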