From: Thomas Huth
To: qemu-devel@nongnu.org, Richard Henderson
Subject: [PULL 1/2] tests/qtest: misc tweaks to readconfig
Date: Tue, 16 Aug 2022 11:58:48 +0200
Message-Id: <20220816095849.211139-2-thuth@redhat.com>
In-Reply-To: <20220816095849.211139-1-thuth@redhat.com>
References: <20220816095849.211139-1-thuth@redhat.com>

From: Daniel P. Berrangé

The property name parameter is ignored when visiting a top level type,
but the obvious typo should be fixed to avoid confusion.

A few indentation issues were tidied up.

We can break out of the loop when finding the RNG device.

Finally, close the temp FD immediately when no longer needed.

Signed-off-by: Daniel P. Berrangé
Message-Id: <20220809093854.168438-1-berrange@redhat.com>
Reviewed-by: Marc-André Lureau
Reviewed-by: Thomas Huth
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Thomas Huth --- tests/qtest/readconfig-test.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/qtest/readconfig-test.c b/tests/qtest/readconfig-test.c index 2e604d7c2d..c7a9b0c7dd 100644 --- a/tests/qtest/readconfig-test.c +++ b/tests/qtest/readconfig-test.c @@ -33,13 +33,12 @@ static QTestState *qtest_init_with_config(const char *c= fgdata) g_assert_cmpint(cfgfd, >=3D, 0); =20 ret =3D qemu_write_full(cfgfd, cfgdata, strlen(cfgdata)); + close(cfgfd); if (ret < 0) { unlink(cfgpath); } g_assert_cmpint(ret, =3D=3D, strlen(cfgdata)); =20 - close(cfgfd); - args =3D g_strdup_printf("-nodefaults -machine none -readconfig %s", c= fgpath); =20 qts =3D qtest_init(args); @@ -79,7 +78,7 @@ static void test_x86_memdev(void) "size =3D \"200\""; =20 qts =3D qtest_init_with_config(cfgdata); - /* Test valid command */ + /* Test valid command */ resp =3D qtest_qmp(qts, "{ 'execute': 'query-memdev' }"); test_x86_memdev_resp(qdict_get(resp, "return")); qobject_unref(resp); @@ -96,7 +95,7 @@ static void test_spice_resp(QObject *res) =20 g_assert(res); v =3D qobject_input_visitor_new(res); - visit_type_SpiceInfo(v, "spcie", &spice, &error_abort); + visit_type_SpiceInfo(v, "spice", &spice, &error_abort); =20 g_assert(spice); g_assert(spice->enabled); @@ -114,7 +113,7 @@ static void test_spice(void) "unix =3D \"on\"\n"; =20 qts =3D qtest_init_with_config(cfgdata); - /* Test valid command */ + /* Test valid command */ resp =3D qtest_qmp(qts, "{ 'execute': 'query-spice' }"); test_spice_resp(qdict_get(resp, "return")); qobject_unref(resp); @@ -144,6 +143,7 @@ static void test_object_rng_resp(QObject *res) if (g_str_equal(obj->name, "rng0") && g_str_equal(obj->type, "child")) { seen_rng =3D true; + break; } =20 tmp =3D tmp->next; 
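Review bot: in the `qtest_init_with_config()` hunk the `close(cfgfd)` move is sound because nothing after `qemu_write_full()` uses the descriptor, and it now runs before the `ret < 0` branch, so the temp file is both closed and unlinked before `g_assert_cmpint(ret, ==, strlen(cfgdata))` can abort the test; the return value of `close()` is still ignored, which is acceptable in a test helper, but a one-line comment at that call would make it read as deliberate.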
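Review bot: in the `test_object_rng_resp()` hunk, `break` leaves the list walk with `tmp` still pointing at the `rng0` entry instead of being advanced by `tmp = tmp->next`; that is harmless only if nothing after the loop reads `tmp`, which the hunk's context does not show, so the post-loop code should be checked once before merging (`seen_rng` keeps its meaning either way).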
@@ -164,7 +164,7 @@ static void test_object_rng(void) "id =3D \"rng0\"\n"; =20 qts =3D qtest_init_with_config(cfgdata); - /* Test valid command */ + /* Test valid command */ resp =3D qtest_qmp(qts, "{ 'execute': 'qom-list'," " 'arguments': {'path': '/objects' }}"); --=20 2.31.1
From: Thomas Huth
To: qemu-devel@nongnu.org, Richard Henderson
Subject: [PULL 2/2] hw/usb/hcd-xhci: Fix unbounded loop in xhci_ring_chain_length() (CVE-2020-14394)
Date: Tue, 16 Aug 2022 11:58:49 +0200
Message-Id: <20220816095849.211139-3-thuth@redhat.com>
In-Reply-To: <20220816095849.211139-1-thuth@redhat.com>
References: <20220816095849.211139-1-thuth@redhat.com>

The loop condition in xhci_ring_chain_length() is under control of the
guest, and additionally the code does not check for failed DMA transfers
(e.g. if reaching the end of the RAM), so the loop there could run for a
very long time or even forever. Fix it by checking the return value of
dma_memory_read() and by introducing a maximum loop length.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 Message-Id: <20220804131300.96368-1-thuth@redhat.com> Reviewed-by: Mauro Matteo Cascella Acked-by: Gerd Hoffmann Signed-off-by: Thomas Huth --- hw/usb/hcd-xhci.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 296cc6c8e6..3c48b58dde 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -21,6 +21,7 @@ =20 #include "qemu/osdep.h" #include "qemu/timer.h" +#include "qemu/log.h" #include "qemu/module.h" #include "qemu/queue.h" #include "migration/vmstate.h" @@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, co= nst XHCIRing *ring) bool control_td_set =3D 0; uint32_t link_cnt =3D 0; =20 - while (1) { + do { TRBType type; - dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, - MEMTXATTRS_UNSPECIFIED); + if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, + MEMTXATTRS_UNSPECIFIED) !=3D MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\= n", + __func__); + return -1; + } le64_to_cpus(&trb.parameter); le32_to_cpus(&trb.status); le32_to_cpus(&trb.control); @@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, con= st XHCIRing *ring) if (!control_td_set && !(trb.control & TRB_TR_CH)) { return length; } - } + + /* + * According to the xHCI spec, Transfer Ring segments should have + * a maximum size of 64 kB (see chapter "6 Data Structures") + */ + } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); + + qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size= !\n", + __func__); + + return -1; } =20 static void xhci_er_reset(XHCIState *xhci, int v) --=20 2.31.1
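Review bot: in the first `xhci_ring_chain_length()` hunk, the new `return -1` on a failed `dma_memory_read()` widens the function's contract so that a negative result now also means the guest's dequeue pointer is unreadable; every caller must treat a negative value as an error rather than as a TRB count, and the call sites are not part of this diff, so they should be checked before merging. `LOG_GUEST_ERROR` is the right log category here, since a ring pointer outside guest RAM is guest-supplied data rather than a host bug.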
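Review bot: in the second hunk the new log message spells "tranfer" for "transfer". On the bound itself, `length < TRB_LINK_LIMIT * 65536 / TRB_SIZE` only limits iterations that advance `length`; if link TRBs are followed with `continue` before `length` is incremented, a guest can still make the walk hop through link TRBs without `length` growing, so termination for that case rests on the separate `link_cnt` counter declared in the first hunk's context. The comment above the `while` should say that both limits are needed, so a later reader does not remove one believing the other covers it.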
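To illustrate the two guards the commit message above describes, a checked DMA read and a bounded ring walk, here is a constructed toy model run over three constructed guest rings. It is an added example and not QEMU's code: the constant values, the TRB bit positions and the helper names are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the xHCI transfer-ring walk fixed above, not QEMU's code;
 * the constant values, bit positions and helper names are assumptions for the demo. */
#define TRB_SIZE       16
#define TRB_LINK_LIMIT 32
#define MAX_TRBS       (TRB_LINK_LIMIT * 65536 / TRB_SIZE)  /* the patch's bound */
#define TR_NORMAL      1                 /* TRB type is in control bits 15:10 */
#define TR_LINK        6
#define TRB_TR_CH      (1u << 4)         /* chain bit: the TD continues in the next TRB */
typedef struct { uint64_t parameter; uint32_t status; uint32_t control; } TRB;
/* Guest RAM as a flat array of TRBs; a read outside it fails like dma_memory_read(). */
typedef struct { const TRB *ram; size_t ntrb; } GuestRam;
static int dma_read_trb(const GuestRam *g, uint64_t addr, TRB *out) {
    if (addr % TRB_SIZE || addr / TRB_SIZE >= g->ntrb) return -1;   /* != MEMTX_OK */
    *out = g->ram[addr / TRB_SIZE];
    return 0;
}
/* Chain length in TRBs, or -1 on DMA failure, too many link hops, or an over-long
 * ring. Every exit is bounded no matter what the guest put in RAM. */
int ring_chain_length(const GuestRam *g, uint64_t dequeue) {
    int length = 0;
    uint32_t link_cnt = 0;
    TRB trb;
    do {
        if (dma_read_trb(g, dequeue, &trb) != 0) return -1;   /* the fix's DMA check */
        if (((trb.control >> 10) & 0x3f) == TR_LINK) {
            if (++link_cnt > TRB_LINK_LIMIT) return -1;      /* link hops don't add length */
            dequeue = trb.parameter;
            continue;                                        /* re-tests the loop bound */
        }
        length++;
        dequeue += TRB_SIZE;
        if (!(trb.control & TRB_TR_CH)) return length;       /* end of the TD */
    } while (length < MAX_TRBS);                             /* the fix's loop bound */
    return -1;
}
/* Constructed rings: a well-formed 3-TRB TD, a chain running off the end of RAM,
 * and a link TRB that points at itself. */
#define CHAINED ((TR_NORMAL << 10) | TRB_TR_CH)
int demo_normal_chain(void) {
    TRB ram[4] = {{0, 0, CHAINED}, {0, 0, CHAINED}, {0, 0, TR_NORMAL << 10}, {0, 0, 0}};
    GuestRam g = { ram, 4 }; return ring_chain_length(&g, 0);   /* 3 */
}
int demo_runs_off_ram(void) {
    TRB ram[4] = {{0, 0, CHAINED}, {0, 0, CHAINED}, {0, 0, CHAINED}, {0, 0, CHAINED}};
    GuestRam g = { ram, 4 }; return ring_chain_length(&g, 0);   /* -1: read at 64 fails */
}
int demo_link_loop(void) {
    TRB ram[1] = {{0, 0, TR_LINK << 10}};     /* parameter 0 links back to itself */
    GuestRam g = { ram, 1 }; return ring_chain_length(&g, 0);   /* -1 after TRB_LINK_LIMIT hops */
}
```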