Created attachment 377626 [details] modified upstream patch to solve the problem Description of problem: When using certain USB in the guest system (in my case an Zyxel Wireless device) the qemu process crashs when a usb control request is greater than 1024 bytes. The problem was already fixed (partially) upstream for the upcoming 0.12.0 release. Version-Release number of selected component (if applicable): F11: qemu-0.10.6-9.fc11 F12: qemu-0.11.0-12.fc12 rawhide: qemu-0.11.0-12.fc13 How reproducible: 100% with specific devices, in my case a Zyxel USB Wlan Stick Steps to Reproduce: 1. add the USB device to the guest system Additional info: Here is the commit info for the upstream patch: usb-linux.c: fix buffer overflow In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and length to the kernel. However, the length was provided by the caller of dev->handle_packet, and is not checked, so the kernel might provide too much data and overflow our buffer. For example, hw/usb-uhci.c could set the length to 2047. hw/usb-ohci.c looks like it might go up to 4096 or 8192. This causes a qemu crash, as reported here: http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html This patch increases the usb-linux.c buffer size to 2048 to fix the specific device reported, and adds a check to avoid the overflow in any case. Signed-off-by: Jim Paris <jim> Signed-off-by: Anthony Liguori <aliguori.com> I have altered that patch in that respect, that I've increased the buffer size even more (the patch adds a sanity check to prevent the crash and increases the buffer size, too), because my USB stick seems to send more than 4k data within a control request. Setting the buffer to 8k seems to be a safe choice. I will upstream this small change in the next days. I have attached the final patch to this bug report. It would be great if you could apply it to Rawhide, F12 and F11. I have tested the patch with an F11 version of qemu and it works without any problems, solves the buffer overflow and allows me to use my USB Wireless Stick. ;)
Thanks for the patch. Would you mind posting an update when you have upstreamed the patch so that we have a reference in this bz?
(In reply to comment #1) > Thanks for the patch. Would you mind posting an update when you have upstreamed > the patch so that we have a reference in this bz? Sure - I've just sent my modification upstream: http://lists.gnu.org/archive/html/qemu-devel/2009-12/msg01253.html I'll add another comment once it is comitted.
Unfortunately I haven't heard back from upstream yet. Would would be possible to include my patch (the critical bug fix is already in upstreams git, only the increased number for the control requests isn't) in Fedora nevertheless? This would help me a lot since I would not have to re-compile qemu for all machines where I need this fix. ;-) I'll be happy to provide any help (testing, modifying the spec file, etc.) you need.
Yes, it is possible, I am working on an update for F-12 this week. It should be included.
qemu-0.11.0-13.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/qemu-0.11.0-13.fc12
qemu-0.11.0-13.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0913
Thank you very much for the new package - it works without any problems. ;-) Is it planned to push out the bug fix for F11 as well? This would be really great and help me a lot since there are still lots of F11 machines in my environment. Thank you very much in advance.
Just for reference - patch is now committed upstream: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=fd7a446f162768c044b3bf3844f7605eeef351af
qemu-0.11.0-13.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
The problem is back in F13 and rawhide, since 0.12.3 does not yet include the following upstream commit: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=fd7a446f162768c044b3bf3844f7605eeef351af Please can you add the patch in devel and F-13? Thanks!
qemu-0.12.3-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/qemu-0.12.3-2.fc12
qemu-0.12.3-6.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/qemu-0.12.3-6.fc13
qemu-0.12.3-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/qemu-0.12.3-2.fc12
qemu-0.12.3-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
qemu-0.12.3-4.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/qemu-0.12.3-4.fc12