Bug 546483 - buffer overflow in usb-linux.c
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: qemu
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Justin M. Forbes
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, Triaged
Blocks: F13VirtImportant
Reported: 2009-12-10 19:17 EST by Christian Krause
Modified: 2010-04-26 08:17 EDT
CC: 9 users
Fixed In Version: qemu-0.12.3-6.fc13
Doc Type: Bug Fix
Last Closed: 2010-03-16 19:20:14 EDT

Attachments:
modified upstream patch to solve the problem (2.42 KB, patch), 2009-12-10 19:17 EST, Christian Krause

Description Christian Krause 2009-12-10 19:17:05 EST
Created attachment 377626 [details]
modified upstream patch to solve the problem

Description of problem:
When using certain USB devices in the guest system (in my case a Zyxel Wireless device) the qemu process crashes when a USB control request is greater than 1024 bytes. The problem was already fixed (partially) upstream for the upcoming 0.12.0 release.

Version-Release number of selected component (if applicable):
F11: qemu-0.10.6-9.fc11
F12: qemu-0.11.0-12.fc12
rawhide: qemu-0.11.0-12.fc13

How reproducible:
100% with specific devices, in my case a Zyxel USB Wlan Stick

Steps to Reproduce:
1. add the USB device to the guest system
  
Additional info:
Here is the commit info for the upstream patch:

  usb-linux.c: fix buffer overflow
    
    In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and
    length to the kernel.  However, the length was provided by the caller
    of dev->handle_packet, and is not checked, so the kernel might provide
    too much data and overflow our buffer.
    
    For example, hw/usb-uhci.c could set the length to 2047.
    hw/usb-ohci.c looks like it might go up to 4096 or 8192.
    
    This causes a qemu crash, as reported here:
      http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html
    
    This patch increases the usb-linux.c buffer size to 2048 to fix the
    specific device reported, and adds a check to avoid the overflow in
    any case.
    
    Signed-off-by: Jim Paris <jim@jtan.com>
    Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

I have altered that patch in one respect: I've increased the buffer size even more (the patch adds a sanity check to prevent the crash and increases the buffer size, too), because my USB stick seems to send more than 4k of data within a control request. Setting the buffer to 8k seems to be a safe choice. I will upstream this small change in the next few days.

I have attached the final patch to this bug report. It would be great if you could apply it to Rawhide, F12 and F11.

I have tested the patch with an F11 version of qemu and it works without any problems, solves the buffer overflow and allows me to use my USB Wireless Stick. ;)
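The defect described in this report and in the quoted commit message is a classic unchecked-length pattern: a fixed-size buffer is handed to the kernel together with a length chosen by the caller, so a request larger than the buffer lets the kernel write past its end. The following C program is an added illustration, not QEMU's code and not the attached patch. It models the control path with a stand-in for the USBDEVFS_CONTROL ioctl (`fake_kernel_control`, a constructed helper that honours whatever length it is given), a bound check of the kind the fix adds, and a buffer of 8192 bytes as the reporter chose; the numeric value assigned to `USB_RET_STALL`, the struct layout and the helper names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of the usb-linux.c control path (not QEMU's code). */
#define USB_RET_STALL (-3)          /* value assumed for this example */
#define CTRL_BUF_SIZE 8192          /* the size the reporter settled on */

struct usb_host_dev {
    uint8_t data_buf[CTRL_BUF_SIZE];
};

/* Stand-in for the USBDEVFS_CONTROL ioctl: the kernel copies up to
 * `length` bytes of the device's response into `buf`. It trusts `length`
 * completely, which is why the caller must bound it. Constructed helper. */
static int fake_kernel_control(uint8_t *buf, int length)
{
    for (int i = 0; i < length; i++)
        buf[i] = (uint8_t)(i & 0xff);
    return length;
}

/* Returns nonzero when passing `length` to the kernel would run past a
 * buffer of `buf_size` bytes. The original code performed no such check
 * and used a 1024-byte buffer, so a 2047-byte UHCI request overflowed it. */
int ctrl_request_overflows(int length, size_t buf_size)
{
    return length < 0 || (size_t)length > buf_size;
}

/* Hardened control handler: refuses oversized requests instead of letting
 * the kernel write past data_buf. Returns bytes transferred or USB_RET_STALL. */
int usb_host_handle_control(struct usb_host_dev *dev, int length)
{
    if (ctrl_request_overflows(length, sizeof(dev->data_buf))) {
        fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n",
                length, sizeof(dev->data_buf));
        return USB_RET_STALL;
    }
    return fake_kernel_control(dev->data_buf, length);
}

/* Convenience wrapper with a fresh device, so each call is independent. */
int run_control_request(int length)
{
    struct usb_host_dev dev;
    memset(&dev, 0, sizeof(dev));
    return usb_host_handle_control(&dev, length);
}

int main(void)
{
    /* Lengths named in the commit message: UHCI up to 2047, OHCI up to 4096 or 8192. */
    int probes[] = { 1024, 2047, 4096, 8192, 8193 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("length %5d -> %d\n", probes[i], run_control_request(probes[i]));
    return 0;
}
```

The check alone is what closes the memory-safety hole; enlarging the buffer only decides which devices work rather than being rejected with a stall. Keeping the two concerns separate makes the bound easy to audit against `sizeof(dev->data_buf)` whenever the buffer size changes again.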
Comment 1 Justin M. Forbes 2009-12-11 12:39:49 EST
Thanks for the patch. Would you mind posting an update when you have upstreamed the patch so that we have a reference in this bz?
Comment 2 Christian Krause 2009-12-11 18:16:15 EST
(In reply to comment #1)
> Thanks for the patch. Would you mind posting an update when you have upstreamed
> the patch so that we have a reference in this bz?  

Sure - I've just sent my modification upstream:
http://lists.gnu.org/archive/html/qemu-devel/2009-12/msg01253.html

I'll add another comment once it is committed.
Comment 3 Christian Krause 2009-12-21 15:12:16 EST
Unfortunately I haven't heard back from upstream yet.

Would it be possible to include my patch (the critical bug fix is already in upstream's git, only the increased number for the control requests isn't) in Fedora nevertheless? This would help me a lot since I would not have to re-compile qemu for all the machines where I need this fix. ;-)

I'll be happy to provide any help (testing, modifying the spec file, etc.) you need.
Comment 4 Justin M. Forbes 2009-12-21 15:32:13 EST
Yes, it is possible; I am working on an update for F-12 this week. It should be included.
Comment 5 Fedora Update System 2010-01-20 21:26:26 EST
qemu-0.11.0-13.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qemu-0.11.0-13.fc12
Comment 6 Fedora Update System 2010-01-22 17:35:41 EST
qemu-0.11.0-13.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0913
Comment 7 Christian Krause 2010-01-24 11:39:38 EST
Thank you very much for the new package - it works without any problems. ;-)

Is it planned to push out the bug fix for F11 as well? This would be really great and help me a lot since there are still lots of F11 machines in my environment. Thank you very much in advance.
Comment 8 Christian Krause 2010-02-06 12:12:01 EST
Just for reference - patch is now committed upstream:

http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=fd7a446f162768c044b3bf3844f7605eeef351af
Comment 9 Fedora Update System 2010-02-09 00:11:46 EST
qemu-0.11.0-13.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Christian Krause 2010-03-15 06:46:53 EDT
The problem is back in F13 and rawhide, since 0.12.3 does not yet include the following upstream commit:
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=fd7a446f162768c044b3bf3844f7605eeef351af

Please can you add the patch in devel and F-13? Thanks!
Comment 11 Fedora Update System 2010-03-16 00:09:51 EDT
qemu-0.12.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qemu-0.12.3-2.fc12
Comment 12 Fedora Update System 2010-03-16 00:25:29 EDT
qemu-0.12.3-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/qemu-0.12.3-6.fc13
Comment 13 Fedora Update System 2010-03-16 19:14:55 EDT
qemu-0.12.3-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/qemu-0.12.3-2.fc12
Comment 14 Fedora Update System 2010-03-16 19:20:04 EDT
qemu-0.12.3-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-04-26 08:17:02 EDT
qemu-0.12.3-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/qemu-0.12.3-4.fc12