From 071da4bb78fc3dcb562c2e7da3c2969cf298fe52 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 22 Jul 2021 09:27:56 +0200 Subject: [PATCH 1/3] usbredir: fix free call MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit data might point into the middle of a larger buffer, there is a separate free_on_destroy pointer passed into bufp_alloc() to handle that. It is only used in the normal workflow though, not when dropping packets due to the queue being full. Fix that. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 Signed-off-by: Gerd Hoffmann Reviewed-by: Marc-André Lureau Message-Id: <20210722072756.647673-1-kraxel@redhat.com> Signed-off-by: imxcc (cherry picked from commit 47c21ec4a9ab183f402ec611e82f49bc020aaab6) --- usbredir-fix-free-call.patch | 38 ++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 usbredir-fix-free-call.patch diff --git a/usbredir-fix-free-call.patch b/usbredir-fix-free-call.patch new file mode 100644 index 00000000..d4e65ef4 --- /dev/null +++ b/usbredir-fix-free-call.patch 
@@ -0,0 +1,38 @@ +From 642ace93283c326666a9bbc2f8cf5b483fca2a6a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 22 Jul 2021 09:27:56 +0200 +Subject: [PATCH] usbredir: fix free call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +data might point into the middle of a larger buffer, there is a separate +free_on_destroy pointer passed into bufp_alloc() to handle that. It is +only used in the normal workflow though, not when dropping packets due +to the queue being full. Fix that. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-Id: <20210722072756.647673-1-kraxel@redhat.com> +Signed-off-by: imxcc +--- + hw/usb/redirect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index 3cf82589ed..71f3594f4a 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -468,7 +468,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, + if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { + if (dev->endpoint[EP2I(ep)].bufpq_size > + dev->endpoint[EP2I(ep)].bufpq_target_size) { +- free(data); ++ free(free_on_destroy); + return -1; + } + dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0; +-- +2.27.0 + -- Gitee From 0d820dd09bcc416df1cd381bbb00ff6047ffbac9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 Aug 2021 11:29:37 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !185 fix CVE-2021-3682 #I45H4H !185 usbredir: fix free call Signed-off-by: Chen Qun (cherry picked from commit ce72a2174d52519bca8b951d63d50d1e9c039583) --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 981d9e12..a830a30e 100644 --- a/qemu.spec +++ b/qemu.spec 
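Review bot: the drop path in bufp_alloc() now frees free_on_destroy instead of data, which is the right pointer when data sits inside a larger buffer, but the hunk leaves the ownership contract implicit: for a sub-chunk free_on_destroy is NULL, so `free(free_on_destroy);` is a no-op and the dropped chunk's bytes stay alive with whichever queue entry does own the allocation. A one-line comment above that call stating that bufp_alloc() only owns the memory when free_on_destroy is set would stop the next reader from reintroducing `free(data)`. Worth checking at the call sites (not in this hunk) that when a sub-chunk is dropped the owning entry is still queued or released by the caller, since the drop path no longer frees anything for it.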
@@ -555,6 +555,7 @@ Patch0542: vfio-Add-vfio_prereg_listener_log_sync-in-nested-sta.patch Patch0543: vfio-Add-vfio_prereg_listener_log_clear-to-re-enable.patch Patch0544: vfio-Add-vfio_prereg_listener_global_log_start-stop-.patch Patch0545: hw-arm-smmuv3-Post-load-stage-1-configurations-to-th.patch +Patch0546: usbredir-fix-free-call.patch BuildRequires: flex BuildRequires: gcc @@ -949,6 +950,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Aug 16 2021 Chen Qun +- usbredir: fix free call + * Wed Aug 04 2021 Chen Qun - vfio: Support host translation granule size - vfio/migrate: Move switch of dirty tracking into vfio_memory_listener -- Gitee From f799026b2ab4a781c9c7869a8f0227f4fb78d2d0 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 Aug 2021 11:29:58 +0800 Subject: [PATCH 3/3] spec: Update release version with !185 increase release version by one Signed-off-by: Chen Qun (cherry picked from commit 0e5958c788620868a24fa106e2295ffec6bd24c8) --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index a830a30e..00215f52 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 76 +Release: 77 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
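Review bot: the %changelog entry added in the second spec hunk reads only `+- usbredir: fix free call`, while the commit subject ties this backport to CVE-2021-3682 and issue #I45H4H; put the CVE id in the changelog line (for example `- usbredir: fix free call (CVE-2021-3682)`) so the spec itself records which advisory Patch0546 addresses. The `+Patch0546: usbredir-fix-free-call.patch` line follows the existing numbering directly after Patch0545, and the Release bump 76 to 77 in the third hunk matches the new changelog entry.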
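The ownership rule the commit message describes (data may point into the middle of a larger buffer, and free_on_destroy, not data, is the pointer that may be freed) as an added C example; this is not code from the patch series or from QEMU's hw/usb/redirect.c. Every name in it (arena_alloc, arena_free, chunk_queue, chunk_push, chunk_pop, push_split, scenario) is an assumption modelled loosely on bufp_alloc(), and the hand-off of ownership to the last queued entry in push_split() is the example's own handling rather than QEMU's. A four-slot fixed arena stands in for the heap so that the pre-fix free(data) on a mid-buffer pointer shows up as a counted invalid free instead of undefined behaviour; the packet sizes and the drop trigger in scenario() are constructed for the example.

```c
/* Added example, not QEMU's code, modelling the ownership rule behind the fix:
 * an entry's data may point into the middle of a larger allocation and only the
 * entry carrying free_on_destroy owns it, so a drop must free that (NULL, a no-op,
 * for sub-chunks), never data. All names here are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Four-slot arena standing in for the heap: freeing anything but a slot base
 * is counted as invalid, where libc free() would abort or corrupt memory. */
#define SLOTS 4
static uint8_t arena[SLOTS][64];
static int used[SLOTS], invalid_frees;

static uint8_t *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!used[i]) { used[i] = 1; return arena[i]; }
    return NULL;
}
static int arena_free(void *p) {          /* 1 = valid (or NULL), 0 = invalid */
    if (!p) return 1;
    for (int i = 0; i < SLOTS; i++)
        if (p == arena[i] && used[i]) { used[i] = 0; return 1; }
    invalid_frees++;
    return 0;
}

struct chunk {
    uint8_t *data;          /* may point into the middle of an arena slot */
    void *free_on_destroy;  /* non-NULL only on the entry that owns the slot */
    struct chunk *next;
};
struct chunk_queue { struct chunk *head, *tail; size_t size, target_size; int dropping; };

/* Modelled on bufp_alloc(): past twice the target size, packets are dropped until
 * the queue is back at the target. buggy=1 reproduces the pre-fix free(data). */
static int chunk_push(struct chunk_queue *q, uint8_t *data, void *free_on_destroy, int buggy) {
    if (!q->dropping && q->size > 2 * q->target_size) q->dropping = 1;
    if (q->dropping) {
        if (q->size > q->target_size) {
            arena_free(buggy ? (void *)data : free_on_destroy);
            return -1;
        }
        q->dropping = 0;
    }
    struct chunk *c = calloc(1, sizeof *c);
    if (!c) { arena_free(free_on_destroy); return -1; }
    c->data = data; c->free_on_destroy = free_on_destroy;
    if (q->tail) q->tail->next = c; else q->head = c;
    q->tail = c; q->size++;
    return 0;
}

/* Consume the oldest entry; its buffer goes away only via free_on_destroy. */
static int chunk_pop(struct chunk_queue *q) {
    struct chunk *c = q->head;
    if (!c) return -1;
    if (!(q->head = c->next)) q->tail = NULL;
    q->size--;
    int ok = arena_free(c->free_on_destroy);
    free(c);
    return ok ? 0 : -1;
}

/* Split one received buffer into max_packet-sized entries. Ownership goes to the
 * last entry actually queued (added handling, not QEMU's): earlier entries still
 * point into buf, so it must outlive them; if none was queued, release buf now. */
static int push_split(struct chunk_queue *q, uint8_t *buf, size_t total, size_t max_packet, int buggy) {
    size_t queued = 0;
    for (size_t i = 0; i < total; i += max_packet) {
        if (chunk_push(q, buf + i, NULL, buggy) < 0) break;
        queued++;
    }
    if (queued) q->tail->free_on_destroy = buf; else arena_free(buf);
    return queued ? 0 : -1;
}

struct result { int invalid_frees, leaked; };
/* Constructed scenario: two whole packets, then a 12-byte buffer in 4-byte chunks
 * whose second chunk trips the drop path; the queue is drained and the arena audited. */
static struct result scenario(int buggy) {
    struct chunk_queue q = { .target_size = 1 };
    for (int i = 0; i < SLOTS; i++) used[i] = 0;
    invalid_frees = 0;
    for (int k = 0; k < 2; k++) {
        uint8_t *p = arena_alloc();
        chunk_push(&q, p, p, buggy);          /* a whole packet owns its slot */
    }
    push_split(&q, arena_alloc(), 12, 4, buggy);
    while (chunk_pop(&q) == 0) { }
    struct result r = { invalid_frees, 0 };
    for (int i = 0; i < SLOTS; i++) r.leaked += used[i];
    return r;
}

int main(void) {
    struct result pre = scenario(1), post = scenario(0);
    printf("pre-fix: %d invalid free(s), %d leaked slot(s)\n", pre.invalid_frees, pre.leaked);
    printf("fixed:   %d invalid free(s), %d leaked slot(s)\n", post.invalid_frees, post.leaked);
    return 0;
}
```

Running it reports one invalid free for the pre-fix drop path and none for the fixed one, with no arena slot left in use in either case because ownership was reassigned to the entry still in the queue. On the real heap the pre-fix path gives you a glibc abort or silent corruption instead of a count, which is what the patch's one-line change removes.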