yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch

4ec855
From 24ca1010222cadbfc3c734406b665e6a9775d9d9 Mon Sep 17 00:00:00 2001
4ec855
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
4ec855
Date: Tue, 1 Oct 2019 18:49:25 +0100
4ec855
Subject: [PATCH 03/21] usb: drop unnecessary usb_device_post_load checks
4ec855
4ec855
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
4ec855
Message-id: <20191001184925.29912-2-dgilbert@redhat.com>
4ec855
Patchwork-id: 90933
4ec855
O-Subject: [RHEL-8.2.0 qemu-kvm PATCH 1/1] usb: drop unnecessary usb_device_post_load checks
4ec855
Bugzilla: 1757482
4ec855
RH-Acked-by: Maxim Levitsky <mlevitsk@redhat.com>
4ec855
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
4ec855
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
4ec855
4ec855
From: Jonathan Davies <jonathan.davies@nutanix.com>
4ec855
4ec855
In usb_device_post_load, certain values of dev->setup_len or
4ec855
dev->setup_index can cause -EINVAL to be returned. One example is when
4ec855
setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf).
4ec855
This can happen through legitimate guest activity and will cause all
4ec855
subsequent attempts to migrate the guest to fail in vmstate_load_state.
4ec855
4ec855
The values of these variables can be set by USB packets originating in
4ec855
the guest. There are two ways in which they can be set: in
4ec855
do_token_setup and in do_parameter in hw/usb/core.c.
4ec855
4ec855
It is easy to craft a USB packet in a guest that causes do_token_setup
4ec855
to set setup_len to a value larger than 4096. When this has been done
4ec855
once, all subsequent attempts to migrate the VM will fail in
4ec855
usb_device_post_load until the VM is next power-cycled or a
4ec855
smaller-sized USB packet is sent to the device.
4ec855
4ec855
Sample code for achieving this in a VM started with "-device usb-tablet"
4ec855
running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096:
4ec855
4ec855
  #include <sys/types.h>
4ec855
  #include <sys/stat.h>
4ec855
  #include <fcntl.h>
4ec855
  #include <unistd.h>
4ec855
4ec855
  int main() {
4ec855
           char buf[4097];
4ec855
           int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK);
4ec855
4ec855
           buf[0] = 0x1;
4ec855
           write(fd, buf, 4097);
4ec855
4ec855
           return 0;
4ec855
  }
4ec855
4ec855
When this code is run in the VM, qemu will output:
4ec855
4ec855
  usb_generic_handle_packet: ctrl buffer too small (4097 > 4096)
4ec855
4ec855
A subsequent attempt to migrate the VM will fail and output the
4ec855
following on the destination host:
4ec855
4ec855
  qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr'
4ec855
  qemu-kvm: load of migration failed: Invalid argument
4ec855
4ec855
The idea behind checking the values of setup_len and setup_index before
4ec855
they are used is correct, but doing it in usb_device_post_load feels
4ec855
arbitrary, and will cause unnecessary migration failures. Indeed, none
4ec855
of the commit messages for c60174e8, 9f8e9895 and 719ffe1f justify why
4ec855
post_load is the right place to do these checks. They correctly point
4ec855
out that the important thing to protect is the usb_packet_copy.
4ec855
4ec855
Instead, the right place to do the checks is in do_token_setup and
4ec855
do_parameter. Indeed, there are already some checks here. We can examine
4ec855
each of the disjuncts currently tested in usb_device_post_load to see
4ec855
whether any need adding to do_token_setup or do_parameter to improve
4ec855
safety there:
4ec855
4ec855
  * dev->setup_index < 0
4ec855
     - This test is not needed because setup_index is explicitly set to
4ec855
0 in do_token_setup and do_parameter.
4ec855
4ec855
  * dev->setup_len < 0
4ec855
     - In both do_token_setup and do_parameter, the value of setup_len
4ec855
is computed by (s->setup_buf[7] << 8) | s->setup_buf[6]. Since
4ec855
s->setup_buf is a byte array and setup_len is an int32_t, it's
4ec855
impossible for this arithmetic to set setup_len's top bit, so it can
4ec855
never be negative.
4ec855
4ec855
  * dev->setup_index > dev->setup_len
4ec855
     - Since setup_index is 0, this is equivalent to the previous test,
4ec855
so is redundant.
4ec855
4ec855
  * dev->setup_len > sizeof(dev->data_buf)
4ec855
     - This condition is already explicitly checked in both
4ec855
do_token_setup and do_parameter.
4ec855
4ec855
Hence there is no need to bolster the existing checks in do_token_setup
4ec855
or do_parameter, and we can safely remove these checks from
4ec855
usb_device_post_load without reducing safety but allowing migrations to
4ec855
proceed regardless of what USB packets have been generated by the guest.
4ec855
4ec855
Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
4ec855
Message-Id: <20190107175117.23769-1-jonathan.davies@nutanix.com>
4ec855
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
4ec855
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
4ec855
(cherry picked from commit f30815390adb1ec153327c3832ab378e8bce9808)
4ec855
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
4ec855
---
4ec855
 hw/usb/bus.c | 6 ------
4ec855
 1 file changed, 6 deletions(-)
4ec855
4ec855
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
4ec855
index 11f7720..5499810 100644
4ec855
--- a/hw/usb/bus.c
4ec855
+++ b/hw/usb/bus.c
4ec855
@@ -59,12 +59,6 @@ static int usb_device_post_load(void *opaque, int version_id)
4ec855
     } else {
4ec855
         dev->attached = true;
4ec855
     }
4ec855
-    if (dev->setup_index < 0 ||
4ec855
-        dev->setup_len < 0 ||
4ec855
-        dev->setup_index > dev->setup_len ||
4ec855
-        dev->setup_len > sizeof(dev->data_buf)) {
4ec855
-        return -EINVAL;
4ec855
-    }
4ec855
     return 0;
4ec855
 }
4ec855
 
4ec855
-- 
4ec855
1.8.3.1
4ec855