[Qemu-commits] [qemu/qemu] f8224f: pvusb: set max grants only in initial


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] f8224f: pvusb: set max grants only in initialise
Date: Sun, 16 Dec 2018 04:47:46 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: f8224fb0faec9f4184b29b8158534536e6580748
  https://github.com/qemu/qemu/commit/f8224fb0faec9f4184b29b8158534536e6580748
  Author: Juergen Gross <address@hidden>
  Date:   2018-12-10 (Mon, 10 Dec 2018)

  Changed paths:
    M hw/usb/xen-usb.c

  Log Message:
  -----------
  pvusb: set max grants only in initialise

Don't call xen_be_set_max_grant_refs() in usbback_alloc(), as the
gnttabdev pointer won't be initialised yet. The call can easily be
moved to usbback_connect().

Signed-off-by: Juergen Gross <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 5621d0453c60ce4fc104a9795791d6402386c3b3
  https://github.com/qemu/qemu/commit/5621d0453c60ce4fc104a9795791d6402386c3b3
  Author: linzhecheng <address@hidden>
  Date:   2018-12-10 (Mon, 10 Dec 2018)

  Changed paths:
    M hw/usb/host-libusb.c

  Log Message:
  -----------
  usb-host: reset and close libusb_device_handle before qemu exit

We should perform these things the same as in usb_host_close.

Signed-off-by: linzhecheng <address@hidden>
Message-id: address@hidden

[ kraxel: whitespace fixup ]

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: b7d3a7e1a8830af78e71952e82f186b12b70ff1f
  https://github.com/qemu/qemu/commit/b7d3a7e1a8830af78e71952e82f186b12b70ff1f
  Author: Gerd Hoffmann <address@hidden>
  Date:   2018-12-10 (Mon, 10 Dec 2018)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  ehci: fix fetch qtd race

The token field contains the (guest-filled) state of the qtd, which
indicates whether the other fields are valid or not.  So make sure
we read the token first, otherwise we may end up with a stale next
pointer:

  (1) ehci reads next
  (2) guest writes next
  (3) guest writes token
  (4) ehci reads token
  (5) ehci operates with stale next.

Typical effect is that qemu doesn't notice that the guest appends new
qtds to the end of the queue.  Looks like the usb device stopped
responding.  Linux can recover from that, but leaves a message in the
kernel log that it did reset the usb device in question.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
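The five-step interleaving above can be checked exhaustively. The following is an added example, not code from QEMU's hcd-ehci.c: it models the two guest-visible qTD fields, lets the guest write `next` then `token` (as the commit assumes), enumerates every interleaving with the controller's two reads, and counts those where the controller would act on an active token while holding the old `next`. The bit position of the active flag and the link values are assumed for the model; real hardware memory ordering is ignored.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define QTD_ACTIVE 0x80000000u   /* assumed position of the token's "active" bit */
#define OLD_NEXT   0x00000001u   /* old link value: queue terminates here */
#define NEW_NEXT   0x00002000u   /* constructed address of the qTD the guest appends */

struct qtd { uint32_t next; uint32_t token; };   /* the two guest-memory fields modelled */

/* Guest side: fills in next first and only then marks the token active. */
static void guest_write(struct qtd *q, int n)
{
    if (n == 0) q->next = NEW_NEXT; else q->token = QTD_ACTIVE;
}

/* Controller side: read the two fields, in the chosen order, into a snapshot. */
static void hc_read(const struct qtd *q, struct qtd *snap, bool token_first, int n)
{
    if ((n == 0) == token_first) snap->token = q->token; else snap->next = q->next;
}

/* Run every interleaving of the two guest writes and the two controller reads
 * (each side keeps its own order) and count those where the controller would
 * act on an active token while still holding the old next pointer. */
int count_stale_interleavings(bool token_first)
{
    int stale = 0;
    for (unsigned mask = 0; mask < 16; mask++) {   /* bit i set: event i is a guest write */
        if ((mask & 1) + ((mask >> 1) & 1) + ((mask >> 2) & 1) + ((mask >> 3) & 1) != 2) continue;
        struct qtd q = { OLD_NEXT, 0 }, snap = { 0, 0 };
        int g = 0, h = 0;
        for (int i = 0; i < 4; i++) {
            if (mask & (1u << i)) guest_write(&q, g++); else hc_read(&q, &snap, token_first, h++);
        }
        if ((snap.token & QTD_ACTIVE) && snap.next != NEW_NEXT) stale++;
    }
    return stale;
}

int main(void)
{
    printf("next then token: %d stale interleaving(s)\n", count_stale_interleavings(false));
    printf("token then next: %d stale interleaving(s)\n", count_stale_interleavings(true));
    return 0;
}
```

Reading `next` first leaves exactly one interleaving (steps 1 to 5 in the message) where an active token is paired with the old pointer; reading the token first leaves none, because any read that sees the token active happens after both guest writes.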


  Commit: bab9df35ce73d1c8e19a37e2737717ea1c984dc1
  https://github.com/qemu/qemu/commit/bab9df35ce73d1c8e19a37e2737717ea1c984dc1
  Author: Gerd Hoffmann <address@hidden>
  Date:   2018-12-14 (Fri, 14 Dec 2018)

  Changed paths:
    M hw/usb/dev-mtp.c

  Log Message:
  -----------
  usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

Open files and directories with O_NOFOLLOW to avoid symlink attacks.
While at it, also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Fixes: CVE-2018-16872
Cc: Prasad J Pandit <address@hidden>
Cc: Bandan Das <address@hidden>
Reported-by: Michael Hanselmann <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Michael Hanselmann <address@hidden>
Message-id: address@hidden
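The open pattern the commit describes, as an added example that is not QEMU's dev-mtp.c code: a helper that opens relative to a directory fd with O_NOFOLLOW and O_CLOEXEC, keeps only regular files and directories, and a self-check that builds a constructed temp directory with a file and a symlink and confirms the symlink is refused rather than followed. The helper name, the error value for special files and the /tmp location are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` under `dirfd` without following a final-component symlink and
 * with close-on-exec set.  Only regular files and directories are accepted;
 * anything else is closed again and reported as an error.  Returns an fd, or
 * -1 with errno set (a symlink gives ELOOP on Linux, EMLINK on FreeBSD). */
int open_nofollow(int dirfd, const char *name, int flags)
{
    struct stat st;
    int fd = openat(dirfd, name, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
        close(fd);
        errno = EINVAL;   /* hypothetical choice: special files are rejected */
        return -1;
    }
    return fd;
}

/* Self-check on constructed input: a temp dir holding a regular file and a
 * symlink to it.  Returns 1 if the file opens but the symlink is refused
 * because it is a symlink, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    int ok = 0, fd, dfd = -1;
    if (!mkdtemp(dir)) return 0;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) goto out;
    fd = openat(dfd, "plain.txt", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0 || close(fd) < 0 || symlinkat("plain.txt", dfd, "link") < 0) goto out;
    fd = open_nofollow(dfd, "plain.txt", O_RDONLY);
    if (fd < 0) goto out;
    close(fd);
    fd = open_nofollow(dfd, "link", O_RDONLY);
    ok = (fd < 0 && (errno == ELOOP || errno == EMLINK));
    if (fd >= 0) close(fd);
out:
    if (dfd >= 0) { unlinkat(dfd, "link", 0); unlinkat(dfd, "plain.txt", 0); close(dfd); }
    rmdir(dir);
    return ok;
}
```

Calling demo_symlink_refused() from a main() returns 1 on a Linux or BSD host with a writable /tmp. The fstat after the open is what makes the check race-free: it inspects the object actually opened, not a path that could have been swapped in the meantime.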


  Commit: 90c1a74271ce4667d16eeca575dfa78a6c7d465c
  https://github.com/qemu/qemu/commit/90c1a74271ce4667d16eeca575dfa78a6c7d465c
  Author: Michael Hanselmann <address@hidden>
  Date:   2018-12-14 (Fri, 14 Dec 2018)

  Changed paths:
    M hw/usb/dev-mtp.c

  Log Message:
  -----------
  usb-mtp: Limit filename to object information size

The filename length in MTP metadata is specified by the guest. By
trusting it directly, it'd theoretically be possible to get the host to
write memory parts outside the filename buffer into a filename. In
practice, though, there are usually NUL bytes stopping the string
operations.

Also use the opportunity to not assign the filename member twice.

Signed-off-by: Michael Hanselmann <address@hidden>
Message-id: address@hidden

[ kraxel: codestyle fix: break a long line ]

Signed-off-by: Gerd Hoffmann <address@hidden>
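The bound the commit describes, as an added example modelled on the commit message rather than taken from QEMU's dev-mtp.c: a PTP/MTP string decoder that checks the guest-supplied character count against the bytes actually present in the ObjectInfo dataset before reading any of them, plus a constructed dataset builder so the honest and the oversized cases can be exercised. The 52-byte size of the fixed ObjectInfo fields, the function names and the 128-byte buffer are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define OBJINFO_FIXED 52   /* assumed size of the fixed ObjectInfo fields before the filename */

/* Decode the PTP/MTP string (a count byte, then that many UCS-2LE units, the last
 * one NUL) at `off` in a `len`-byte dataset.  The count is guest-supplied, so it is
 * bounded by the bytes actually present before any are read.  Returns a malloc'd
 * string (non-ASCII units become '?') or NULL if the count overruns the dataset. */
char *mtp_get_string(const uint8_t *data, size_t len, size_t off)
{
    if (off >= len) return NULL;
    size_t count = data[off];                      /* guest-controlled length */
    if (count * 2 > len - off - 1) return NULL;    /* the bound the fix adds */
    char *out = malloc(count + 1);
    if (!out) return NULL;
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        uint16_t cu = (uint16_t)(data[off + 1 + 2 * i] | (data[off + 2 + 2 * i] << 8));
        if (cu == 0) break;                        /* terminator, normally the last unit */
        out[n++] = cu < 0x80 ? (char)cu : '?';
    }
    out[n] = '\0';
    return out;
}

/* Constructed dataset: zeroed fixed fields, then `name` as UCS-2LE plus NUL, but
 * with the count byte set to `claimed`.  Returns bytes written, 0 if `cap` is small. */
size_t build_objectinfo(uint8_t *buf, size_t cap, const char *name, uint8_t claimed)
{
    size_t off = OBJINFO_FIXED, l = strlen(name);
    if (cap < off + 1 + 2 * (l + 1)) return 0;
    memset(buf, 0, off);
    buf[off++] = claimed;
    for (size_t i = 0; i < l; i++) { buf[off++] = (uint8_t)name[i]; buf[off++] = 0; }
    buf[off++] = 0; buf[off++] = 0;
    return off;
}

/* 1 if a dataset advertising `claimed` units for `name` decodes back to `name`,
 * 0 if the decoder rejects it, -1 if it decodes to something else. */
int check_claimed_count(const char *name, uint8_t claimed)
{
    uint8_t buf[128];
    size_t n = build_objectinfo(buf, sizeof buf, name, claimed);
    char *s = mtp_get_string(buf, n, OBJINFO_FIXED);
    int r = s ? (strcmp(s, name) == 0 ? 1 : -1) : 0;
    free(s);
    return r;
}
```

An honest count of 6 for "a.txt" (five characters plus NUL) decodes cleanly, a count of 255 is rejected because 510 bytes are not in the dataset, and a too-small count simply truncates, which is harmless.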


  Commit: 3866e6bebd0cd498e684f1d3ab10b64c853d186f
  https://github.com/qemu/qemu/commit/3866e6bebd0cd498e684f1d3ab10b64c853d186f
  Author: Peter Maydell <address@hidden>
  Date:   2018-12-16 (Sun, 16 Dec 2018)

  Changed paths:
    M hw/usb/dev-mtp.c
    M hw/usb/hcd-ehci.c
    M hw/usb/host-libusb.c
    M hw/usb/xen-usb.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/usb-20181214-pull-request' into staging

usb: fixes for mtp, ehci, usb-host and pvusb (xen).

# gpg: Signature made Fri 14 Dec 2018 10:38:33 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20181214-pull-request:
  usb-mtp: Limit filename to object information size
  usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  ehci: fix fetch qtd race
  usb-host: reset and close libusb_device_handle before qemu exit
  pvusb: set max grants only in initialise

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/81781be3c992...3866e6bebd0c