1. 14 Dec 2018, 2 commits
    • usb-mtp: Limit filename to object information size · 90c1a742
      Michael Hanselmann committed
      The filename length in MTP metadata is specified by the guest. By
      trusting it directly it'd theoretically be possible to get the host to
      write memory parts outside the filename buffer into a filename. In
      practice though there are usually NUL bytes stopping the string
      operations.
      
      Also use the opportunity to not assign the filename member twice.
      Signed-off-by: Michael Hanselmann <public@hansmi.ch>
      Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch
      
      [ kraxel: codestyle fix: break a long line ]
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    • usb-mtp: use O_NOFOLLOW and O_CLOEXEC. · bab9df35
      Gerd Hoffmann committed
      Open files and directories with O_NOFOLLOW to avoid symlink attacks.
      While at it, also add O_CLOEXEC.
      
      usb-mtp only handles regular files and directories and ignores
      everything else, so users should not see a difference.
      
      Because qemu ignores symlinks, carrying out a successful symlink attack
      requires swapping an existing file or directory below rootdir for a
      symlink and winning the race against the inotify notification to qemu.
      
      Fixes: CVE-2018-16872
      Cc: Prasad J Pandit <ppandit@redhat.com>
      Cc: Bandan Das <bsd@redhat.com>
      Reported-by: Michael Hanselmann <public@hansmi.ch>
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Reviewed-by: Michael Hanselmann <public@hansmi.ch>
      Message-id: 20181213122511.13853-1-kraxel@redhat.com
  2. 13 Dec 2018, 1 commit
  3. 10 Dec 2018, 3 commits
  4. 04 Dec 2018, 2 commits
  5. 27 Nov 2018, 2 commits
  6. 29 Oct 2018, 3 commits
  7. 19 Oct 2018, 1 commit
    • error: Fix use of error_prepend() with &error_fatal, &error_abort · 4b576648
      Markus Armbruster committed
      From include/qapi/error.h:
      
        * Pass an existing error to the caller with the message modified:
        *     error_propagate(errp, err);
        *     error_prepend(errp, "Could not frobnicate '%s': ", name);
      
      Fei Li pointed out that doing error_propagate() first doesn't work
      well when @errp is &error_fatal or &error_abort: the error_prepend()
      is never reached.
      
      Since I doubt fixing the documentation will stop people from getting
      it wrong, introduce error_propagate_prepend(), in the hope that it
      lures people away from using its constituents in the wrong order.
      Update the instructions in error.h accordingly.
      
      Convert existing error_prepend() next to error_propagate to
      error_propagate_prepend().  If any of these get reached with
      &error_fatal or &error_abort, the error messages improve.  I didn't
      check whether that's the case anywhere.
      
      Cc: Fei Li <fli@suse.com>
      Signed-off-by: Markus Armbruster <armbru@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Message-Id: <20181017082702.5581-2-armbru@redhat.com>
  8. 01 Oct 2018, 4 commits
  9. 21 Aug 2018, 6 commits
  10. 15 Aug 2018, 1 commit
  11. 10 Jul 2018, 1 commit
  12. 03 Jul 2018, 2 commits
    • xhci: fix guest-triggerable assert · 8f36ec70
      Gerd Hoffmann committed
      Set xhci into error state instead of throwing a core dump.
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 20180702162752.29233-1-kraxel@redhat.com
    • ehci: Don't fetch a NULL current qtd but advance the queue instead. · 8bb01b25
      Sebastian Bauer committed
      Fetching a qtd with the NULL address most likely makes no sense, so from now
      on we handle this case similarly as if the terminate (T) bit is not
      set, which is already an exception as, according to section 3.6 of the EHCI
      spec, there is no T bit defined for the current_qtd field.
      
      The spec is a bit vague on how an EHCI driver should initialize these
      fields: "The general operational model is that the host controller can
      detect whether the overlay area contains a description of an active
      transfer" (p. 49). QEMU primarily uses the QTD_TOKEN_ACTIVE bit of the
      queue header to infer the activity state but there are other ways
      conceivable.
      
      This change allows QEMU to boot further into AmigaOS. The publicly available
      version of the EHCI driver recycles queue heads in some rare conditions but
      only clears the current_qtd field and not the status field. This works with
      many available EHCI PCI cards but not, e.g., with the Freescale USB
      controllers found on the P5040. On the emulated EHCI controller of QEMU
      the consequence is that some garbage was read in, which resulted in a
      reset of the controller. This change fixes the problem.
      Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
      Tested-by: BALATON Zoltan <balaton@eik.bme.hu>
      Message-id: 20180625222718.4488-1-mail@sebastianbauer.info
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  13. 02 Jul 2018, 1 commit
  14. 29 Jun 2018, 1 commit
  15. 18 Jun 2018, 2 commits
  16. 15 Jun 2018, 1 commit
  17. 13 Jun 2018, 1 commit
  18. 12 Jun 2018, 4 commits
  19. 02 Jun 2018, 1 commit
  20. 01 Jun 2018, 1 commit