From 4f50d4a48e0caa1aad591f3ca437502e33b8699d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volker=20R=C3=BCmelin?= Date: Tue, 7 Jul 2020 20:08:36 +0200 Subject: [PATCH 1/4] ossaudio: fix out of bounds write MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In function oss_read() a read error currently does not exit the read loop. With no data to read the variable pos will quickly underflow and a subsequent successful read overwrites memory outside the buffer. This patch adds the missing break statement to the error path of the function. To reproduce start qemu with -audiodev oss,id=audio0 and in the guest start audio recording. After some time this will trigger an exception. Fixes: 3ba4066d08 "ossaudio: port to the new audio backend api" Signed-off-by: Volker Rümelin Message-id: 20200707180836.5435-1-vr_qemu@t-online.de Signed-off-by: Gerd Hoffmann --- audio/ossaudio.c | 1 + 1 file changed, 1 insertion(+) diff --git a/audio/ossaudio.c b/audio/ossaudio.c index f88d076ec2..a7dcaa31ad 100644 --- a/audio/ossaudio.c +++ b/audio/ossaudio.c @@ -691,6 +691,7 @@ static size_t oss_read(HWVoiceIn *hw, void *buf, size_t len) len, dst); break; } + break; } pos += nread; From 480324ec8d76582fa1c367cc9a0fdb653d4ea96e Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Fri, 10 Jul 2020 08:55:20 +0200 Subject: [PATCH 2/4] docs/qdev-device-use: Clean up the sentences related to -usbdevice Most of the -usbdevice paramaters have been removed already. Update the doc accordingly. Signed-off-by: Thomas Huth Message-id: 20200710065520.24784-1-thuth@redhat.com Signed-off-by: Gerd Hoffmann --- docs/qdev-device-use.txt | 28 +++------------------------- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/docs/qdev-device-use.txt b/docs/qdev-device-use.txt index 4bbbcf561f..f8d0d2fe29 100644 --- a/docs/qdev-device-use.txt +++ b/docs/qdev-device-use.txt 
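Review bot: In the oss_read hunk (audio/ossaudio.c) the added `break;` sits one line below a `break;` that only leaves the inner block, and nothing in the code tells the two apart. A short comment on the new line would make it harder to drop again, e.g. `break; /* leave the read loop: nread is -1 and must not reach pos += nread */`. The loop header is outside the hunk, so the following is inferred: if the loop ends only when len reaches zero, a read() that returns 0 also makes no progress and may need the same exit. The body of oss_read starts and ends outside the hunk.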
@@ -125,12 +125,7 @@ The -device argument differs in detail for each type of drive: * if=pflash, if=mtd, if=sd, if=xen are not yet available with -device -For USB devices, the old way is actually different: - - -usbdevice disk:format=FMT:FILENAME - -Provides much less control than -drive's OPTS... The new way fixes -that: +For USB storage devices, you can use something like: -device usb-storage,drive=DRIVE-ID,removable=RMB @@ -177,8 +172,6 @@ The appropriate DEVNAME depends on the machine type. For type "pc": This lets you control I/O ports and IRQs. -* -usbdevice serial::chardev becomes -device usb-serial,chardev=dev. - * -usbdevice braille doesn't support LEGACY-CHARDEV syntax. It always uses "braille". With -device, this useful default is gone, so you have to use something like @@ -238,10 +231,6 @@ The old way to define the guest part looks like this: -net nic,netdev=NET-ID,macaddr=MACADDR,model=MODEL,name=ID,addr=STR,vectors=V -Except for USB it looks like this: - - -usbdevice net:netdev=NET-ID,macaddr=MACADDR,name=ID - The new way is -device: -device DEVNAME,netdev=NET-ID,mac=MACADDR,DEV-OPTS... @@ -336,12 +325,7 @@ The new way is -device DEVNAME,DEV-OPTS... Details depend on DRIVER: * mouse -device usb-mouse * tablet -device usb-tablet * wacom-tablet -device usb-wacom-tablet -* host:... See "Host Device Assignment" -* disk:... See "Block Devices" -* serial:... See "Character Devices" * braille See "Character Devices" -* net:... See "Network Devices" -* bt:... not yet available with -device === Watchdog Devices === 
@@ -358,17 +342,11 @@ and host USB devices. PCI devices can only be assigned with -device: -device vfio-pci,host=ADDR,id=ID -The old way to assign a host USB device is - - -usbdevice host:auto:BUS.ADDR:VID:PRID - -where any of BUS, ADDR, VID, PRID can be the wildcard *. - -The new way is +To assign a host USB device use: -device usb-host,hostbus=BUS,hostaddr=ADDR,vendorid=VID,productid=PRID -Omitted options match anything, just like the old way's wildcard. +Omitted options match anything. === Default Devices === From 185951817dede3dfe4eb1c4c6d262607bee605ef Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 1 Jul 2020 20:18:01 +0200 Subject: [PATCH 3/4] ui: fix vc_chr_write call in text_console_do_init In case the string doesn't fit into the buffer snprintf returns the size it would need, so len can be larger than the buffer. Fix this by simply using g_strdup_printf() instead of a static buffer. Reported-by: Wenxiang Qian Signed-off-by: Gerd Hoffmann Message-id: 20200701181801.27935-1-kraxel@redhat.com --- ui/console.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ui/console.c b/ui/console.c index 08f75c9bf6..0579be792f 100644 --- a/ui/console.c +++ b/ui/console.c @@ -2184,12 +2184,12 @@ static void text_console_do_init(Chardev *chr, DisplayState *ds) text_console_resize(s); if (chr->label) { - char msg[128]; - int len; + char *msg; s->t_attrib.bgcol = QEMU_COLOR_BLUE; - len = snprintf(msg, sizeof(msg), "%s console\r\n", chr->label); - vc_chr_write(chr, (uint8_t *)msg, len); + msg = g_strdup_printf("%s console\r\n", chr->label); + vc_chr_write(chr, (uint8_t *)msg, strlen(msg)); + g_free(msg); s->t_attrib = s->t_attrib_default; } From 631009e775a91018a62e2670b4473e99916f858f Mon Sep 17 00:00:00 2001 
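Review bot: In text_console_do_init (ui/console.c) the new `g_strdup_printf()` / `strlen(msg)` pair has no comment saying why the stack buffer was dropped, so a later cleanup could bring back the `snprintf` return value as the write length. A one-line comment above the allocation would record it, e.g. `/* format on the heap: snprintf() returns the untruncated length, which may exceed the buffer */`. The removed code passed an `int len`, which suggests vc_chr_write takes an int length (its prototype is not in the hunk); `strlen(msg)` is a size_t, so the narrowing is now implicit and could be made explicit. As a style point, `g_autofree char *msg = g_strdup_printf("%s console\r\n", chr->label);` would remove the manual `g_free(msg);`. The function continues outside the hunk.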
From: Gerd Hoffmann Date: Wed, 24 Jun 2020 15:45:10 +0200 Subject: [PATCH 4/4] usb: fix usb-host build on windows. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Seems the new API is not available on windows. Update #ifdefs accordingly. Fixes: 9f815e83e983 ("usb: add hostdevice property to usb-host") Reported-by: Howard Spoelstra Signed-off-by: Gerd Hoffmann Reviewed-by: Philippe Mathieu-Daudé Tested-by: Howard Spoelstra Message-id: 20200624134510.9381-1-kraxel@redhat.com --- hw/usb/host-libusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c index ad7ed8fb0c..c474551d84 100644 --- a/hw/usb/host-libusb.c +++ b/hw/usb/host-libusb.c @@ -907,7 +907,7 @@ static int usb_host_open(USBHostDevice *s, libusb_device *dev, int hostfd) goto fail; } } else { -#if LIBUSB_API_VERSION >= 0x01000107 +#if LIBUSB_API_VERSION >= 0x01000107 && !defined(CONFIG_WIN32) trace_usb_host_open_hostfd(hostfd); rc = libusb_wrap_sys_device(ctx, hostfd, &s->dh); @@ -1107,7 +1107,7 @@ static void usb_host_realize(USBDevice *udev, Error **errp) QTAILQ_INIT(&s->isorings); s->hostfd = -1; -#if LIBUSB_API_VERSION >= 0x01000107 +#if LIBUSB_API_VERSION >= 0x01000107 && !defined(CONFIG_WIN32) if (s->hostdevice) { int fd; s->needs_autoscan = false;
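Review bot: The condition `LIBUSB_API_VERSION >= 0x01000107 && !defined(CONFIG_WIN32)` is now spelled out twice in hw/usb/host-libusb.c, once in usb_host_open and once in usb_host_realize, and the two copies can drift apart on the next platform fix. Evaluating it once near the top of the file and defining a file-local feature macro (name is a suggestion, e.g. `HAVE_LIBUSB_WRAP_SYS_DEVICE`), then testing that macro with `#ifdef` in both places, keeps them in sync. It would also help to add a comment there saying that libusb_wrap_sys_device() is unavailable on Windows, as the commit message reports. Whether the hostdevice property is still registered on Windows builds is not visible in these hunks; if it is, setting it would be silently ignored with this guard, and reporting an error through `errp` in usb_host_realize would be clearer. Both functions start and end outside their hunks.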