* [Qemu-devel] [PULL 1/3] input: limit kbd queue depth
From: Gerd Hoffmann @ 2017-05-04 5:50 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann, P J P, Huawei PSIRT
Apply a limit to the number of items we accept into the keyboard queue.
Impact: Without this limit vnc clients can exhaust host memory by
sending keyboard events faster than qemu feeds them to the guest.
Fixes: CVE-2017-8379
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170428084237.23960-1-kraxel@redhat.com
---
ui/input.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
QTAILQ_HEAD_INITIALIZER(kbd_queue);
static QEMUTimer *kbd_timer;
static uint32_t kbd_default_delay_ms = 10;
+static uint32_t queue_count;
+static uint32_t queue_limit = 1024;
QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
QemuInputHandler *handler)
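Review bot: `queue_limit` is declared as a mutable `static uint32_t` but nothing in this patch assigns to it, so `static const uint32_t queue_limit = 1024;` (or a `#define`) states the intent, and the choice of 1024 deserves a comment since it is now the only bound on kbd_queue memory. A comment that `queue_count` tracks `kbd_queue` alone would also help: the `qemu_input_queue_*` helpers below take a generic `queue` argument, so a second queue head would silently share the same counter.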
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
break;
}
QTAILQ_REMOVE(queue, item, node);
+ queue_count--;
g_free(item);
}
}
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
item->delay_ms = delay_ms;
item->timer = timer;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
if (start_timer) {
timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
item->src = src;
item->evt = evt;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
item->type = QEMU_INPUT_QUEUE_SYNC;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
qemu_input_event_send(src, evt);
qemu_input_event_sync();
qapi_free_InputEvent(evt);
- } else {
+ } else if (queue_count < queue_limit) {
qemu_input_queue_event(&kbd_queue, src, evt);
qemu_input_queue_sync(&kbd_queue);
}
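Review bot: the new `else if` leaves `evt` unowned when `queue_count >= queue_limit`. The first branch frees it with `qapi_free_InputEvent(evt)` and the second hands it to `qemu_input_queue_event()`, but a key dropped by the limit is neither queued nor freed, so the flood this patch defends against now leaks one InputEvent per discarded key; add `else { qapi_free_InputEvent(evt); }`. The check also admits two items (event plus sync) once `queue_count == queue_limit - 1`, so the effective depth is `queue_limit + 1`; harmless, but worth a comment.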
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
&kbd_queue);
}
- qemu_input_queue_delay(&kbd_queue, kbd_timer,
- delay_ms ? delay_ms : kbd_default_delay_ms);
+ if (queue_count < queue_limit) {
+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
+ delay_ms ? delay_ms : kbd_default_delay_ms);
+ }
}
InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
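Review bot: a delay dropped because the queue is full is discarded silently, which changes the key timing seen by the guest without any diagnostic; a trace event on the drop path (the series adds one for the empty-queue case in 3/3) would let an operator correlate a saturated queue with a misbehaving client. Note that `kbd_timer` is still created above even when the delay is then not queued; that is fine, but a one-line comment would save the next reader from wondering.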
--
2.9.3
* [Qemu-devel] [PULL 2/3] input: don't queue delay if paused
From: Gerd Hoffmann @ 2017-05-04 5:50 UTC (permalink / raw)
To: qemu-devel; +Cc: Marc-André Lureau, Gerd Hoffmann
From: Marc-André Lureau <marcandre.lureau@redhat.com>
qemu_input_event_send() discards key events when the guest is paused,
but not the delay.
The delay ends up in the input queue, and qemu_input_event_send_key()
will further fill the queue with upcoming events.
VNC uses qemu_input_event_send_key_delay(), not SPICE, which results
in a different input behaviour on pause: VNC will queue the events
(except the first that is discarded), SPICE will discard all events.
Don't queue delay if paused, and provide the same behaviour on SPICE and
VNC clients on resume (and potentially avoid over-allocating the
buffer queue).
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1444326
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20170425130520.31819-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/input.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ui/input.c b/ui/input.c
index fb1f404095..830f912f99 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -411,6 +411,10 @@ void qemu_input_event_send_key_qcode(QemuConsole *src, QKeyCode q, bool down)
void qemu_input_event_send_key_delay(uint32_t delay_ms)
{
+ if (!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)) {
+ return;
+ }
+
if (!kbd_timer) {
kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
&kbd_queue);
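Review bot: the condition `!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)` duplicates the pause check the commit message attributes to qemu_input_event_send(); factor it into a small static helper so the two call sites cannot drift apart. The early return sits before the `kbd_timer` creation, so a paused guest never allocates the timer, which is the intended effect; a comment saying why a delay is dropped rather than deferred until resume would help the next reader.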
--
2.9.3
* Re: [Qemu-devel] [PULL 0/3] input patch queue
From: Stefan Hajnoczi @ 2017-05-05 15:44 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: qemu-devel
On Thu, May 04, 2017 at 07:50:37AM +0200, Gerd Hoffmann wrote:
> Hi,
>
> Input patch queue, with a new tracepoint and two bugfixes (one of them
> cve).
>
> please pull,
> Gerd
>
> The following changes since commit e619b14746e5d8c0e53061661fd0e1da01fd4d60:
>
> Merge remote-tracking branch 'sthibault/tags/samuel-thibault' into staging (2017-05-02 15:16:29 +0100)
>
> are available in the git repository at:
>
> git://git.kraxel.org/qemu tags/pull-input-20170504-1
>
> for you to fetch changes up to 2222e0a633070f7f3eafcc9d0e95e7f1a4e6fe36:
>
> input: Add trace event for empty keyboard queue (2017-05-03 14:20:12 +0200)
>
> ----------------------------------------------------------------
> input: limit kbd queue depth
> input: don't queue delay if paused
> input: Add trace event for empty keyboard queue
>
> ----------------------------------------------------------------
> Alexander Graf (1):
> input: Add trace event for empty keyboard queue
>
> Gerd Hoffmann (1):
> input: limit kbd queue depth
>
> Marc-André Lureau (1):
> input: don't queue delay if paused
>
> hw/input/hid.c | 4 ++++
> ui/input.c | 18 +++++++++++++++---
> hw/input/trace-events | 1 +
> 3 files changed, 20 insertions(+), 3 deletions(-)
>
Thanks, applied to my staging tree:
https://github.com/stefanha/qemu/commits/staging
Stefan