diff options
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-8379.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8379.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch deleted file mode 100644 index 200b133d3e..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8379.patch +++ /dev/null @@ -1,98 +0,0 @@ -Fix CVE-2017-8379: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc - -From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 28 Apr 2017 10:42:37 +0200 -Subject: [PATCH] input: limit kbd queue depth - -Apply a limit to the number of items we accept into the keyboard queue. - -Impact: Without this limit vnc clients can exhaust host memory by -sending keyboard events faster than qemu feeds them to the guest. - -Fixes: CVE-2017-8379 -Cc: P J P <ppandit@redhat.com> -Cc: Huawei PSIRT <PSIRT@huawei.com> -Reported-by: jiangxin1@huawei.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 20170428084237.23960-1-kraxel@redhat.com ---- - ui/input.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ui/input.c b/ui/input.c -index ed88cda6d6..fb1f404095 100644 ---- a/ui/input.c -+++ b/ui/input.c -@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = - QTAILQ_HEAD_INITIALIZER(kbd_queue); - static QEMUTimer *kbd_timer; - static uint32_t kbd_default_delay_ms = 10; -+static uint32_t queue_count; -+static uint32_t queue_limit = 1024; - - QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, - QemuInputHandler *handler) -@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) - break; - } - QTAILQ_REMOVE(queue, item, node); -+ queue_count--; - g_free(item); - } - } -@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, - item->delay_ms = delay_ms; - item->timer = timer; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - - if (start_timer) { - timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) -@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, - item->src = src; - item->evt = evt; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) -@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) - - item->type = QEMU_INPUT_QUEUE_SYNC; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) -@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) - qemu_input_event_send(src, evt); - qemu_input_event_sync(); - qapi_free_InputEvent(evt); -- } else { -+ } else if (queue_count < queue_limit) { - qemu_input_queue_event(&kbd_queue, src, evt); - qemu_input_queue_sync(&kbd_queue); - } -@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) - kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, - &kbd_queue); - } -- qemu_input_queue_delay(&kbd_queue, kbd_timer, -- delay_ms ? delay_ms : kbd_default_delay_ms); -+ if (queue_count < queue_limit) { -+ qemu_input_queue_delay(&kbd_queue, kbd_timer, -+ delay_ms ? delay_ms : kbd_default_delay_ms); -+ } - } - - InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) --- -2.13.0 - |