From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Fri, 28 Apr 2017 10:42:37 +0200
Subject: [PATCH 1/3] input: limit kbd queue depth

Apply a limit to the number of items we accept into the keyboard queue.

Impact: Without this limit vnc clients can exhaust host memory by sending keyboard events faster than qemu feeds them to the guest.

Fixes: CVE-2017-8379
Cc: P J P
Cc: Huawei PSIRT
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann
Message-id: 20170428084237.23960-1-kraxel@redhat.com
---
 ui/input.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
 QTAILQ_HEAD_INITIALIZER(kbd_queue);
 static QEMUTimer *kbd_timer;
 static uint32_t kbd_default_delay_ms = 10;
+static uint32_t queue_count;
+static uint32_t queue_limit = 1024;
 
 QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
 QemuInputHandler *handler)
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
 break;
 }
 QTAILQ_REMOVE(queue, item, node);
+ queue_count--;
 g_free(item);
 }
 }
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
 item->delay_ms = delay_ms;
 item->timer = timer;
 QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
 if (start_timer) {
 timer_mod(item->timer,
 qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
 item->src = src;
 item->evt = evt;
 QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
 }
 
 static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
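Review bot: `queue_limit` is never assigned after its initializer anywhere in this patch, so it should be a compile-time constant rather than a writable file-scope global, e.g. `enum { QUEUE_LIMIT = 1024 };` or `static const uint32_t queue_limit = 1024;`. `queue_count` is likewise a single file-scope counter, while the helpers in the following hunks take the queue as a parameter, so any second queue passed to them would share this one count. If only `kbd_queue` is ever queued, a comment such as `/* depth of kbd_queue; bounds the memory a remote client can pin with key events */` would make that coupling explicit for the next maintainer.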
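Review bot: `queue_count--` is added only to the `QTAILQ_REMOVE` inside the loop of qemu_input_queue_process, so any other removal in that function — it starts outside this hunk, and the lines above the hunk presumably pop the leading delay item before the loop — would leave the counter one above the real queue depth. Because the delay, event and sync insertions in the other hunks all increment the same counter, such a drift accumulates until `queue_count` reaches `queue_limit`, after which every later key is dropped and the keyboard silently stops working. Every `QTAILQ_REMOVE(queue, item, node);` in the function should be paired with `queue_count--;`, or better, the pair folded into one small static helper so the count cannot diverge from the list.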
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
 
 item->type = QEMU_INPUT_QUEUE_SYNC;
 QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
 }
 
 void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
 qemu_input_event_send(src, evt);
 qemu_input_event_sync();
 qapi_free_InputEvent(evt);
- } else {
+ } else if (queue_count < queue_limit) {
 qemu_input_queue_event(&kbd_queue, src, evt);
 qemu_input_queue_sync(&kbd_queue);
 }
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
 kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
 &kbd_queue);
 }
- qemu_input_queue_delay(&kbd_queue, kbd_timer,
- delay_ms ? delay_ms : kbd_default_delay_ms);
+ if (queue_count < queue_limit) {
+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
+ delay_ms ? delay_ms : kbd_default_delay_ms);
+ }
 }
 
 InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)

From 05c6638b203fd7d8bbfa88ac6e6198e32ed0506f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 25 Apr 2017 17:05:20 +0400
Subject: [PATCH 2/3] input: don't queue delay if paused
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

qemu_input_event_send() discards key event when the guest is paused, but not the delay. The delay ends up in the input queue, and qemu_input_event_send_key() will further fill the queue with upcoming events.

VNC uses qemu_input_event_send_key_delay(), not SPICE, which results in a different input behaviour on pause: VNC will queue the events (except the first that is discarded), SPICE will discard all events.

Don't queue delay if paused, and provide same behaviour on SPICE and VNC clients on resume (and potentially avoid over-allocating the buffer queue)

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1444326
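Review bot: On the new `} else if (queue_count < queue_limit) {` path in qemu_input_event_send_key, an `evt` that arrives while the limit is reached is neither queued nor released, although the first branch shows it is an owned allocation freed with `qapi_free_InputEvent(evt)`; unless a caller frees it (the function begins outside the hunk), every key event dropped by the limit leaks, so a client that keeps the queue full can still grow host memory, one event at a time, on the exact path this fix adds. Add a final branch `} else { qapi_free_InputEvent(evt); }`. The check is also made before two items are inserted (`qemu_input_queue_event` and `qemu_input_queue_sync`), so the depth can reach queue_limit + 1; harmless for a bound, but worth a one-line comment. The qemu_input_event_send_key_delay hunk below drops silently in the same way, and a trace point on both drop paths would make a hit limit diagnosable from the host instead of looking like a dead keyboard.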
Signed-off-by: Marc-André Lureau
Message-id: 20170425130520.31819-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann
---
 ui/input.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/input.c b/ui/input.c
index fb1f404095..830f912f99 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -411,6 +411,10 @@ void qemu_input_event_send_key_qcode(QemuConsole *src, QKeyCode q, bool down)
 
 void qemu_input_event_send_key_delay(uint32_t delay_ms)
 {
+ if (!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)) {
+ return;
+ }
+
 if (!kbd_timer) {
 kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
 &kbd_queue);

From 2222e0a633070f7f3eafcc9d0e95e7f1a4e6fe36 Mon Sep 17 00:00:00 2001
From: Alexander Graf
Date: Thu, 30 Mar 2017 16:22:55 +0200
Subject: [PATCH 3/3] input: Add trace event for empty keyboard queue

When driving QEMU from the outside, we have basically no chance to determine how quickly the guest OS picks up key events, so we usually have to limit ourselves to very slow keyboard presses to make sure the guest always has enough chance to pick them up.

This patch adds a trace events when the keyboarde queue is drained. An external driver can use that as hint that new keys can be pressed.

Signed-off-by: Alexander Graf
Message-id: 1490883775-94658-1-git-send-email-agraf@suse.de
Signed-off-by: Gerd Hoffmann
---
 hw/input/hid.c | 4 ++++
 hw/input/trace-events | 1 +
 2 files changed, 5 insertions(+)

diff --git a/hw/input/hid.c b/hw/input/hid.c
index fa9cc4c616..93887ecc43 100644
--- a/hw/input/hid.c
+++ b/hw/input/hid.c
@@ -256,6 +256,10 @@ static void hid_keyboard_process_keycode(HIDState *hs)
 slot = hs->head & QUEUE_MASK; QUEUE_INCR(hs->head); hs->n--;
 keycode = hs->kbd.keycodes[slot];
 
+ if (!hs->n) {
+ trace_hid_kbd_queue_empty();
+ }
+
 key = keycode & 0x7f;
 index = key | ((hs->kbd.modifiers & (1 << 8)) >> 1);
 hid_code = hid_usage_keys[index];
diff --git a/hw/input/trace-events b/hw/input/trace-events
index f3bfbede5c..5a87818b49 100644
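Review bot: The new early return in qemu_input_event_send_key_delay encodes the same "guest is not running" rule that the commit message attributes to qemu_input_event_send(), but nothing in the hunk ties the two together, so the next change to one predicate is likely to miss the other. A comment on the new `if` would help: `/* Mirror qemu_input_event_send(): key events are dropped while the guest is paused, so do not queue a delay for them either. */`; better still, hoist the predicate into one shared static helper that both call sites use. The body of qemu_input_event_send_key_delay continues outside the hunk.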
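Review bot: The new trace in hid_keyboard_process_keycode fires at the moment the queue becomes empty, which is before the key just dequeued has been translated and reported by the lines that follow, so an external driver must read it as "there is room to inject more keys", not as "the guest has consumed the last key"; a comment stating that would prevent the hint being misused, e.g. `/* Queue drained: hint for external drivers that more keys may be injected; the current key is still being processed below. */`. The function continues past this hunk.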
--- a/hw/input/trace-events
+++ b/hw/input/trace-events
@@ -24,6 +24,7 @@ milkymist_softusb_pulse_irq(void) "Pulse IRQ"
 
 # hw/input/hid.c
 hid_kbd_queue_full(void) "queue full"
+hid_kbd_queue_empty(void) "queue empty"
 
 # hw/input/virtio
 virtio_input_queue_full(void) "queue full"