mirror of
https://github.com/Motorhead1991/qemu.git
synced 2025-08-04 08:13:54 -06:00
f30815390a
In usb_device_post_load, certain values of dev->setup_len or
dev->setup_index can cause -EINVAL to be returned. One example is when
setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf).
This can happen through legitimate guest activity and will cause all
subsequent attempts to migrate the guest to fail in vmstate_load_state.
The values of these variables can be set by USB packets originating in
the guest. There are two ways in which they can be set: in
do_token_setup and in do_parameter in hw/usb/core.c.
It is easy to craft a USB packet in a guest that causes do_token_setup
to set setup_len to a value larger than 4096. When this has been done
once, all subsequent attempts to migrate the VM will fail in
usb_device_post_load until the VM is next power-cycled or a
smaller-sized USB packet is sent to the device.
Sample code for achieving this in a VM started with "-device usb-tablet"
running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
int main() {
char buf[4097];
int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK);
buf[0] = 0x1;
write(fd, buf, 4097);
return 0;
}
When this code is run in the VM, qemu will output:
usb_generic_handle_packet: ctrl buffer too small (4097 > 4096)
A subsequent attempt to migrate the VM will fail and output the
following on the destination host:
qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr'
qemu-kvm: load of migration failed: Invalid argument
The idea behind checking the values of setup_len and setup_index before
they are used is correct, but doing it in usb_device_post_load feels
arbitrary, and will cause unnecessary migration failures. Indeed, none
of the commit messages for
|
||
|---|---|---|
| .. | ||
| bus.c | ||
| ccid-card-emulated.c | ||
| ccid-card-passthru.c | ||
| ccid.h | ||
| chipidea.c | ||
| combined-packet.c | ||
| core.c | ||
| desc-msos.c | ||
| desc.c | ||
| desc.h | ||
| dev-audio.c | ||
| dev-bluetooth.c | ||
| dev-hid.c | ||
| dev-hub.c | ||
| dev-mtp.c | ||
| dev-network.c | ||
| dev-serial.c | ||
| dev-smartcard-reader.c | ||
| dev-storage.c | ||
| dev-uas.c | ||
| dev-wacom.c | ||
| hcd-ehci-pci.c | ||
| hcd-ehci-sysbus.c | ||
| hcd-ehci.c | ||
| hcd-ehci.h | ||
| hcd-musb.c | ||
| hcd-ohci.c | ||
| hcd-uhci.c | ||
| hcd-xhci-nec.c | ||
| hcd-xhci.c | ||
| hcd-xhci.h | ||
| host-libusb.c | ||
| host-stub.c | ||
| host.h | ||
| libhw.c | ||
| Makefile.objs | ||
| quirks-ftdi-ids.h | ||
| quirks-pl2303-ids.h | ||
| quirks.c | ||
| quirks.h | ||
| redirect.c | ||
| trace-events | ||
| tusb6010.c | ||
| xen-usb.c | ||