From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Thu, 4 May 2017 07:50:38 +0200
Message-Id: <20170504055040.31904-2-kraxel@redhat.com>
In-Reply-To: <20170504055040.31904-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 1/3] input: limit kbd queue depth
Cc: Huawei PSIRT, Gerd Hoffmann, P J P

Apply a limit to the number of items we accept into the keyboard queue.

Impact: Without this limit vnc clients can exhaust host memory by sending
keyboard events faster than qemu feeds them to the guest.

Fixes: CVE-2017-8379
Cc: P J P
Cc: Huawei PSIRT
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann
Message-id: 20170428084237.23960-1-kraxel@redhat.com
---
 ui/input.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEven= tQueue) kbd_queue =3D QTAILQ_HEAD_INITIALIZER(kbd_queue); static QEMUTimer *kbd_timer; static uint32_t kbd_default_delay_ms =3D 10; +static uint32_t queue_count; +static uint32_t queue_limit =3D 1024; =20 QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, QemuInputHandler *handl= er) @@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) break; } QTAILQ_REMOVE(queue, item, node); + queue_count--; g_free(item); } } @@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEven= tQueueHead *queue, item->delay_ms =3D delay_ms; item->timer =3D timer; QTAILQ_INSERT_TAIL(queue, item, node); + queue_count++; =20 if (start_timer) { timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) @@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEven= tQueueHead *queue, item->src =3D src; item->evt =3D evt; QTAILQ_INSERT_TAIL(queue, item, node); + queue_count++; } =20 static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) @@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEvent= QueueHead *queue) =20 item->type =3D QEMU_INPUT_QUEUE_SYNC; QTAILQ_INSERT_TAIL(queue, item, node); + queue_count++; } =20 void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) @@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyVal= ue *key, bool down) qemu_input_event_send(src, evt); qemu_input_event_sync(); qapi_free_InputEvent(evt); - } else { + } else if (queue_count < queue_limit) { qemu_input_queue_event(&kbd_queue, src, evt); qemu_input_queue_sync(&kbd_queue); } 
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) kbd_timer =3D timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_pr= ocess, &kbd_queue); } - qemu_input_queue_delay(&kbd_queue, kbd_timer, - delay_ms ? delay_ms : kbd_default_delay_ms); + if (queue_count < queue_limit) { + qemu_input_queue_delay(&kbd_queue, kbd_timer, + delay_ms ? delay_ms : kbd_default_delay_ms); + } } =20 InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) --=20 2.9.3 From nobody Thu May 2 13:25:55 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1493877132586489.8474916979427; Wed, 3 May 2017 22:52:12 -0700 (PDT) Received: from localhost ([::1]:39821 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d69gQ-0005pU-Py for importer@patchew.org; Thu, 04 May 2017 01:52:10 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47299) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d69fG-0005CJ-36 for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d69fE-0005RK-KO for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:58 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59196) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1d69fE-0005Qr-Dz for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:56 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) 
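Review bot: in the qemu_input_event_send_key() hunk, the new `} else if (queue_count < queue_limit) {` has no closing else, so once the queue is full `evt` is neither handed to the queue nor released: the direct-send path frees it with `qapi_free_InputEvent(evt)` and the queued path transfers ownership to the queue, but the dropped path does neither, leaking one InputEvent per dropped event. Add `} else { qapi_free_InputEvent(evt); }`. The drop is also silent, and a dropped key-up leaves that key held down in the guest; a trace point on the drop, in the style of the existing hid_kbd_queue_full, would let operators see when the limit is being hit.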
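Review bot: the limit in the declaration hunk counts queue items, not keystrokes, and both `queue_count < queue_limit` checks run once before two insertions (qemu_input_queue_event() and qemu_input_queue_sync() each do `queue_count++`), so queue_count can reach queue_limit + 1 and each key press costs two slots, giving an effective depth of roughly 512 key events plus any delay items. Harmless, but worth a comment next to `static uint32_t queue_limit = 1024;` saying what the unit is; and since nothing in the patch assigns queue_limit, it could be `static const`.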
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Thu, 4 May 2017 07:50:39 +0200
Message-Id: <20170504055040.31904-3-kraxel@redhat.com>
In-Reply-To: <20170504055040.31904-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 2/3] input: don't queue delay if paused
Cc: Marc-André Lureau, Gerd Hoffmann
From: Marc-André Lureau

qemu_input_event_send() discards the key event when the guest is paused,
but not the delay. The delay ends up in the input queue, and
qemu_input_event_send_key() will further fill the queue with upcoming
events.

VNC uses qemu_input_event_send_key_delay(), not SPICE, which results in a
different input behaviour on pause: VNC will queue the events (except the
first, which is discarded), SPICE will discard all events.

Don't queue the delay if paused, and provide the same behaviour on SPICE
and VNC clients on resume (and potentially avoid over-allocating the
buffer queue).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1444326
Signed-off-by: Marc-André Lureau
Message-id: 20170425130520.31819-1-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann
---
 ui/input.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ui/input.c b/ui/input.c
index fb1f404095..830f912f99 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -411,6 +411,10 @@ void qemu_input_event_send_key_qcode(QemuConsole *src,= QKeyCode q, bool down) =20 void qemu_input_event_send_key_delay(uint32_t delay_ms) { + if (!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)) { + return; + } + if (!kbd_timer) { kbd_timer =3D timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_pr= ocess, &kbd_queue); --=20 2.9.3 From nobody Thu May 2 13:25:55 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1493877211786317.69832656246035; Wed, 3 May 2017 22:53:31 -0700 (PDT) Received: from localhost ([::1]:39824 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d69hh-0006ga-08 for importer@patchew.org; Thu, 04 May 2017 01:53:29 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:47301) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d69fG-0005CL-3x for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d69fD-0005Ql-O6 for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:58 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46242) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1d69fD-0005QN-Hv for qemu-devel@nongnu.org; Thu, 04 May 2017 01:50:55 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
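Review bot: the early return in qemu_input_event_send_key_delay() duplicates the paused-guest condition `!runstate_is_running() && !runstate_check(RUN_STATE_SUSPENDED)` that, per the commit message, qemu_input_event_send() already applies to key events; factor it into a small static helper so the two call sites cannot drift apart, and confirm ui/input.c already includes the header declaring runstate_is_running()/runstate_check(), since the hunk adds no include. Note the placement too: the check sits before the `if (!kbd_timer)` block, so while paused no timer is created either, which is fine but differs from the limit check in PULL 1/3, which runs after the timer is created.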
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Date: Thu, 4 May 2017 07:50:40 +0200
Message-Id: <20170504055040.31904-4-kraxel@redhat.com>
In-Reply-To: <20170504055040.31904-1-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 3/3] input: Add trace event for empty keyboard queue
Cc: Alexander Graf, Gerd Hoffmann
From: Alexander Graf When driving QEMU from the outside, we have basically no chance to determine how quickly the guest OS picks up key events, so we usually have to limit ourselves to very slow keyboard presses to make sure the guest always has enough chance to pick them up. This patch adds a trace events when the keyboarde queue is drained. An external driver can use that as hint that new keys can be pressed. Signed-off-by: Alexander Graf Message-id: 1490883775-94658-1-git-send-email-agraf@suse.de Signed-off-by: Gerd Hoffmann --- hw/input/hid.c | 4 ++++ hw/input/trace-events | 1 + 2 files changed, 5 insertions(+) diff --git a/hw/input/hid.c b/hw/input/hid.c index fa9cc4c616..93887ecc43 100644 --- a/hw/input/hid.c +++ b/hw/input/hid.c @@ -256,6 +256,10 @@ static void hid_keyboard_process_keycode(HIDState *hs) slot =3D hs->head & QUEUE_MASK; QUEUE_INCR(hs->head); hs->n--; keycode =3D hs->kbd.keycodes[slot]; =20 + if (!hs->n) { + trace_hid_kbd_queue_empty(); + } + key =3D keycode & 0x7f; index =3D key | ((hs->kbd.modifiers & (1 << 8)) >> 1); hid_code =3D hid_usage_keys[index]; diff --git a/hw/input/trace-events b/hw/input/trace-events index f3bfbede5c..5a87818b49 100644 --- a/hw/input/trace-events +++ b/hw/input/trace-events @@ -24,6 +24,7 @@ milkymist_softusb_pulse_irq(void) "Pulse IRQ" =20 # hw/input/hid.c hid_kbd_queue_full(void) "queue full" +hid_kbd_queue_empty(void) "queue empty" =20 # hw/input/virtio virtio_input_queue_full(void) "queue full" --=20 2.9.3
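Review bot: in the hid.c hunk, trace_hid_kbd_queue_empty() fires the moment `hs->n` reaches 0 after the slot is dequeued and before the keycode is translated through hid_usage_keys, so an external driver should read it as "the HID queue has been drained", not "the last key has been fully delivered"; spell that out in the commit message, which also needs "keyboarde" corrected to "keyboard" and "adds a trace events" to "adds a trace event". The trace-events hunk matches the existing `hid_kbd_queue_full(void) "queue full"` entry in name and style, so nothing further there.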