Revision tags: v9.2.1
e82fbf01 | 13-Jan-2025 | Hongren Zheng <i@zenithal.me>
hw/usb/canokey: Fix buffer overflow for OUT packet
When a USBPacket in the OUT direction has a larger payload than the ep_out_buffer (of size 512), a buffer overflow would occur.
It could be fixed by limiting the size of usb_packet_copy to be at most buffer size. Further optimization gets rid of the ep_out_buffer and directly uses ep_out as the target buffer.
This is reported by a security researcher who artificially constructed an OUT packet of size 2047. The report has gone through the QEMU security process, and as this device is for testing purpose and no deployment of it in virtualization environment is observed, it is triaged not to be a security bug.
Cc: qemu-stable@nongnu.org
Fixes: d7d34918551dc48 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <thatjiaozi@gmail.com>
Signed-off-by: Hongren Zheng <i@zenithal.me>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 664280abddcb3cacc9c6204706bb739fcc1316f7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
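The invariant the fix above establishes is that an OUT packet can never write more than the endpoint buffer's size, whatever payload length the guest supplies. The following C program is an added illustration written for this page, not QEMU's code and not the actual diff of the commit: `struct out_packet`, `ep_out_copy` and `demo_out_packet` are hypothetical stand-ins for QEMU's USBPacket iovec and usb_packet_copy, and the guard bytes after the buffer exist only so the harness can prove nothing was written past the 512-byte limit when fed the 2047-byte packet the commit message mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Endpoint buffer size named in the commit message (512 bytes). */
#define EP_OUT_SIZE 512
/* Guard bytes placed after the buffer so the harness can detect an overrun
 * (constructed for this example, not part of the device model). */
#define GUARD_SIZE 16
#define GUARD_BYTE 0xAA

/* Hypothetical stand-in for a scatter-gather OUT payload: QEMU carries
 * packet data as an iovec, so a copy has to walk segments. */
struct iov_seg {
    const uint8_t *base;
    size_t len;
};

struct out_packet {
    const struct iov_seg *segs;
    size_t nsegs;
    size_t total;   /* sum of segs[i].len, as the guest declared it */
};

/* Bounded copy of an OUT packet into an endpoint buffer of ep_size bytes.
 * At most ep_size bytes are written regardless of p->total. Returns the
 * number of bytes copied; *truncated is set when the packet did not fit,
 * so the caller can reject or stall it instead of silently accepting. */
size_t ep_out_copy(const struct out_packet *p, uint8_t *ep_buf,
                   size_t ep_size, int *truncated)
{
    size_t want = p->total < ep_size ? p->total : ep_size;
    size_t done = 0;

    *truncated = p->total > ep_size;
    for (size_t i = 0; i < p->nsegs && done < want; i++) {
        size_t n = p->segs[i].len;
        if (n > want - done) {
            n = want - done;   /* clamp the segment to the space left */
        }
        memcpy(ep_buf + done, p->segs[i].base, n);
        done += n;
    }
    return done;
}

/* Harness: builds a constructed OUT packet of `len` bytes split across two
 * segments, copies it into a 512-byte buffer followed by guard bytes, and
 * checks both the copied data and the guard. Returns 1 if the buffer holds
 * the expected prefix and the guard is intact, 0 otherwise. */
int demo_out_packet(size_t len, size_t *copied, int *truncated)
{
    static uint8_t payload[4096];
    static uint8_t ep_buf[EP_OUT_SIZE + GUARD_SIZE];
    struct iov_seg segs[2];
    struct out_packet p;
    size_t first;

    if (len > sizeof payload) {
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        payload[i] = (uint8_t)i;   /* recognisable pattern */
    }
    memset(ep_buf, 0, EP_OUT_SIZE);
    memset(ep_buf + EP_OUT_SIZE, GUARD_BYTE, GUARD_SIZE);

    first = len / 2;
    segs[0].base = payload;         segs[0].len = first;
    segs[1].base = payload + first; segs[1].len = len - first;
    p.segs = segs; p.nsegs = 2; p.total = len;

    *copied = ep_out_copy(&p, ep_buf, EP_OUT_SIZE, truncated);

    for (size_t i = 0; i < *copied; i++) {
        if (ep_buf[i] != (uint8_t)i) {
            return 0;
        }
    }
    for (size_t i = 0; i < GUARD_SIZE; i++) {
        if (ep_buf[EP_OUT_SIZE + i] != GUARD_BYTE) {
            return 0;   /* something wrote past the buffer */
        }
    }
    return 1;
}

int main(void)
{
    size_t copied;
    int truncated;
    /* The reported case: a 2047-byte OUT packet against a 512-byte buffer. */
    int ok = demo_out_packet(2047, &copied, &truncated);
    printf("2047-byte packet: copied=%zu truncated=%d guard_ok=%d\n",
           copied, truncated, ok);
    ok = demo_out_packet(100, &copied, &truncated);
    printf("100-byte packet: copied=%zu truncated=%d guard_ok=%d\n",
           copied, truncated, ok);
    return 0;
}
```

The design point is that the bound is derived from the destination buffer, not from the length field the guest controls; the `truncated` flag is returned separately so the device model can decide how to respond to an oversized packet rather than having that decision hidden inside the copy.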
Revision tags: v9.2.0, v9.1.2, v9.1.1, v9.1.0
5fc77092 | 26-Jul-2023 | Richard Henderson <richard.henderson@linaro.org>
Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging
Miscellaneous fixes
* Switch canokey license from Apache to GPLv2+
* Fix uninitialized variable in LUKS driver
# -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmS/91MACgkQvobrtBUQ # T9+WjA/9Gx02s4aZvLJ1gSpzPguIEjwEulVOBCTaxQ1Fuu/5RawWXmFMhQ/iwAbi # EnbeDpghG+Qk+4DCfQDMq0F8zkozvZOLW8NTZJW66dpV9PSwji39eIpVgvin2GXA # bGZBz6ZwXoTozplfY8LTzLIGyZNzGNjSO4ND1zsyXq57LXbWXhAdHvsxwi1h1rOc # FbNMeSPFlwPtCnpQgBDQmRmQ5UzwZiJOCp3zi9njMM/D6AfU/n275QzLvd/3ydBO # JW4q1IHyDs13g+SCnI4a2rqI7+Uf+Z7h2DfkwhoaGoGuTpZ6llTgM4asjUOFri66 # RzVWz6UK+uCUogq2wgfYJ5jyNwerU8DtyjSW3kxhLcaTTRUGG/+nQu9PV+aPy1xD # DZWo74KBtiRDFVS1XTLoDd+tNDqzNRdCmWqlc0CWgjUU68b61+GCDnkr+F0rJ59t # rL1Q+bgKDVnYVxbTVJQs9V6zdeu6o7x94moK2UCAUbGlaCcpkl/sZXqF586dMQAj # SvaGRYBxMvZvDVeIaINV/sW+vssoSdi7MKaUHAiHydnph/NFzC501bszh7RMyfAd # 4/PLsm4ezmSFBZ0BS6+zjMBwWEQYiJbl6DDZZI631qSC4G5yOm9TCW2I7ZPNdpRu # CveFHf8/dREd5o5iE6Vl5mWZF++dOcil64PnevqEv5/wjQcyHJs= # =+YRm # -----END PGP SIGNATURE----- # gpg: Signature made Tue 25 Jul 2023 09:24:51 AM PDT # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
* tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu:
  hw/usb/canokey: change license to GPLv2+
  crypto: Always initialize splitkeylen
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
0e6b20b9 | 30-Apr-2023 | Hongren (Zenithal) Zheng <i@zenithal.me>
hw/usb/canokey: change license to GPLv2+
Apache license is considered by some to be not compatible with GPLv2+. Since QEMU as combined work is GPLv2-only, these two files should be made compatible.
Reported-by: "Daniel P. Berrangé" <berrange@redhat.com>
Link: https://lore.kernel.org/qemu-devel/ZEpKXncC%2Fe6FKRe9@redhat.com/
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-By: canokeys.org (http://canokeys.org) <contact@canokeys.org>
Acked-by: YuanYang Meng <mkfssion@mkfssion.com>
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Revision tags: v8.0.0, v7.2.0
dfe2382f | 04-Jul-2022 | Richard Henderson <richard.henderson@linaro.org>
Merge tag 'kraxel-20220704-pull-request' of https://gitlab.com/kraxel/qemu into staging
usb: canokey fixes.
ui: better tab labels, cocoa fix,
docs: convert fw_cfg to rst.
# -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmLCndwACgkQTLbY7tPo # cTjNHA/+MT56crVXnjMTdgBRLOuq0cxYnIUptN0JPKx9DTJzdlXEyT+zYD7iIzUt # W0xbOrTLVzU9hfJVh9/5V2HuFmc1eAhfl0BDTzd1TT0kdH6LyUkz5RWgotzo3nvH # 7tnl/sBy48a7diSyQn6K2s8r35ubrX1GNJiJcCLWdVEqvzKKWDEqebs02PxbN/OJ # 9UG9xtkM/QQ1+h74jq5BGKXf08xOhOZIjO274Sn5zievBC9JU6RVkCOlUXiBdk51 # +vNTfKt3c864cstryXSTknYWyVv7zKzCqr7xR7c+fgbt3cN/HmLkM9LGytDMEDl/ # IC0CtKiRN316GgVHHMDT8v8X2dVHNH9ZEEoXRKIbc5jD/tetJw7IIEO7blJphdpV # WE4/bRpJwYVW9UHzig9rPRxsHLs3NSZbNCQEbGUvAbZzS2kq9hnDa/BBtFSYaf+X # RIwR7rY7WhENfSrus1jR5rfWRU7n+q+fcNIFZetUakH1V6Idb0xQir3eM/yM6sBC # nzQSzzLsd3Mwh2ahbnLZ1HkyybZV692usVylKsFLVwcUhCvk+VHccOF31QfrxO/j # ogVzTYYtfrGM5kaknueIMg7XAhjQ04Av70+0b886kZawB3ZE5Ccare2TztHq1jcG # dMdEm7DLaDRm2RXa9NtcbxsIrS0DT2EuFcBnQ1mHMCGql4MidzE= # =Bhbw # -----END PGP SIGNATURE----- # gpg: Signature made Mon 04 Jul 2022 01:29:24 PM +0530 # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [undefined] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [undefined] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'kraxel-20220704-pull-request' of https://gitlab.com/kraxel/qemu:
  hw: canokey: Remove HS support as not compliant to the spec
  docs/system/devices/usb/canokey: remove limitations on qemu-xhci
  hw/usb/canokey: fix compatibility of qemu-xhci
  hw/usb/canokey: Fix CCID ZLP
  ui/cocoa: Fix clipboard text release
  ui/console: allow display device to be labeled with given id
  Convert fw_cfg.rst to reStructuredText syntax
  Rename docs/specs/fw_cfg.txt to .rst
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
927b968d | 25-Jun-2022 | MkfsSion <mkfssion@mkfssion.com>
hw: canokey: Remove HS support as not compliant to the spec
Canokey core is currently using 16 bytes as the maximum packet size for the control endpoint, but to run the device in high-speed a 64 bytes maximum packet size is required according to the USB 2.0 specification. Since we don't actually need to run the device in high-speed, simply don't assign the high member in USBDesc.
When canokey-qemu is used with xhci, xhci would drive canokey in high speed mode, since the bcdUSB in canokey-core is 2.1, yet canokey-core sets bMaxPacketSize0 to be 16; this is out of the spec, as the spec says that "The allowable maximum control transfer data payload sizes...for high-speed devices, it is 64 bytes".
In this case, usb device validation in Windows 10 LTSC 2021 as the guest would fail. It would complain USB\DEVICE_DESCRIPTOR_VALIDATION_FAILURE.
Note that bcdUSB only identifies the spec version the device complies with, but it has no indication of its speed. So it is allowed for the device to run in FS but comply with the 2.1 spec.
To solve the issue we decided to just drop the high speed support. This only affects usb-ehci as usb-ehci would complain speed mismatch when FS device is attached to a HS port. That's why the .high member was initialized in the first place. Meanwhile, xhci is not affected as it works well with FS device. Since everyone is now using xhci, it does no harm to most users.
Suggested-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Signed-off-by: YuanYang Meng <mkfssion@mkfssion.com>
Reviewed-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <20220625142138.19363-1-mkfssion@mkfssion.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
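The validation failure described in the commit above comes from one rule in USB 2.0: the control endpoint's bMaxPacketSize0 must match the speed the device is enumerated at, and bcdUSB says nothing about speed. The program below is an added example for this page, not QEMU's or canokey-core's code: `struct usb_device_desc`, `ep0_size_allowed` and `desc_speeds_consistent` are hypothetical names, and the descriptor values (bcdUSB 0x0210, bMaxPacketSize0 16) are the ones the commit message states. It models the host-side check and shows why advertising a high-speed variant with a 16-byte control endpoint fails while the full-speed-only configuration passes.

```c
#include <stdint.h>
#include <stdio.h>

/* Bus speeds relevant here (constructed enum, not QEMU's). */
enum usb_speed { USB_SPEED_LOW, USB_SPEED_FULL, USB_SPEED_HIGH };

/* The two device-descriptor fields this check needs (hypothetical struct). */
struct usb_device_desc {
    uint16_t bcdUSB;          /* spec version the device complies with */
    uint8_t  bMaxPacketSize0; /* max payload of the control endpoint */
};

/* USB 2.0 permits bMaxPacketSize0 of 8 at low speed; 8, 16, 32 or 64 at
 * full speed; and exactly 64 at high speed. */
int ep0_size_allowed(enum usb_speed speed, uint8_t size)
{
    switch (speed) {
    case USB_SPEED_LOW:
        return size == 8;
    case USB_SPEED_FULL:
        return size == 8 || size == 16 || size == 32 || size == 64;
    case USB_SPEED_HIGH:
        return size == 64;
    }
    return 0;
}

/* Host-side view: validate the descriptor against the speed the device
 * was actually enumerated at. bcdUSB is deliberately not consulted, since
 * a device declaring 2.1 may legitimately run at full speed. */
int validate_device_desc(const struct usb_device_desc *d, enum usb_speed speed)
{
    return ep0_size_allowed(speed, d->bMaxPacketSize0);
}

/* Device-model view: if the model offers a descriptor set for a speed
 * (like the .full / .high members of USBDesc), the control endpoint size
 * must be legal at every speed offered. Returns 1 if consistent. */
int desc_speeds_consistent(const struct usb_device_desc *d,
                           int offers_full, int offers_high)
{
    if (offers_full && !ep0_size_allowed(USB_SPEED_FULL, d->bMaxPacketSize0)) {
        return 0;
    }
    if (offers_high && !ep0_size_allowed(USB_SPEED_HIGH, d->bMaxPacketSize0)) {
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Values from the commit message: bcdUSB 2.1, bMaxPacketSize0 16. */
    struct usb_device_desc canokey = { 0x0210, 16 };

    printf("enumerated at FS: %s\n",
           validate_device_desc(&canokey, USB_SPEED_FULL) ? "valid" : "rejected");
    printf("enumerated at HS: %s\n",
           validate_device_desc(&canokey, USB_SPEED_HIGH) ? "valid" : "rejected");
    printf("model offers FS+HS: %s\n",
           desc_speeds_consistent(&canokey, 1, 1) ? "consistent" : "inconsistent");
    printf("model offers FS only: %s\n",
           desc_speeds_consistent(&canokey, 1, 0) ? "consistent" : "inconsistent");
    return 0;
}
```

Such a consistency check belongs at device-model construction time: catching the mismatch there is cheaper than discovering it as a guest-side enumeration failure.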
10425630 | 13-Jun-2022 | Hongren (Zenithal) Zheng <i@zenithal.me>
hw/usb/canokey: fix compatibility of qemu-xhci
XHCI won't poll the interrupt IN endpoint if NAKed, and needs wakeup
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YqcqSHNpI7sXRNpZ@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
ada270cd | 13-Jun-2022 | Hongren (Zenithal) Zheng <i@zenithal.me>
hw/usb/canokey: Fix CCID ZLP
CCID could send a zero-length packet (ZLP); if we invoke two data_in, two packets would be concatenated and we could not distinguish them.
The CANOKEY_EMU_EP_CTAPHID is imported from canokey-qemu.h
Reported-by: MkfsSion <myychina28759@gmail.com>
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YqcqGz0s3+LE42ms@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
8e6c70b9 | 14-Jun-2022 | Richard Henderson <richard.henderson@linaro.org>
Merge tag 'kraxel-20220614-pull-request' of git://git.kraxel.org/qemu into staging
usb: add CanoKey device, fixes for ehci + redir
ui: fixes for gtk and cocoa, rework refresh rate
virtio-gpu: scanout flush fix
# -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmKoe/8ACgkQTLbY7tPo # cTgZqw/9HD5dMjP74jwrf14dSCR6FD8PfSZU43YBZtMKMtYIzSgrG0NGmreDIhmr # ZM+G0By+J8vFaSqDukX31077DnptyrxsANOg3zc28SfOCrI7I/mNVymd9hl+Ydpd # A7h0DpHxs1mkpTVxGoXZoJRGXUE41rctbFVjG3CGynSG9K2vFQRsJz0jG723dg5Y # uv+Di1WkhqNkyKNsTEGbz9LNqtdtGzvQm3COBpKoTsl4X3EXIE68Qh7i3cMTSNIw # KKPARW3oiCOy3Fc4kQW9nSxkkHMS6NPL1uyQ52j7pXYxRdxRaREFQ9Gxst3ie9bS # mbqSuzS2+1v0w37bq9wE0PiCkmwWnu2KWiWWkAIYlmmZTgHvgxCvPcJaeItmap27 # dsAuPUGBbhhrmUwfMgJXp/wRvoZQc2l9w9+eUklsbI+VTbr6i+r/OoLRmnDJr+K/ # yNscMU1LzoigK0NDdP+PnFl3k8pux0Awtotgfyd+UGTSW8a5L6UFAWIxcUcd0Jjv # 24jAEEc1S1ciDxJDWYn4+17KJARG7no2PRXsGXCUNaWduGEk8wPK+i6Xk82U36o7 # 7j0N16RFNv1YSUaUJHgtmAMRJIQMCiB42VaYxlDfzKupvq2RgRWaWBD/HozgLhXn # DjEX+JRAnaOYnn1NURzTNDwnhQethJRXI1ntI1U8IFLYT4baSCY= # =L5PO # -----END PGP SIGNATURE----- # gpg: Signature made Tue 14 Jun 2022 05:15:59 AM PDT # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [undefined] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [undefined] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'kraxel-20220614-pull-request' of git://git.kraxel.org/qemu:
  virtio-gpu: Respect UI refresh rate for EDID
  ui: Deliver refresh rate via QemuUIInfo
  ui/console: Do not return a value with ui_info
  virtio-gpu: update done only on the scanout associated with rect
  usbredir: avoid queuing hello packet on snapshot restore
  hw/usb/hcd-ehci: fix writeback order
  MAINTAINERS: add myself as CanoKey maintainer
  docs/system/devices/usb: Add CanoKey to USB devices examples
  docs: Add CanoKey documentation
  meson: Add CanoKey
  hw/usb/canokey: Add trace events
  hw/usb: Add CanoKey Implementation
  ui/cocoa: Fix poweroff request code
  ui/gtk-gl-area: create the requested GL context version
  ui/gtk-gl-area: implement GL context destruction
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
d37d0e0e | 19-May-2022 | Hongren (Zenithal) Zheng <i@zenithal.me>
hw/usb/canokey: Add trace events
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YoY6RoDKQIxSkFwL@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
d7d34918 | 19-May-2022 | Hongren (Zenithal) Zheng <i@zenithal.me>
hw/usb: Add CanoKey Implementation
This commit added a new emulated device called CanoKey to QEMU.
CanoKey implements platform independent features in canokey-core https://github.com/canokeys/canokey-core, and leaves the USB implementation to the platform.
In this commit the USB part was implemented in QEMU using QEMU's USB APIs, therefore the emulated CanoKey can communicate with the guest OS using USB.
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YoY6Mgph6f6Hc/zI@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>