{"id":806882,"url":"http://patchwork.ozlabs.org/api/1.0/patches/806882/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<1503965694-10794-73-git-send-email-mdroth@linux.vnet.ibm.com>","date":"2017-08-29T00:14:47","name":"[72/79] input: limit kbd queue depth","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ad490de891b08c43a08b61790bc132b6c8be2a5a","submitter":{"id":5549,"url":"http://patchwork.ozlabs.org/api/1.0/people/5549/?format=json","name":"Michael Roth","email":"mdroth@linux.vnet.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/1503965694-10794-73-git-send-email-mdroth@linux.vnet.ibm.com/mbox/","series":[{"id":281,"url":"http://patchwork.ozlabs.org/api/1.0/series/281/?format=json","date":"2017-08-29T00:13:45","name":"Patch Round-up for stable 2.9.1, freeze on 2017-09-04","version":1,"mbox":"http://patchwork.ozlabs.org/series/281/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/806882/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)","Received":["from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xh9Xp2JLkz9sQl\n\tfor <incoming@patchwork.ozlabs.org>;\n\tTue, 29 Aug 2017 11:10:02 +1000 (AEST)","from localhost 
([::1]:42187 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dmV2W-0006or-4q\n\tfor incoming@patchwork.ozlabs.org; Mon, 28 Aug 2017 21:10:00 -0400","from eggs.gnu.org ([2001:4830:134:3::10]:49079)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <mdroth@linux.vnet.ibm.com>) id 1dmUCx-0001u8-1M\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:16:44 -0400","from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <mdroth@linux.vnet.ibm.com>) id 1dmUCt-0006JE-0f\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:16:43 -0400","from mx0b-001b2d01.pphosted.com ([148.163.158.5]:35504\n\thelo=mx0a-001b2d01.pphosted.com)\n\tby eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.71) (envelope-from <mdroth@linux.vnet.ibm.com>)\n\tid 1dmUCs-0006Id-Q0\n\tfor qemu-devel@nongnu.org; Mon, 28 Aug 2017 20:16:38 -0400","from pps.filterd (m0098413.ppops.net [127.0.0.1])\n\tby mx0b-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv7T0E8DR017766\n\tfor <qemu-devel@nongnu.org>; Mon, 28 Aug 2017 20:16:38 -0400","from e13.ny.us.ibm.com (e13.ny.us.ibm.com [129.33.205.203])\n\tby mx0b-001b2d01.pphosted.com with ESMTP id 2cmub2wwdp-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <qemu-devel@nongnu.org>; Mon, 28 Aug 2017 20:16:38 -0400","from localhost\n\tby e13.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <qemu-devel@nongnu.org> from <mdroth@linux.vnet.ibm.com>;\n\tMon, 28 Aug 2017 20:16:37 -0400","from b01cxnp22036.gho.pok.ibm.com (9.57.198.26)\n\tby e13.ny.us.ibm.com (146.89.104.200) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! 
Violators will be prosecuted; \n\tMon, 28 Aug 2017 20:16:34 -0400","from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com\n\t[9.57.199.110])\n\tby b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP\n\tid v7T0GXCn30867496; Tue, 29 Aug 2017 00:16:33 GMT","from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id 42161AE03C;\n\tMon, 28 Aug 2017 20:16:57 -0400 (EDT)","from localhost (unknown [9.80.85.217])\n\tby b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP id 0A28EAE034;\n\tMon, 28 Aug 2017 20:16:56 -0400 (EDT)"],"From":"Michael Roth <mdroth@linux.vnet.ibm.com>","To":"qemu-devel@nongnu.org","Date":"Mon, 28 Aug 2017 19:14:47 -0500","X-Mailer":"git-send-email 2.7.4","In-Reply-To":"<1503965694-10794-1-git-send-email-mdroth@linux.vnet.ibm.com>","References":"<1503965694-10794-1-git-send-email-mdroth@linux.vnet.ibm.com>","X-TM-AS-GCONF":"00","x-cbid":"17082900-0008-0000-0000-00000275D344","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007630; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000226; SDB=6.00909028; UDB=6.00455849;\n\tIPR=6.00689279; \n\tBA=6.00005557; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00016909;\n\tXFM=3.00000015; UTC=2017-08-29 00:16:36","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17082900-0009-0000-0000-000036857B51","Message-Id":"<1503965694-10794-73-git-send-email-mdroth@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-08-28_13:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=3\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1708290001","X-detected-operating-system":"by eggs.gnu.org: GNU/Linux 3.x [generic] 
[fuzzy]","X-Received-From":"148.163.158.5","Subject":"[Qemu-devel] [PATCH 72/79] input: limit kbd queue depth","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<http://lists.nongnu.org/archive/html/qemu-devel/>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Cc":"P J P <ppandit@redhat.com>, Huawei PSIRT <PSIRT@huawei.com>,\n\tqemu-stable@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"},"content":"From: Gerd Hoffmann <kraxel@redhat.com>\n\nApply a limit to the number of items we accept into the keyboard queue.\n\nImpact: Without this limit vnc clients can exhaust host memory by\nsending keyboard events faster than qemu feeds them to the guest.\n\nFixes: CVE-2017-8379\nCc: P J P <ppandit@redhat.com>\nCc: Huawei PSIRT <PSIRT@huawei.com>\nReported-by: jiangxin1@huawei.com\nSigned-off-by: Gerd Hoffmann <kraxel@redhat.com>\nMessage-id: 20170428084237.23960-1-kraxel@redhat.com\n(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc)\nSigned-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>\n---\n ui/input.c | 14 +++++++++++---\n 1 file changed, 11 insertions(+), 3 deletions(-)","diff":"diff --git a/ui/input.c b/ui/input.c\nindex ed88cda..fb1f404 100644\n--- a/ui/input.c\n+++ b/ui/input.c\n@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =\n     QTAILQ_HEAD_INITIALIZER(kbd_queue);\n static QEMUTimer *kbd_timer;\n static uint32_t 
kbd_default_delay_ms = 10;\n+static uint32_t queue_count;\n+static uint32_t queue_limit = 1024;\n \n QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,\n                                                    QemuInputHandler *handler)\n@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)\n             break;\n         }\n         QTAILQ_REMOVE(queue, item, node);\n+        queue_count--;\n         g_free(item);\n     }\n }\n@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,\n     item->delay_ms = delay_ms;\n     item->timer = timer;\n     QTAILQ_INSERT_TAIL(queue, item, node);\n+    queue_count++;\n \n     if (start_timer) {\n         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)\n@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,\n     item->src = src;\n     item->evt = evt;\n     QTAILQ_INSERT_TAIL(queue, item, node);\n+    queue_count++;\n }\n \n static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)\n@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)\n \n     item->type = QEMU_INPUT_QUEUE_SYNC;\n     QTAILQ_INSERT_TAIL(queue, item, node);\n+    queue_count++;\n }\n \n void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)\n@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)\n         qemu_input_event_send(src, evt);\n         qemu_input_event_sync();\n         qapi_free_InputEvent(evt);\n-    } else {\n+    } else if (queue_count < queue_limit) {\n         qemu_input_queue_event(&kbd_queue, src, evt);\n         qemu_input_queue_sync(&kbd_queue);\n     }\n@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)\n         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,\n                                  &kbd_queue);\n     }\n-    qemu_input_queue_delay(&kbd_queue, 
kbd_timer,\n-                           delay_ms ? delay_ms : kbd_default_delay_ms);\n+    if (queue_count < queue_limit) {\n+        qemu_input_queue_delay(&kbd_queue, kbd_timer,\n+                               delay_ms ? delay_ms : kbd_default_delay_ms);\n+    }\n }\n \n InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)\n","prefixes":["72/79"]}
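Review bot: in the qemu_input_event_send_key hunk, once `queue_count < queue_limit` is false the event is neither sent nor queued, and nothing on that path calls `qapi_free_InputEvent(evt)` the way the first branch does, so each dropped key event appears to be leaked. For a fix whose stated impact is host memory exhaustion, the drop path should release the event, for example with a final `else { qapi_free_InputEvent(evt); }`. Note also that the check runs once but the branch enqueues two items (the event and the sync), so the queue can end up one entry above queue_limit.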
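Review bot: in the declarations hunk at the top of ui/input.c, `queue_count` and `queue_limit` are file-wide, while every helper that updates the counter (qemu_input_queue_delay, qemu_input_queue_event, qemu_input_queue_sync, and the decrement in qemu_input_queue_process) takes a `queue` argument, so the counter would silently cover any other queue passed to those helpers. Naming the variables after kbd_queue, or keeping the count next to the queue head, would make that coupling explicit. `queue_limit` is never written in this patch and could be const, with a short comment on why 1024 was chosen.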
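Review bot: in the qemu_input_event_send_key_delay hunk, a delay request that arrives while the queue is at the limit is discarded with no trace point, log line or return value, so a caller that depends on the delay for key timing gets different spacing and has nothing to diagnose it with. A trace event or a one-time warning on the drop path, here and in the `else if (queue_count < queue_limit)` branch of qemu_input_event_send_key, would make it visible when a client is hitting the limit.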