From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1MlS7s-0005et-8x for qemu-devel@nongnu.org; Wed, 09 Sep 2009 14:42:40 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1MlS7r-0005dY-7u for qemu-devel@nongnu.org; Wed, 09 Sep 2009 14:42:39 -0400 Received: from [199.232.76.173] (port=53903 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1MlS7q-0005dJ-Uy for qemu-devel@nongnu.org; Wed, 09 Sep 2009 14:42:39 -0400 Received: from b.jim.sh ([75.150.123.26]:45494 helo=psychosis.jim.sh) by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1MlS7q-0005oA-Di for qemu-devel@nongnu.org; Wed, 09 Sep 2009 14:42:38 -0400 Received: from psychosis.jim.sh (localhost [127.0.0.1]) by psychosis.jim.sh (8.14.3/8.14.3/Debian-5) with ESMTP id n89IgZXg017058 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 9 Sep 2009 14:42:35 -0400 Received: (from jim@localhost) by psychosis.jim.sh (8.14.3/8.14.3/Submit) id n89IgYKK017057 for qemu-devel@nongnu.org; Wed, 9 Sep 2009 14:42:34 -0400 Date: Wed, 9 Sep 2009 14:42:34 -0400 From: Jim Paris Sender: jim@jim.sh Message-ID: <20090909184234.GA16987@psychosis.jim.sh> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [RESEND] [PATCH] usb-linux.c: fix buffer overflow List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org =46rom 0865ed67a30a1bde463a8db2baab8b6dbb0fcff5 Mon Sep 17 00:00:00 2001 =46rom: Jim Paris Date: Mon, 24 Aug 2009 14:56:12 -0400 Subject: [PATCH] usb-linux.c: fix buffer overflow In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and length to the kernel. However, the length was provided by the caller of dev->handle_packet, and is not checked, so the kernel might provide too much data and overflow our buffer. For example, hw/usb-uhci.c could set the length to 2047. hw/usb-ohci.c looks like it might go up to 4096 or 8192. This causes a qemu crash, as reported here: http://www.mail-archive.com/kvm@vger.kernel.org/msg18447.html This patch increases the usb-linux.c buffer size to 2048 to fix the specific device reported, and adds a check to avoid the overflow in any case. Signed-off-by: Jim Paris --- Increasing the buffer to 2048 is all that's necessary to fix the original bug report. It might make sense to increase the buffer size more (hw/usb-musb.c has some comments about 32k buffers). I don't understand all of the USB code too well, so the rest of the patch might not be optimal -- maybe it's OK to just cap the length before we pass it to the kernel, and then let async_complete_control notice that the transferred length was less than requested,=20 rather than failing the request completely? usb-linux.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/usb-linux.c b/usb-linux.c index 043f6b6..eb1c5f0 100644 --- a/usb-linux.c +++ b/usb-linux.c @@ -115,7 +115,7 @@ struct ctrl_struct { uint16_t offset; uint8_t state; struct usb_ctrlrequest req; - uint8_t buffer[1024]; + uint8_t buffer[2048]; }; =20 typedef struct USBHostDevice { @@ -552,6 +552,7 @@ static int usb_host_handle_control(USBHostDevice *s, US= BPacket *p) struct usbdevfs_urb *urb; AsyncURB *aurb; int ret, value, index; + int buffer_len; =20 /*=20 * Process certain standard device requests. @@ -580,6 +581,13 @@ static int usb_host_handle_control(USBHostDevice *s, U= SBPacket *p) =20 /* The rest are asynchronous */ =20 + buffer_len =3D 8 + s->ctrl.len; + if (buffer_len > sizeof(s->ctrl.buffer)) { + fprintf(stderr, "husb: ctrl buffer too small (%u > %lu)\n", + buffer_len, sizeof(s->ctrl.buffer)); + return USB_RET_STALL; + } + aurb =3D async_alloc(); aurb->hdev =3D s; aurb->packet =3D p; @@ -596,7 +604,7 @@ static int usb_host_handle_control(USBHostDevice *s, US= BPacket *p) urb->endpoint =3D p->devep; =20 urb->buffer =3D &s->ctrl.req; - urb->buffer_length =3D 8 + s->ctrl.len; + urb->buffer_length =3D buffer_len; =20 urb->usercontext =3D s; =20 --=20 1.6.1.3