From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Prasad J Pandit" <pjp@fedoraproject.org>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
qemu-devel@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>
Cc: "Gerd Hoffmann" <kraxel@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Arash Tohidi Chafi" <tohidi.arash@gmail.com>
Subject: [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion
Date: Thu, 14 Feb 2019 21:19:32 +0100
Message-ID: <20190214201939.494-3-philmd@redhat.com>
In-Reply-To: <20190214201939.494-1-philmd@redhat.com>
The right side of the comparison is the return value of can_read():
VSCARD_IN_SIZE - card->vscard_in_pos.
Since the 'size' argument of chardev::read() is bound to
what chardev::can_read() returns, this condition can never happen.
Add an assertion, which will always fail if card->vscard_in_pos >=
VSCARD_IN_SIZE, since size > 0.
This is a quick fix for CVE-2018-18438 "Integer overflow in
ccid_card_vscard_read() allows memory corruption".
Fixes: CVE-2018-18438
Reported-by: Arash Tohidi Chafi <tohidi.arash@gmail.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
hw/usb/ccid-card-passthru.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
index 8bb1314f49..1676b5fc05 100644
--- a/hw/usb/ccid-card-passthru.c
+++ b/hw/usb/ccid-card-passthru.c
@@ -264,24 +264,12 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
}
}
-static void ccid_card_vscard_drop_connection(PassthruState *card)
-{
- qemu_chr_fe_deinit(&card->cs, true);
- card->vscard_in_pos = card->vscard_in_hdr = 0;
-}
-
static void ccid_card_vscard_read(void *opaque, const uint8_t *buf, int size)
{
PassthruState *card = opaque;
VSCMsgHeader *hdr;
- if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
- error_report("no room for data: pos %u + size %d > %" PRId64 "."
- " dropping connection.",
- card->vscard_in_pos, size, VSCARD_IN_SIZE);
- ccid_card_vscard_drop_connection(card);
- return;
- }
+ assert(size <= VSCARD_IN_SIZE - card->vscard_in_pos);
assert(card->vscard_in_hdr < VSCARD_IN_SIZE);
memcpy(card->vscard_in_data + card->vscard_in_pos, buf, size);
card->vscard_in_pos += size;
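Review bot: replacing the "no room for data" branch with `assert(size <= VSCARD_IN_SIZE - card->vscard_in_pos);` turns what used to be a logged connection drop into a process abort, so the patch is only safe if chardev::can_read() really does bound `size` as the commit message argues; that bound lives in a different function, so a one-line comment above the assert naming it (e.g. `/* size is bounded by what ccid_card_vscard_can_read() returned */`) would keep the invariant visible, and the patch should land together with 1/9, which is the one in this series that touches can_read(). Also, the new expression still passes for a negative `size`, which the commit message rules out by argument only ("since size > 0"); adding `assert(size >= 0)` here, or moving straight to the size_t change of 8/9, makes that claim checkable rather than assumed.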
--
2.20.1
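The can_read()/read() contract the commit message relies on, written out as an added example; this is not QEMU code, and the 16-byte VSCARD_IN_SIZE, the deliver() chunk loop and the sample stream are all constructed here to show why the assertion can only fire if the chardev layer breaks its own bound.

```c
/* Added example (not QEMU code): models the chardev can_read()/read()
 * contract. Names mirror the patch; sizes and sample data are constructed. */
#include <assert.h>
#include <stdint.h>
#include <string.h>

#define VSCARD_IN_SIZE 16   /* constructed; QEMU's real value is larger */

typedef struct {
    uint8_t  vscard_in_data[VSCARD_IN_SIZE];
    uint32_t vscard_in_pos;
} PassthruState;

/* The chardev layer calls this first and never hands read() more bytes
 * than it returns. That is the invariant the patch's assert() encodes. */
static int ccid_card_vscard_can_read(PassthruState *card)
{
    assert(card->vscard_in_pos <= VSCARD_IN_SIZE);
    return VSCARD_IN_SIZE - card->vscard_in_pos;
}

static void ccid_card_vscard_read(PassthruState *card, const uint8_t *buf, int size)
{
    /* Same expression as the patch: can only fail if can_read() was ignored. */
    assert(size >= 0 && size <= VSCARD_IN_SIZE - card->vscard_in_pos);
    memcpy(card->vscard_in_data + card->vscard_in_pos, buf, size);
    card->vscard_in_pos += size;
}

/* Chardev-style delivery loop: offer `len` bytes in chunks of up to `chunk`,
 * each clipped to can_read(). Returns how many bytes reached the card buffer. */
static int deliver(PassthruState *card, const uint8_t *src, int len, int chunk)
{
    int sent = 0;
    while (sent < len) {
        int room = ccid_card_vscard_can_read(card);
        if (room == 0) {
            break;              /* buffer full: a real chardev stops polling */
        }
        int n = len - sent;
        if (n > chunk) n = chunk;
        if (n > room)  n = room;
        ccid_card_vscard_read(card, src + sent, n);
        sent += n;
    }
    return sent;
}
```

With a 24-byte stream offered in 5-byte chunks, exactly 16 bytes land and read() is never invoked past the bound, which is the whole justification for dropping the old runtime check.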
2019-02-14 20:19 [Qemu-devel] [PATCH v2 0/9] ccid-card-passthru: check buffer size parameter Philippe Mathieu-Daudé
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 1/9] ccid-card-passthru: Move assertion in read() to can_read() Philippe Mathieu-Daudé
2019-02-14 21:18 ` Eric Blake
2019-02-15 8:44 ` Wei Yang
2019-02-15 11:02 ` Marc-André Lureau
2019-02-14 20:19 ` Philippe Mathieu-Daudé [this message]
2019-02-15 10:59 ` [Qemu-devel] [PATCH v2 2/9] ccid-card-passthru: Replace never trigger if statement by an assertion Marc-André Lureau
2019-02-18 22:10 ` Philippe Mathieu-Daudé
2019-02-21 11:04 ` P J P
2019-02-21 11:09 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 3/9] ccid-card-passthru: Assert on a stricter expression Philippe Mathieu-Daudé
2019-02-15 8:47 ` Wei Yang
2019-02-15 11:15 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 4/9] ccid-card-passthru: Let the chardev::read() be more generic Philippe Mathieu-Daudé
2019-02-15 11:43 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 5/9] ccid-card-passthru: Replace assert() by QEMU_BUILD_BUG_ON() Philippe Mathieu-Daudé
2019-02-15 11:44 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 6/9] ccid-card-passthru: Simplify the if() condition Philippe Mathieu-Daudé
2019-02-15 11:49 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 7/9] ccid-card-passthru: Use QERR_MISSING_PARAMETER Philippe Mathieu-Daudé
2019-02-14 21:22 ` Eric Blake
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 8/9] ccid-card-passthru: Use size_t to hold size argument Philippe Mathieu-Daudé
2019-02-15 11:51 ` Marc-André Lureau
2019-02-14 20:19 ` [Qemu-devel] [PATCH v2 9/9] ccid-card-passthru: Use size_t for index Philippe Mathieu-Daudé
2019-02-15 11:52 ` Marc-André Lureau