From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
	"Eduardo Habkost" <ehabkost@redhat.com>,
	"Li Qiang" <liq3ea@163.com>, "Alexander Bulekov" <alxndr@bu.edu>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Cleber Rosa" <crosa@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>
Subject: [PULL 01/18] hw: xhci: check return value of 'usb_packet_map'
Date: Wed, 26 Aug 2020 16:52:22 +0200	[thread overview]
Message-ID: <20200826145239.6077-2-kraxel@redhat.com> (raw)
In-Reply-To: <20200826145239.6077-1-kraxel@redhat.com>

From: Li Qiang <liq3ea@163.com>

Currently we don't check the return value of 'usb_packet_map';
this will cause a UAF issue. This is LP#1891341.
Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c009f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffff3655
writeq 0x9f0d000000002000 0xff2f9e0000000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x06
write 0x17278 0x1 0x34
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c051a0100000000
write 0x34001d 0x1 0x13
write 0x340026 0x1 0x30
write 0x340028 0x1 0x08
write 0x34002c 0x1 0xfe
write 0x34002d 0x1 0x08
write 0x340037 0x1 0x5e
write 0x34003a 0x1 0x05
write 0x34003d 0x1 0x05
write 0x34004d 0x1 0x13
writeq 0x9f0d000000002000 0xff00010100400009
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-id: 20200812153139.15146-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-xhci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 67a18fe2b64c..46a2186d912a 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1615,7 +1615,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
     xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
     usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
                      xfer->trbs[0].addr, false, xfer->int_req);
-    usb_packet_map(&xfer->packet, &xfer->sgl);
+    if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
+        qemu_sglist_destroy(&xfer->sgl);
+        return -1;
+    }
     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
             xfer->packet.pid, ep->dev->addr, ep->nr);
     return 0;
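Review bot: the new error path destroys xfer->sgl before returning -1, so every caller of xhci_setup_packet() must treat a negative return as "no packet mapped, no sglist left" and must not run its usual usb_packet_unmap()/qemu_sglist_destroy() cleanup on xfer->sgl afterwards, or that becomes a double destroy; the callers are outside this hunk, so please confirm they check the return value. The commit message should also say why usb_packet_map() can fail here (a guest-supplied TRB address that cannot be mapped) rather than only stating that an unchecked return leads to a UAF.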
-- 
2.27.0
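A constructed C model of the checked-return pattern this patch introduces, added here as an example; it is not QEMU code. It assumes a toy guest RAM and stand-ins for dma_memory_map(), usb_packet_map() and xhci_setup_packet(), and shows that when one scatter/gather entry fails to map, the mappings made so far are dropped and the caller sees -1 instead of continuing with a packet whose buffers are gone.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not QEMU code: a 4 KiB guest RAM and a scatter/gather
 * list walked entry by entry, as usb_packet_map() walks a QEMUSGList. */
#define GUEST_RAM_SIZE 4096
#define MAX_SG 8

typedef struct { uint64_t base; uint64_t len; } SGEntry;
typedef struct { SGEntry sg[MAX_SG]; int nsg; } SGList;
typedef struct { void *base; size_t len; } IOVec;
typedef struct { IOVec iov[MAX_SG]; int niov; } Packet;

static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Stand-in for dma_memory_map(): NULL when the range is not backed by RAM,
 * which a guest-chosen TRB address can trigger at will. */
static void *dma_map(uint64_t addr, uint64_t len)
{
    if (addr >= GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) {
        return NULL;
    }
    return guest_ram + addr;
}

/* Mirrors the usb_packet_map() contract: 0 on success, -1 if any entry
 * fails to map, after dropping the mappings made so far. */
static int packet_map(Packet *p, const SGList *sgl)
{
    for (int i = 0; i < sgl->nsg; i++) {
        void *mem = dma_map(sgl->sg[i].base, sgl->sg[i].len);
        if (!mem) {
            memset(p->iov, 0, sizeof(p->iov));   /* usb_packet_unmap() */
            p->niov = 0;
            return -1;
        }
        p->iov[p->niov].base = mem;
        p->iov[p->niov].len = (size_t)sgl->sg[i].len;
        p->niov++;
    }
    return 0;
}

/* Caller in the shape of the patched xhci_setup_packet(): the failure is
 * propagated rather than handing the unmapped packet on to the device. */
static int setup_packet(Packet *p, const SGList *sgl)
{
    memset(p, 0, sizeof(*p));
    return packet_map(p, sgl) ? -1 : 0;
}
```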