From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)
Date: Tue, 4 May 2021 10:53:16 +0200 [thread overview]
Message-ID: <20210504085317.207369-7-kraxel@redhat.com> (raw)
In-Reply-To: <20210504085317.207369-1-kraxel@redhat.com>
Make sure the usb packet size is within the
bounds of the endpoint configuration.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
---
hw/usb/hcd-xhci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 46212b1e695a..7acfb8137bc9 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
qemu_sglist_destroy(&xfer->sgl);
return -1;
}
+ if (xfer->packet.iov.size > ep->max_packet_size) {
+ usb_packet_unmap(&xfer->packet, &xfer->sgl);
+ qemu_sglist_destroy(&xfer->sgl);
+ return -1;
+ }
DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
xfer->packet.pid, ep->dev->addr, ep->nr);
return 0;
--
2.31.1
next prev parent reply other threads:[~2021-05-04 9:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-04 8:53 [PULL 0/7] Usb 20210504 patches Gerd Hoffmann
2021-05-04 8:53 ` [PULL 1/7] hw/usb/host-stub: Remove unused header Gerd Hoffmann
2021-05-04 8:53 ` [PULL 2/7] hw/usb: Do not build USB subsystem if not required Gerd Hoffmann
2021-05-04 8:53 ` [PULL 3/7] usb/hid: avoid dynamic stack allocation Gerd Hoffmann
2021-05-04 8:53 ` [PULL 4/7] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) Gerd Hoffmann
2021-05-04 8:53 ` [PULL 5/7] usb/mtp: avoid dynamic stack allocation Gerd Hoffmann
2021-05-04 8:53 ` Gerd Hoffmann [this message]
2021-05-04 13:33 ` [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527) Remy Noel
2021-05-04 14:12 ` Gerd Hoffmann
2021-05-04 8:53 ` [PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527) Gerd Hoffmann
2021-05-05 13:05 ` [PULL 0/7] Usb 20210504 patches Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210504085317.207369-7-kraxel@redhat.com \
--to=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).