* [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() @ 2020-10-12 15:03 Mauro Matteo Cascella 2020-10-12 20:34 ` Paul Zimmerman 0 siblings, 1 reply; 9+ messages in thread From: Mauro Matteo Cascella @ 2020-10-12 15:03 UTC (permalink / raw) To: qemu-devel; +Cc: gaoning.pgn, mcascell, linyi.lxw, kraxel, pauldzim Check the value of mps before it is used as divisor. Since HCCHAR_MPS is guest controllable, this prevents a malicious/buggy guest from crashing the QEMU process on the host. Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reported-by: Gaoning Pan <gaoning.pgn@antgroup.com> Reported-by: Xingwei Lin <linyi.lxw@antfin.com> --- hw/usb/hcd-dwc2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c index 97688d21bf..91476fd781 100644 --- a/hw/usb/hcd-dwc2.c +++ b/hw/usb/hcd-dwc2.c @@ -324,6 +324,12 @@ babble: } } + if (mps == 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Bad HCCHAR_MPS set to zero\n", __func__); + return; + } + tpcnt = actual / mps; if (actual % mps) { tpcnt++; -- 2.26.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-12 15:03 [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() Mauro Matteo Cascella @ 2020-10-12 20:34 ` Paul Zimmerman 2020-10-13 7:04 ` Gerd Hoffmann 0 siblings, 1 reply; 9+ messages in thread From: Paul Zimmerman @ 2020-10-12 20:34 UTC (permalink / raw) To: Mauro Matteo Cascella Cc: gaoning.pgn, linyi.lxw, QEMU Developers, Gerd Hoffmann On Mon, Oct 12, 2020 at 8:05 AM Mauro Matteo Cascella <mcascell@redhat.com> wrote: > > Check the value of mps before it is used as divisor. Since HCCHAR_MPS is guest > controllable, this prevents a malicious/buggy guest from crashing the QEMU > process on the host. > > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > Reported-by: Gaoning Pan <gaoning.pgn@antgroup.com> > Reported-by: Xingwei Lin <linyi.lxw@antfin.com> > --- > hw/usb/hcd-dwc2.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c > index 97688d21bf..91476fd781 100644 > --- a/hw/usb/hcd-dwc2.c > +++ b/hw/usb/hcd-dwc2.c > @@ -324,6 +324,12 @@ babble: > } > } > > + if (mps == 0) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "%s: Bad HCCHAR_MPS set to zero\n", __func__); > + return; > + } > + > tpcnt = actual / mps; > if (actual % mps) { > tpcnt++; > -- > 2.26.2 > Hi Mauro, I think it would be better to move this check earlier in the function, just after 'mps' is read from the register. Otherwise it can get assigned to 'tlen' and 'p->mps', and who knows what mischief an invalid value there might cause. After that, you can add my Reviewed-by: Paul Zimmerman <pauldzim@gmail.com> Thanks, Paul ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-12 20:34 ` Paul Zimmerman @ 2020-10-13 7:04 ` Gerd Hoffmann 2020-10-13 7:19 ` Paul Zimmerman 0 siblings, 1 reply; 9+ messages in thread From: Gerd Hoffmann @ 2020-10-13 7:04 UTC (permalink / raw) To: Paul Zimmerman Cc: gaoning.pgn, Mauro Matteo Cascella, QEMU Developers, linyi.lxw > > + if (mps == 0) { > > + qemu_log_mask(LOG_GUEST_ERROR, > > + "%s: Bad HCCHAR_MPS set to zero\n", __func__); > > + return; > > + } > I think it would be better to move this check earlier in the function, > just after 'mps' is read from the register. Otherwise it can get > assigned to 'tlen' and 'p->mps', and who knows what mischief an > invalid value there might cause. Makes sense. While being at it maybe handle len > DWC2_MAX_XFER_SIZE the same way, the assert looks like it can be triggered by the guest. Also: What would be the effect of simply returning here? Would dwc2 emulation simply stop processing queues? Should we maybe raise an error IRQ? What will real dwc2 hardware do in this case? take care, Gerd ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-13 7:04 ` Gerd Hoffmann @ 2020-10-13 7:19 ` Paul Zimmerman 2020-10-13 8:41 ` Gerd Hoffmann 2020-10-14 12:06 ` Gerd Hoffmann 0 siblings, 2 replies; 9+ messages in thread From: Paul Zimmerman @ 2020-10-13 7:19 UTC (permalink / raw) To: Gerd Hoffmann Cc: gaoning.pgn, Mauro Matteo Cascella, QEMU Developers, linyi.lxw Hi Gerd, On Tue, Oct 13, 2020 at 12:04 AM Gerd Hoffmann <kraxel@redhat.com> wrote: > > > > + if (mps == 0) { > > > + qemu_log_mask(LOG_GUEST_ERROR, > > > + "%s: Bad HCCHAR_MPS set to zero\n", __func__); > > > + return; > > > + } > > > I think it would be better to move this check earlier in the function, > > just after 'mps' is read from the register. Otherwise it can get > > assigned to 'tlen' and 'p->mps', and who knows what mischief an > > invalid value there might cause. > > Makes sense. While being at it maybe handle len > DWC2_MAX_XFER_SIZE > the same way, the assert looks like it can be triggered by the guest. I sent you a patch to fix up several assert()s, including that one, about a month ago. Did you miss it? https://lore.kernel.org/qemu-devel/20200920021449.830-1-pauldzim@gmail.com > Also: What would be the effect of simply returning here? Would dwc2 > emulation simply stop processing queues? Should we maybe raise an > error IRQ? Not entirely sure, I imagine the emulation will just stop working. I can test it tomorrow. Also, can you give me a hint what an error IRQ is? Is that a Qemu thing, or do you mean we should emulate what the real core does in this case? > What will real dwc2 hardware do in this case? No idea. I don't think it's mentioned in the manual. -Paul > take care, > Gerd > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-13 7:19 ` Paul Zimmerman @ 2020-10-13 8:41 ` Gerd Hoffmann 2020-10-14 19:55 ` Mauro Matteo Cascella 2020-10-14 12:06 ` Gerd Hoffmann 1 sibling, 1 reply; 9+ messages in thread From: Gerd Hoffmann @ 2020-10-13 8:41 UTC (permalink / raw) To: Paul Zimmerman Cc: gaoning.pgn, Mauro Matteo Cascella, QEMU Developers, linyi.lxw On Tue, Oct 13, 2020 at 12:19:40AM -0700, Paul Zimmerman wrote: > I sent you a patch to fix up several assert()s, including that one, about a > month ago. Did you miss it? > https://lore.kernel.org/qemu-devel/20200920021449.830-1-pauldzim@gmail.com I'll check. There is a bunch of pending stuff in my qemu-patches mailbox I'll try to process this week ... > > Also: What would be the effect of simply returning here? Would dwc2 > > emulation simply stop processing queues? Should we maybe raise an > > error IRQ? > > Not entirely sure, I imagine the emulation will just stop working. I can > test it tomorrow. Also, can you give me a hint what an error IRQ is? > Is that a Qemu thing, or do you mean we should emulate what the > real core does in this case? Same real hardware does. ehci for example has the USBSTS_ERRINT bit in the IRQ status register to signal errors. take care, Gerd ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-13 8:41 ` Gerd Hoffmann @ 2020-10-14 19:55 ` Mauro Matteo Cascella 2020-10-15 7:35 ` Paul Zimmerman 0 siblings, 1 reply; 9+ messages in thread From: Mauro Matteo Cascella @ 2020-10-14 19:55 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: gaoning.pgn, linyi.lxw, QEMU Developers, Paul Zimmerman On Tue, Oct 13, 2020 at 10:41 AM Gerd Hoffmann <kraxel@redhat.com> wrote: > > On Tue, Oct 13, 2020 at 12:19:40AM -0700, Paul Zimmerman wrote: > > I sent you a patch to fix up several assert()s, including that one, about a > > month ago. Did you miss it? > > https://lore.kernel.org/qemu-devel/20200920021449.830-1-pauldzim@gmail.com > > I'll check. There is a bunch of pending stuff in my qemu-patches > mailbox I'll try to process this week ... > > > > Also: What would be the effect of simply returning here? Would dwc2 > > > emulation simply stop processing queues? Should we maybe raise an > > > error IRQ? > > > > Not entirely sure, I imagine the emulation will just stop working. I can > > test it tomorrow. Also, can you give me a hint what an error IRQ is? > > Is that a Qemu thing, or do you mean we should emulate what the > > real core does in this case? > > Same real hardware does. ehci for example has the USBSTS_ERRINT bit in > the IRQ status register to signal errors. > > take care, > Gerd > I'll send a new version of the patch with the check moved earlier in the function, as suggested by Paul. If raising an error turns out to be the right thing to do, I think other checks may need to be updated in addition to this one. Hence we can possibly address that in a later patch. Thanks a lot for your comments. -- Mauro Matteo Cascella, Red Hat Product Security 6F78 E20B 5935 928C F0A8 1A9D 4E55 23B8 BB34 10B0 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-14 19:55 ` Mauro Matteo Cascella @ 2020-10-15 7:35 ` Paul Zimmerman 2020-10-15 10:17 ` Gerd Hoffmann 0 siblings, 1 reply; 9+ messages in thread From: Paul Zimmerman @ 2020-10-15 7:35 UTC (permalink / raw) To: Mauro Matteo Cascella Cc: gaoning.pgn, linyi.lxw, Gerd Hoffmann, QEMU Developers On Wed, Oct 14, 2020 at 12:55 PM Mauro Matteo Cascella <mcascell@redhat.com> wrote: > > On Tue, Oct 13, 2020 at 10:41 AM Gerd Hoffmann <kraxel@redhat.com> wrote: > > > > > > Also: What would be the effect of simply returning here? Would dwc2 > > > > emulation simply stop processing queues? Should we maybe raise an > > > > error IRQ? > > > > > > Not entirely sure, I imagine the emulation will just stop working. I can > > > test it tomorrow. Also, can you give me a hint what an error IRQ is? > > > Is that a Qemu thing, or do you mean we should emulate what the > > > real core does in this case? > > > > Same real hardware does. ehci for example has the USBSTS_ERRINT bit in > > the IRQ status register to signal errors. So I tested this patch (modified as I suggested) in two ways. First, I hacked up the dwc_otg driver in the Raspbian kernel to always set the 'mps' field to zero. Then I booted the 2019-09-26-raspbian-buster Raspbian image with 4 usb devices, keyboard, tablet, storage, and network. In this test, the first USB device failed to enumerate, giving the kernel error message "usb 1-1: device descriptor read/64, error -110". The kernel retried the enumeration several times, finally giving the message "usb usb1-port1: unable to enumerate usb device". After that, there was no more USB activity shown in the kernel log. Otherwise the kernel seemed to keep running normally and the raspi emulation continued to run. In the second test, I changed the hack to only zero the 'mps' field for bulk transfers. In that case, the non-bulk devices (keyboard, tablet) continued to operate normally. The bulk devices (storage, network) enumerated fine, but after that they failed to work, with various error messages in the kernel log. Again the kernel seemed to keep running normally and the raspi emulation continued to run. So I think the patch works fine, and I don't think we need to do anything fancier. - Paul > > > > take care, > > Gerd > > > > I'll send a new version of the patch with the check moved earlier in > the function, as suggested by Paul. If raising an error turns out to > be the right thing to do, I think other checks may need to be updated > in addition to this one. Hence we can possibly address that in a later > patch. Thanks a lot for your comments. > > -- > Mauro Matteo Cascella, Red Hat Product Security > 6F78 E20B 5935 928C F0A8 1A9D 4E55 23B8 BB34 10B0 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-15 7:35 ` Paul Zimmerman @ 2020-10-15 10:17 ` Gerd Hoffmann 0 siblings, 0 replies; 9+ messages in thread From: Gerd Hoffmann @ 2020-10-15 10:17 UTC (permalink / raw) To: Paul Zimmerman Cc: gaoning.pgn, Mauro Matteo Cascella, QEMU Developers, linyi.lxw Hi, > So I think the patch works fine, and I don't think we need to do > anything fancier. Cool, thanks for checking. take care, Gerd ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() 2020-10-13 7:19 ` Paul Zimmerman 2020-10-13 8:41 ` Gerd Hoffmann @ 2020-10-14 12:06 ` Gerd Hoffmann 1 sibling, 0 replies; 9+ messages in thread From: Gerd Hoffmann @ 2020-10-14 12:06 UTC (permalink / raw) To: Paul Zimmerman Cc: gaoning.pgn, Mauro Matteo Cascella, QEMU Developers, linyi.lxw Hi, > I sent you a patch to fix up several assert()s, including that one, about a > month ago. Did you miss it? > https://lore.kernel.org/qemu-devel/20200920021449.830-1-pauldzim@gmail.com Seems I missed that, or deleted by accident. Added to qemu queue now. thanks, Gerd ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-10-15 10:18 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-10-12 15:03 [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() Mauro Matteo Cascella 2020-10-12 20:34 ` Paul Zimmerman 2020-10-13 7:04 ` Gerd Hoffmann 2020-10-13 7:19 ` Paul Zimmerman 2020-10-13 8:41 ` Gerd Hoffmann 2020-10-14 19:55 ` Mauro Matteo Cascella 2020-10-15 7:35 ` Paul Zimmerman 2020-10-15 10:17 ` Gerd Hoffmann 2020-10-14 12:06 ` Gerd Hoffmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).