mirror of https://github.com/proxmox/mirror_qemu
usb: fix u2f build
usb: fix ohci oob access and loop issues -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABCgAGBQJfaGseAAoJEEy22O7T6HE4ZcUP/idasy/vHdsB2qqV7S3Qz579 VzHD1D9PLc3gJ3dKW9u8JEyIMRH+elkpriv/YaYsZS0mZtaIlZiyhJ0aNzEDkZ4r UDW4VlD9f3Se5YMf4PAWIFgMqUOsqplTRIwwqWjJ5R4hQARu6YoERBx5yOZ3Z9sr FBHjZkPTvs5VEc/lvQ5SiK1FDotks83+6llYx45xaNI4CaYDjZWdMD9nsiKwRATp uJ1D/2Tg3pQXlobh0zUk0yU2SqQtGUhkBNSeX0Urc4uRPi+3eCZF8aWW0EjfMcas NH+NeFzlc6rWk2XFJUhqgcaa9681q7DaXSWk8upiL6gff5V8CDVe8/hoPJ2ttB01 PaG8RDG9pD3GEgwj+YzwnsCSUpBKrF0Bqj5XIQ5GEtmhKbgiTuZ5iIDCP17yRx8x LufTW1FDXxgjHjMT6qkqsiCR6jKAvKsdHvyHcgvfWV0uMhllETCCM9KxCu1xtM3Y xwP4GH0vtrvq/J9mVYLcb2qPzMoWCwBQHcho24SlFi4ZTLSpdpRuMG2gRGUfy+3Y B+l90AUzW9OVw/2KPrxj8T1koIf7NJv6qUd1W1CEx1hZBWgpzDAKa7RtfukD9QNn eGt8dJcILvqTdU1xU//yzUExR7/AC98VIVbyq5J+e8vBd8pDT1uXu1uglBK+If0U 7+YGxB6Y4QCdu1sEvC3K =c3+E -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20200921-pull-request' into staging usb: fix u2f build usb: fix ohci oob access and loop issues # gpg: Signature made Mon 21 Sep 2020 09:58:06 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20200921-pull-request: hw: usb: hcd-ohci: check for processed TD before retire hw: usb: hcd-ohci: check len and frame_number variables usb: fix u2f build Signed-off-by: Peter Maydell <peter.maydell@linaro.org>master
commit
edf6ea6fbe
|
@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||||
the next ISO TD of the same ED */
|
the next ISO TD of the same ED */
|
||||||
trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
|
trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
|
||||||
frame_count);
|
frame_count);
|
||||||
|
if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
|
||||||
|
/* avoid infinite loop */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
|
OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
|
||||||
ed->head &= ~OHCI_DPTR_MASK;
|
ed->head &= ~OHCI_DPTR_MASK;
|
||||||
ed->head |= (iso_td.next & OHCI_DPTR_MASK);
|
ed->head |= (iso_td.next & OHCI_DPTR_MASK);
|
||||||
|
@ -731,7 +735,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||||
}
|
}
|
||||||
|
|
||||||
start_offset = iso_td.offset[relative_frame_number];
|
start_offset = iso_td.offset[relative_frame_number];
|
||||||
next_offset = iso_td.offset[relative_frame_number + 1];
|
if (relative_frame_number < frame_count) {
|
||||||
|
next_offset = iso_td.offset[relative_frame_number + 1];
|
||||||
|
} else {
|
||||||
|
next_offset = iso_td.be;
|
||||||
|
}
|
||||||
|
|
||||||
if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
|
if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
|
||||||
((relative_frame_number < frame_count) &&
|
((relative_frame_number < frame_count) &&
|
||||||
|
@ -764,7 +772,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* Last packet in the ISO TD */
|
/* Last packet in the ISO TD */
|
||||||
end_addr = iso_td.be;
|
end_addr = next_offset;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (start_addr > end_addr) {
|
||||||
|
trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
|
if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
|
||||||
|
@ -773,6 +786,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||||
} else {
|
} else {
|
||||||
len = end_addr - start_addr + 1;
|
len = end_addr - start_addr + 1;
|
||||||
}
|
}
|
||||||
|
if (len > sizeof(ohci->usb_buf)) {
|
||||||
|
len = sizeof(ohci->usb_buf);
|
||||||
|
}
|
||||||
|
|
||||||
if (len && dir != OHCI_TD_DIR_IN) {
|
if (len && dir != OHCI_TD_DIR_IN) {
|
||||||
if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
|
if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
|
||||||
|
@ -975,8 +991,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
|
||||||
if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
|
if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
|
||||||
len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
|
len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
|
||||||
} else {
|
} else {
|
||||||
|
if (td.cbp > td.be) {
|
||||||
|
trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
|
||||||
|
ohci_die(ohci);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
len = (td.be - td.cbp) + 1;
|
len = (td.be - td.cbp) + 1;
|
||||||
}
|
}
|
||||||
|
if (len > sizeof(ohci->usb_buf)) {
|
||||||
|
len = sizeof(ohci->usb_buf);
|
||||||
|
}
|
||||||
|
|
||||||
pktlen = len;
|
pktlen = len;
|
||||||
if (len && dir != OHCI_TD_DIR_IN) {
|
if (len && dir != OHCI_TD_DIR_IN) {
|
||||||
|
|
|
@ -200,7 +200,7 @@ static ssize_t u2f_emulated_read(const char *path, char *buffer,
|
||||||
int fd;
|
int fd;
|
||||||
ssize_t ret;
|
ssize_t ret;
|
||||||
|
|
||||||
fd = qemu_open(path, O_RDONLY);
|
fd = qemu_open_old(path, O_RDONLY);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -217,7 +217,7 @@ static bool u2f_emulated_setup_counter(const char *path,
|
||||||
int fd, ret;
|
int fd, ret;
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
|
|
||||||
fd = qemu_open(path, O_RDWR);
|
fd = qemu_open_old(path, O_RDWR);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue