mirror_qemu/hw/usb
Li Qiang 21bc31524e hw: xhci: check return value of 'usb_packet_map'
Currently we don't check the return value of 'usb_packet_map';
this will cause a UAF issue. This is LP#1891341.
Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c009f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffff3655
writeq 0x9f0d000000002000 0xff2f9e0000000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x06
write 0x17278 0x1 0x34
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c051a0100000000
write 0x34001d 0x1 0x13
write 0x340026 0x1 0x30
write 0x340028 0x1 0x08
write 0x34002c 0x1 0xfe
write 0x34002d 0x1 0x08
write 0x340037 0x1 0x5e
write 0x34003a 0x1 0x05
write 0x34003d 0x1 0x05
write 0x34004d 0x1 0x13
writeq 0x9f0d000000002000 0xff00010100400009
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-id: 20200812153139.15146-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-08-31 08:10:47 +02:00
Kconfig hw: Only compile the usb-dwc2 controller if it is really needed 2020-07-24 16:15:28 +02:00
bus.c error: Eliminate error_propagate() manually 2020-07-10 15:18:08 +02:00
ccid-card-emulated.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ccid-card-passthru.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
ccid.h qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
chipidea.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
combined-packet.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
core.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
desc-msos.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.h all: Clean up includes 2016-02-23 12:43:05 +00:00
dev-audio.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-hid.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-hub.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-mtp.c usb/dev-mtp: Fix Error double free after inotify failure 2020-07-02 06:25:28 +02:00
dev-network.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-serial.c usb: Convert uses of usb_create() 2020-06-15 22:05:28 +02:00
dev-smartcard-reader.c qdev: Drop qbus_set_hotplug_handler() parameter @errp 2020-07-02 06:25:29 +02:00
dev-storage.c usb: fix storage regression 2020-07-16 10:20:27 +02:00
dev-uas.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-wacom.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-dwc2.c hcd-dwc2: Rename USB_*CLASS macros for consistency 2020-08-27 14:04:54 -04:00
hcd-dwc2.h hcd-dwc2: Rename USB_*CLASS macros for consistency 2020-08-27 14:04:54 -04:00
hcd-ehci-pci.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-ehci-sysbus.c hw/arm/allwinner-h3: add USB host controller 2020-03-12 16:27:33 +00:00
hcd-ehci.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-ehci.h qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-musb.c exec/cpu-common: Move MUSB specific typedefs to 'hw/usb/hcd-musb.h' 2020-06-12 11:20:15 -04:00
hcd-ohci-pci.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-ohci.c hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file 2020-02-21 16:07:02 +00:00
hcd-ohci.h hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file 2020-02-21 16:07:02 +00:00
hcd-uhci.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-xhci-nec.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-xhci.c hw: xhci: check return value of 'usb_packet_map' 2020-08-31 08:10:47 +02:00
hcd-xhci.h osdep: Make MIN/MAX evaluate arguments only once 2020-06-26 09:39:39 -04:00
host-libusb.c usb: fix usb-host build on windows. 2020-07-13 11:46:51 +02:00
host-stub.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
host.h usb-host: move legacy cmd line bits 2013-02-19 12:30:05 +01:00
imx-usb-phy.c hw/usb: Add basic i.MX USB Phy support 2020-03-17 11:23:14 +00:00
libhw.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
meson.build meson: convert hw/usb 2020-08-21 06:30:26 -04:00
quirks-ftdi-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks-pl2303-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
quirks.h hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
redirect.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
trace-events usb: add hostdevice property to usb-host 2020-06-17 09:12:22 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tusb6010.c hw/usb: Move device-specific declarations to new 'hcd-musb.h' header 2020-06-12 11:20:14 -04:00
xen-usb.c xen: Fix and improve handling of device_add usb-host errors 2020-05-27 07:45:17 +02:00