206 lines
7.4 KiB
Diff
206 lines
7.4 KiB
Diff
From 3f67e2e7f135b8be4117f3c2960e78d894feaa03 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:11 +0200
|
|
Subject: usb/hid: avoid dynamic stack allocation
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use autofree heap allocation instead.
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
|
|
---
|
|
hw/usb/dev-hid.c | 2 +-
|
|
hw/usb/dev-wacom.c | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
|
|
index fc39bab79f..1c7ae97c30 100644
|
|
--- a/hw/usb/dev-hid.c
|
|
+++ b/hw/usb/dev-hid.c
|
|
@@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
|
|
{
|
|
USBHIDState *us = USB_HID(dev);
|
|
HIDState *hs = &us->hid;
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
int len = 0;
|
|
|
|
switch (p->pid) {
|
|
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
|
|
index b595048635..ed687bc9f1 100644
|
|
--- a/hw/usb/dev-wacom.c
|
|
+++ b/hw/usb/dev-wacom.c
|
|
@@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
|
|
static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
|
|
{
|
|
USBWacomState *s = (USBWacomState *) dev;
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
int len = 0;
|
|
|
|
switch (p->pid) {
|
|
--
|
|
cgit v1.2.2
|
|
|
|
From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:12 +0200
|
|
Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use autofree heap allocation instead.
|
|
|
|
Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
|
|
---
|
|
hw/usb/redirect.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
|
index 17f06f3417..6a75b0dc4a 100644
|
|
--- a/hw/usb/redirect.c
|
|
+++ b/hw/usb/redirect.c
|
|
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
|
|
.endpoint = ep,
|
|
.length = p->iov.size
|
|
};
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
/* No id, we look at the ep when receiving a status back */
|
|
usb_packet_copy(p, buf, p->iov.size);
|
|
usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
|
|
@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
|
|
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
|
&bulk_packet, NULL, 0);
|
|
} else {
|
|
- uint8_t buf[size];
|
|
+ g_autofree uint8_t *buf = g_malloc(size);
|
|
usb_packet_copy(p, buf, size);
|
|
usbredir_log_data(dev, "bulk data out:", buf, size);
|
|
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
|
@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
|
|
USBPacket *p, uint8_t ep)
|
|
{
|
|
struct usb_redir_interrupt_packet_header interrupt_packet;
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
|
|
DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
|
|
p->iov.size, p->id);
|
|
--
|
|
cgit v1.2.2
|
|
|
|
From 06aa50c06c6392084244f8169d34b8e2d9c43ef2 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:13 +0200
|
|
Subject: usb/mtp: avoid dynamic stack allocation
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Use autofree heap allocation instead.
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Message-Id: <20210503132915.2335822-4-kraxel@redhat.com>
|
|
---
|
|
hw/usb/dev-mtp.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
|
|
index bbb8274344..2a895a73b0 100644
|
|
--- a/hw/usb/dev-mtp.c
|
|
+++ b/hw/usb/dev-mtp.c
|
|
@@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
|
|
MTPObject *o)
|
|
{
|
|
MTPData *d = usb_mtp_data_alloc(c);
|
|
- uint32_t i = 0, handles[o->nchildren];
|
|
+ uint32_t i = 0;
|
|
+ g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
|
|
MTPObject *iter;
|
|
|
|
trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);
|
|
--
|
|
cgit v1.2.2
|
|
|
|
From 3f8e5ae2a0cc0c482718a1c9ea111c94b7321b58 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:14 +0200
|
|
Subject: usb/xhci: sanity check packet size (CVE-2021-3527)
|
|
|
|
Make sure the usb packet size is within the
|
|
bounds of the endpoint configuration.
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
|
|
---
|
|
hw/usb/hcd-xhci.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|
index 46212b1e69..7acfb8137b 100644
|
|
--- a/hw/usb/hcd-xhci.c
|
|
+++ b/hw/usb/hcd-xhci.c
|
|
@@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
|
|
qemu_sglist_destroy(&xfer->sgl);
|
|
return -1;
|
|
}
|
|
+ if (xfer->packet.iov.size > ep->max_packet_size) {
|
|
+ usb_packet_unmap(&xfer->packet, &xfer->sgl);
|
|
+ qemu_sglist_destroy(&xfer->sgl);
|
|
+ return -1;
|
|
+ }
|
|
DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
|
|
xfer->packet.pid, ep->dev->addr, ep->nr);
|
|
return 0;
|
|
--
|
|
cgit v1.2.2
|
|
|
|
From 6d900b0752a72d1236a37dd31ff4a9e685e5ff56 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:15 +0200
|
|
Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
|
|
|
|
usb-host and usb-redirect try to batch bulk transfers by combining many
|
|
small usb packets into a single, large transfer request, to reduce the
|
|
overhead and improve performance.
|
|
|
|
This patch adds a size limit of 1 MiB for those combined packets to
|
|
restrict the host resources the guest can bind that way.
|
|
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
|
|
---
|
|
hw/usb/combined-packet.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
|
|
index 5d57e883dc..e56802f89a 100644
|
|
--- a/hw/usb/combined-packet.c
|
|
+++ b/hw/usb/combined-packet.c
|
|
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
|
|
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
|
|
next == NULL ||
|
|
/* Work around for Linux usbfs bulk splitting + migration */
|
|
- (totalsize == (16 * KiB - 36) && p->int_req)) {
|
|
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
|
|
+ /* Next package may grow combined package over 1MiB */
|
|
+ totalsize > 1 * MiB - ep->max_packet_size) {
|
|
usb_device_handle_data(ep->dev, first);
|
|
assert(first->status == USB_RET_ASYNC);
|
|
if (first->combined) {
|
|
--
|
|
cgit v1.2.2
|
|
|