diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2021-05-10 19:55:06 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2021-05-10 19:55:06 +0100 |
| commit | e4f3ede95ce813d5705c65e1c0e1c80c70739ebb (patch) | |
| tree | 016c7cd9d083ce5ac4304ba6d09c99cbd4c9214f /hw | |
| parent | e58c7a3bba3076890592f02d2b0e596bf191b5c2 (diff) | |
| parent | 05a40b172e4d691371534828078be47e7fff524c (diff) | |
Merge remote-tracking branch 'remotes/kraxel/tags/usb-20210505-pull-request' into staging
usb: fix some memory allocation issues (CVE-2021-3527).
usb: add stubs, allow building without usb subsystem.
# gpg: Signature made Wed 05 May 2021 14:07:02 BST
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* remotes/kraxel/tags/usb-20210505-pull-request:
usb: limit combined packets to 1 MiB (CVE-2021-3527)
usb/mtp: avoid dynamic stack allocation
usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
usb/hid: avoid dynamic stack allocation
hw/usb: Do not build USB subsystem if not required
hw/usb/host-stub: Remove unused header
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/usb/combined-packet.c | 4 | ||||
| -rw-r--r-- | hw/usb/dev-hid.c | 2 | ||||
| -rw-r--r-- | hw/usb/dev-mtp.c | 3 | ||||
| -rw-r--r-- | hw/usb/dev-wacom.c | 2 | ||||
| -rw-r--r-- | hw/usb/host-stub.c | 1 | ||||
| -rw-r--r-- | hw/usb/meson.build | 9 | ||||
| -rw-r--r-- | hw/usb/redirect.c | 6 |
7 files changed, 13 insertions, 14 deletions
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c index 5d57e883dc..e56802f89a 100644 --- a/hw/usb/combined-packet.c +++ b/hw/usb/combined-packet.c @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || next == NULL || /* Work around for Linux usbfs bulk splitting + migration */ - (totalsize == (16 * KiB - 36) && p->int_req)) { + (totalsize == (16 * KiB - 36) && p->int_req) || + /* Next package may grow combined package over 1MiB */ + totalsize > 1 * MiB - ep->max_packet_size) { usb_device_handle_data(ep->dev, first); assert(first->status == USB_RET_ASYNC); if (first->combined) { diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c index fc39bab79f..1c7ae97c30 100644 --- a/hw/usb/dev-hid.c +++ b/hw/usb/dev-hid.c @@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) { USBHIDState *us = USB_HID(dev); HIDState *hs = &us->hid; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index bbb8274344..2a895a73b0 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c, MTPObject *o) { MTPData *d = usb_mtp_data_alloc(c); - uint32_t i = 0, handles[o->nchildren]; + uint32_t i = 0; + g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren); MTPObject *iter; trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path); diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c index b595048635..ed687bc9f1 100644 --- a/hw/usb/dev-wacom.c +++ b/hw/usb/dev-wacom.c @@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) { USBWacomState *s = (USBWacomState *) dev; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); int len = 0; switch (p->pid) { diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c index 538ed29684..80809ceba5 100644 --- a/hw/usb/host-stub.c +++ b/hw/usb/host-stub.c @@ -31,7 +31,6 @@ */ #include "qemu/osdep.h" -#include "ui/console.h" #include "hw/usb.h" #include "monitor/monitor.h" diff --git a/hw/usb/meson.build b/hw/usb/meson.build index fb7a74e73a..f357270d0b 100644 --- a/hw/usb/meson.build +++ b/hw/usb/meson.build @@ -1,17 +1,14 @@ hw_usb_modules = {} # usb subsystem core -softmmu_ss.add(files( +softmmu_ss.add(when: 'CONFIG_USB', if_true: files( 'bus.c', 'combined-packet.c', 'core.c', - 'pcap.c', - 'libhw.c' -)) - -softmmu_ss.add(when: 'CONFIG_USB', if_true: files( 'desc.c', 'desc-msos.c', + 'libhw.c', + 'pcap.c', )) # usb host adapters diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 17f06f3417..6a75b0dc4a 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, .endpoint = ep, .length = p->iov.size }; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); /* No id, we look at the ep when receiving a status back */ usb_packet_copy(p, buf, p->iov.size); usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { - uint8_t buf[size]; + g_autofree uint8_t *buf = g_malloc(size); usb_packet_copy(p, buf, size); usbredir_log_data(dev, "bulk data out:", buf, size); usbredirparser_send_bulk_packet(dev->parser, p->id, @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, USBPacket *p, uint8_t ep) { struct usb_redir_interrupt_packet_header interrupt_packet; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, p->iov.size, p->id); |