From 4ee40a6b98c02b72fc5dd262df9d3ac8680d767b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9sar=20Belley?= Date: Wed, 26 Aug 2020 13:42:08 +0200 Subject: hw/usb: Add U2F device check to passthru mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patchs adds a check to verify that the device passed through the hidraw property is a U2F device. The check is done by ensuring that the first values of the report descriptor (USAGE PAGE and USAGE) correspond to those of a U2F device. Signed-off-by: César Belley Message-id: 20200826114209.28821-12-cesar.belley@lse.epita.fr Signed-off-by: Gerd Hoffmann --- hw/usb/u2f-passthru.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'hw') diff --git a/hw/usb/u2f-passthru.c b/hw/usb/u2f-passthru.c index 52b4467077..74d4ae6e92 100644 --- a/hw/usb/u2f-passthru.c +++ b/hw/usb/u2f-passthru.c @@ -34,6 +34,12 @@ #include "u2f.h" +#ifdef CONFIG_LIBUDEV +#include +#endif +#include +#include + #define NONCE_SIZE 8 #define BROADCAST_CID 0xFFFFFFFF #define TRANSACTION_TIMEOUT 120000 @@ -344,6 +350,34 @@ static void u2f_passthru_recv_from_guest(U2FKeyState *base, } } +static bool u2f_passthru_is_u2f_device(int fd) +{ + int ret, rdesc_size; + struct hidraw_report_descriptor rdesc; + const uint8_t u2f_hid_report_desc_header[] = { + 0x06, 0xd0, 0xf1, /* Usage Page (FIDO) */ + 0x09, 0x01, /* Usage (FIDO) */ + }; + + /* Get report descriptor size */ + ret = ioctl(fd, HIDIOCGRDESCSIZE, &rdesc_size); + if (ret < 0 || rdesc_size < sizeof(u2f_hid_report_desc_header)) { + return false; + } + + /* Get report descriptor */ + memset(&rdesc, 0x0, sizeof(rdesc)); + rdesc.size = rdesc_size; + ret = ioctl(fd, HIDIOCGRDESC, &rdesc); + if (ret < 0) { + return false; + } + + /* Header bytes cover specific U2F rdesc values */ + return memcmp(u2f_hid_report_desc_header, rdesc.value, + sizeof(u2f_hid_report_desc_header)) == 0; +} + static void u2f_passthru_unrealize(U2FKeyState *base) { U2FPassthruState *key = PASSTHRU_U2F_KEY(base); @@ -368,6 +402,13 @@ static void u2f_passthru_realize(U2FKeyState *base, Error **errp) key->hidraw); return; } + + if (!u2f_passthru_is_u2f_device(fd)) { + qemu_close(fd); + error_setg(errp, "%s: Passed hidraw does not represent " + "a U2F HID device", TYPE_U2F_PASSTHRU); + return; + } key->hidraw_fd = fd; u2f_passthru_reset(key); } -- cgit v1.2.3