From 69958d8a3d9535f43a457044b2b277c3c6a5ef3d Mon Sep 17 00:00:00 2001 From: Paul Zimmerman Date: Sat, 19 Sep 2020 19:14:49 -0700 Subject: [PATCH 1/3] usb: hcd-dwc2: change assert()s to qemu_log_mask(LOG_GUEST_ERROR...) Change several assert()s to qemu_log_mask(LOG_GUEST_ERROR...), to prevent the guest from causing Qemu to assert. Also fix up several existing qemu_log_mask()s to include the function name in the message. Suggested-by: Peter Maydell Signed-off-by: Paul Zimmerman Message-id: 20200920021449.830-1-pauldzim@gmail.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-dwc2.c | 100 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 81 insertions(+), 19 deletions(-) diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c index 97688d21bf..64c23c1ed0 100644 --- a/hw/usb/hcd-dwc2.c +++ b/hw/usb/hcd-dwc2.c @@ -238,7 +238,12 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev, pid = get_field(hctsiz, TSIZ_SC_MC_PID); pcnt = get_field(hctsiz, TSIZ_PKTCNT); len = get_field(hctsiz, TSIZ_XFERSIZE); - assert(len <= DWC2_MAX_XFER_SIZE); + if (len > DWC2_MAX_XFER_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: HCTSIZ transfer size too large\n", __func__); + return; + } + chan = index >> 3; p = &s->packet[chan]; @@ -663,7 +668,12 @@ static uint64_t dwc2_glbreg_read(void *ptr, hwaddr addr, int index, DWC2State *s = ptr; uint32_t val; - assert(addr <= GINTSTS2); + if (addr > GINTSTS2) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return 0; + } + val = s->glbreg[index]; switch (addr) { @@ -690,7 +700,12 @@ static void dwc2_glbreg_write(void *ptr, hwaddr addr, int index, uint64_t val, uint32_t old; int iflg = 0; - assert(addr <= GINTSTS2); + if (addr > GINTSTS2) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return; + } + mmio = &s->glbreg[index]; old = *mmio; @@ -715,27 +730,34 @@ static void dwc2_glbreg_write(void *ptr, hwaddr addr, int index, uint64_t val, val &= ~GRSTCTL_DMAREQ; if (!(old & GRSTCTL_TXFFLSH) && (val & GRSTCTL_TXFFLSH)) { /* TODO - TX fifo flush */ - qemu_log_mask(LOG_UNIMP, "Tx FIFO flush not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: Tx FIFO flush not implemented\n", + __func__); } if (!(old & GRSTCTL_RXFFLSH) && (val & GRSTCTL_RXFFLSH)) { /* TODO - RX fifo flush */ - qemu_log_mask(LOG_UNIMP, "Rx FIFO flush not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: Rx FIFO flush not implemented\n", + __func__); } if (!(old & GRSTCTL_IN_TKNQ_FLSH) && (val & GRSTCTL_IN_TKNQ_FLSH)) { /* TODO - device IN token queue flush */ - qemu_log_mask(LOG_UNIMP, "Token queue flush not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: Token queue flush not implemented\n", + __func__); } if (!(old & GRSTCTL_FRMCNTRRST) && (val & GRSTCTL_FRMCNTRRST)) { /* TODO - host frame counter reset */ - qemu_log_mask(LOG_UNIMP, "Frame counter reset not implemented\n"); + qemu_log_mask(LOG_UNIMP, + "%s: Frame counter reset not implemented\n", + __func__); } if (!(old & GRSTCTL_HSFTRST) && (val & GRSTCTL_HSFTRST)) { /* TODO - host soft reset */ - qemu_log_mask(LOG_UNIMP, "Host soft reset not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: Host soft reset not implemented\n", + __func__); } if (!(old & GRSTCTL_CSFTRST) && (val & GRSTCTL_CSFTRST)) { /* TODO - core soft reset */ - qemu_log_mask(LOG_UNIMP, "Core soft reset not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: Core soft reset not implemented\n", + __func__); } /* don't allow clearing of self-clearing bits */ val |= old & (GRSTCTL_TXFFLSH | GRSTCTL_RXFFLSH | @@ -774,7 +796,12 @@ static uint64_t dwc2_fszreg_read(void *ptr, hwaddr addr, int index, DWC2State *s = ptr; uint32_t val; - assert(addr == HPTXFSIZ); + if (addr != HPTXFSIZ) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return 0; + } + val = s->fszreg[index]; trace_usb_dwc2_fszreg_read(addr, val); @@ -789,7 +816,12 @@ static void dwc2_fszreg_write(void *ptr, hwaddr addr, int index, uint64_t val, uint32_t *mmio; uint32_t old; - assert(addr == HPTXFSIZ); + if (addr != HPTXFSIZ) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return; + } + mmio = &s->fszreg[index]; old = *mmio; @@ -810,7 +842,12 @@ static uint64_t dwc2_hreg0_read(void *ptr, hwaddr addr, int index, DWC2State *s = ptr; uint32_t val; - assert(addr >= HCFG && addr <= HPRT0); + if (addr < HCFG || addr > HPRT0) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return 0; + } + val = s->hreg0[index]; switch (addr) { @@ -837,7 +874,12 @@ static void dwc2_hreg0_write(void *ptr, hwaddr addr, int index, uint64_t val, int prst = 0; int iflg = 0; - assert(addr >= HCFG && addr <= HPRT0); + if (addr < HCFG || addr > HPRT0) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return; + } + mmio = &s->hreg0[index]; old = *mmio; @@ -923,7 +965,12 @@ static uint64_t dwc2_hreg1_read(void *ptr, hwaddr addr, int index, DWC2State *s = ptr; uint32_t val; - assert(addr >= HCCHAR(0) && addr <= HCDMAB(DWC2_NB_CHAN - 1)); + if (addr < HCCHAR(0) || addr > HCDMAB(DWC2_NB_CHAN - 1)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return 0; + } + val = s->hreg1[index]; trace_usb_dwc2_hreg1_read(addr, hreg1nm[index & 7], addr >> 5, val); @@ -941,7 +988,12 @@ static void dwc2_hreg1_write(void *ptr, hwaddr addr, int index, uint64_t val, int enflg = 0; int disflg = 0; - assert(addr >= HCCHAR(0) && addr <= HCDMAB(DWC2_NB_CHAN - 1)); + if (addr < HCCHAR(0) || addr > HCDMAB(DWC2_NB_CHAN - 1)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return; + } + mmio = &s->hreg1[index]; old = *mmio; @@ -1008,7 +1060,12 @@ static uint64_t dwc2_pcgreg_read(void *ptr, hwaddr addr, int index, DWC2State *s = ptr; uint32_t val; - assert(addr >= PCGCTL && addr <= PCGCCTL1); + if (addr < PCGCTL || addr > PCGCCTL1) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return 0; + } + val = s->pcgreg[index]; trace_usb_dwc2_pcgreg_read(addr, pcgregnm[index], val); @@ -1023,7 +1080,12 @@ static void dwc2_pcgreg_write(void *ptr, hwaddr addr, int index, uint32_t *mmio; uint32_t old; - assert(addr >= PCGCTL && addr <= PCGCCTL1); + if (addr < PCGCTL || addr > PCGCCTL1) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%"HWADDR_PRIx"\n", + __func__, addr); + return; + } + mmio = &s->pcgreg[index]; old = *mmio; @@ -1108,7 +1170,7 @@ static uint64_t dwc2_hreg2_read(void *ptr, hwaddr addr, unsigned size) { /* TODO - implement FIFOs to support slave mode */ trace_usb_dwc2_hreg2_read(addr, addr >> 12, 0); - qemu_log_mask(LOG_UNIMP, "FIFO read not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: FIFO read not implemented\n", __func__); return 0; } @@ -1119,7 +1181,7 @@ static void dwc2_hreg2_write(void *ptr, hwaddr addr, uint64_t val, /* TODO - implement FIFOs to support slave mode */ trace_usb_dwc2_hreg2_write(addr, addr >> 12, orig, 0, val); - qemu_log_mask(LOG_UNIMP, "FIFO write not implemented\n"); + qemu_log_mask(LOG_UNIMP, "%s: FIFO write not implemented\n", __func__); } static const MemoryRegionOps dwc2_mmio_hreg2_ops = { From ccee80c68db14b3e965582a19393992b5c2b97f4 Mon Sep 17 00:00:00 2001 From: Anthony PERARD Date: Wed, 14 Oct 2020 11:41:06 +0100 Subject: [PATCH 2/3] usb/hcd-ehci: Fix error handling on missing device for iTD The EHCI Host Controller emulation attempt to locate the device associated with a periodic isochronous transfer description (iTD) and when this fail the host controller is reset. But according the EHCI spec 1.0 section 5.15.2.4 Host System Error, the host controller is supposed to reset itself only when it failed to communicate with the Host (Operating System), like when there's an error on the PCI bus. If a transaction fails, there's nothing in the spec that say to reset the host controller. This patch rework the error path so that the host controller can keep working when the OS setup a bogus transaction, it also revert to the behavior of the EHCI emulation to before commits: e94682f1fe ("ehci: check device is not NULL before calling usb_ep_get()") 7011baece2 ("usb: remove unnecessary NULL device check from usb_ep_get()") The issue has been found while trying to passthrough a USB device to a Windows Server 2012 Xen guest via "usb-ehci", which prevent the USB device from working in Windows. ("usb-ehci" alone works, windows only setup this weird periodic iTD to device 127 endpoint 15 when the USB device is passthrough.) Signed-off-by: Anthony PERARD Message-id: 20201014104106.2962640-1-anthony.perard@citrix.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-ehci.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 2b995443fb..ae7f20c502 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1447,24 +1447,25 @@ static int ehci_process_itd(EHCIState *ehci, dev = ehci_find_device(ehci, devaddr); if (dev == NULL) { ehci_trace_guest_bug(ehci, "no device found"); - qemu_sglist_destroy(&ehci->isgl); - return -1; - } - pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT; - ep = usb_ep_get(dev, pid, endp); - if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { - usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, - (itd->transact[i] & ITD_XACT_IOC) != 0); - if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { - qemu_sglist_destroy(&ehci->isgl); - return -1; - } - usb_handle_packet(dev, &ehci->ipacket); - usb_packet_unmap(&ehci->ipacket, &ehci->isgl); - } else { - DPRINTF("ISOCH: attempt to addess non-iso endpoint\n"); - ehci->ipacket.status = USB_RET_NAK; + ehci->ipacket.status = USB_RET_NODEV; ehci->ipacket.actual_length = 0; + } else { + pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT; + ep = usb_ep_get(dev, pid, endp); + if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { + usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, + (itd->transact[i] & ITD_XACT_IOC) != 0); + if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { + qemu_sglist_destroy(&ehci->isgl); + return -1; + } + usb_handle_packet(dev, &ehci->ipacket); + usb_packet_unmap(&ehci->ipacket, &ehci->isgl); + } else { + DPRINTF("ISOCH: attempt to addess non-iso endpoint\n"); + ehci->ipacket.status = USB_RET_NAK; + ehci->ipacket.actual_length = 0; + } } qemu_sglist_destroy(&ehci->isgl); From bea2a9e3e00b275dc40cfa09c760c715b8753e03 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 15 Oct 2020 09:59:57 +0200 Subject: [PATCH 3/3] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() Check the value of mps to avoid potential divide-by-zero later in the function. Since HCCHAR_MPS is guest controllable, this prevents a malicious/buggy guest from crashing the QEMU process on the host. Signed-off-by: Mauro Matteo Cascella Reviewed-by: Paul Zimmerman Reported-by: Gaoning Pan Reported-by: Xingwei Lin Message-id: 20201015075957.268823-1-mcascell@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-dwc2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c index 64c23c1ed0..e1d96acf7e 100644 --- a/hw/usb/hcd-dwc2.c +++ b/hw/usb/hcd-dwc2.c @@ -250,6 +250,12 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev, trace_usb_dwc2_handle_packet(chan, dev, &p->packet, epnum, types[eptype], dirs[epdir], mps, len, pcnt); + if (mps == 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Bad HCCHAR_MPS set to zero\n", __func__); + return; + } + if (eptype == USB_ENDPOINT_XFER_CONTROL && pid == TSIZ_SC_MC_PID_SETUP) { pid = USB_TOKEN_SETUP; } else {