mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
21bc31524e
qemu/hw
History
Li Qiang 21bc31524e hw: xhci: check return value of 'usb_packet_map' 
Currently we don't check the return value of 'usb_packet_map',
this will cause an UAF issue. This is LP#1891341.
Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c009f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffff3655
writeq 0x9f0d000000002000 0xff2f9e0000000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x06
write 0x17278 0x1 0x34
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c051a0100000000
write 0x34001d 0x1 0x13
write 0x340026 0x1 0x30
write 0x340028 0x1 0x08
write 0x34002c 0x1 0xfe
write 0x34002d 0x1 0x08
write 0x340037 0x1 0x5e
write 0x34003a 0x1 0x05
write 0x34003d 0x1 0x05
write 0x34004d 0x1 0x13
writeq 0x9f0d000000002000 0xff00010100400009
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-id: 20200812153139.15146-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-08-31 08:10:47 +02:00
..
9pfs 9pfs: Fix severe performance issue of Treaddir requests. 2020-08-24 16:39:53 +01:00
acpi Introduce a new flag for i440fx to disable PCI hotplug on the root bus 2020-08-27 08:29:08 -04:00
adc meson: convert hw/adc 2020-08-21 06:30:32 -04:00
alpha meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
arm target-arm queue: 2020-08-28 15:14:40 +01:00
audio meson: convert hw/audio 2020-08-21 06:30:32 -04:00
avr meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
block Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
char sclpconsole: Use TYPE_* constants 2020-08-27 14:21:48 -04:00
core target-arm queue: 2020-08-28 15:14:40 +01:00
cpu hw/cpu/a9mpcore: Verify the machine use Cortex-A9 cores 2020-08-24 10:01:40 +01:00
cris meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
display nubus: Rename class type checking macros 2020-08-27 14:04:55 -04:00
dma i8257: Move QOM macro to header 2020-08-27 14:04:54 -04:00
gpio meson: convert hw/gpio 2020-08-21 06:30:31 -04:00
hppa artist out of bounds fixes 2020-08-26 22:23:53 +01:00
hyperv vmbus: Move QOM macros to vmbus.h 2020-08-27 14:04:54 -04:00
i2c meson: convert hw/i2c 2020-08-21 06:30:30 -04:00
i386 Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
ide ahci: Move QOM macro to header 2020-08-27 14:04:54 -04:00
input pckbd: Move QOM macro to header 2020-08-27 14:04:54 -04:00
intc nios2_iic: Use TYPE_ALTERA_IIC constant 2020-08-27 14:21:48 -04:00
ipack meson: convert hw/ipack 2020-08-21 06:30:30 -04:00
ipmi meson: convert hw/ipmi 2020-08-21 06:30:29 -04:00
isa piix: Move QOM macros to header 2020-08-27 14:04:55 -04:00
lm32 hw/sd/milkymist: Do not create SD card within the SD host controller 2020-08-21 16:22:43 +02:00
m68k meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
mem meson: convert hw/mem 2020-08-21 06:30:26 -04:00
microblaze meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
mips meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
misc target-arm queue: 2020-08-28 15:14:40 +01:00
moxie meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
net target-arm queue: 2020-08-28 15:14:40 +01:00
nios2 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
nubus meson: convert hw/nubus 2020-08-21 06:30:25 -04:00
nvram ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
openrisc meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
pci meson: convert hw/pci 2020-08-21 06:30:28 -04:00
pci-bridge meson: convert hw/pci-bridge 2020-08-21 06:30:28 -04:00
pci-host ppce500: Use TYPE_PPC_E500_PCI_BRIDGE constant 2020-08-27 14:21:48 -04:00
pcmcia pxa2xx: Move QOM macros to header 2020-08-27 14:04:55 -04:00
ppc ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
rdma meson: convert hw/rdma 2020-08-21 06:30:29 -04:00
riscv opentitan: Rename memmap enum constants 2020-08-27 14:04:54 -04:00
rtc meson: convert hw/rtc 2020-08-21 06:30:27 -04:00
rx meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
s390x s390-virtio-ccw: Rename S390_MACHINE_CLASS macro 2020-08-27 14:04:55 -04:00
scsi Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
sd target-arm queue: 2020-08-28 15:14:40 +01:00
semihosting meson: convert hw/semihosting 2020-08-21 06:30:25 -04:00
sh4 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
smbios hw/smbios: add options for type 4 max-speed and current-speed 2020-08-27 08:29:13 -04:00
sparc ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
sparc64 ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
ssi meson: convert hw/ssi 2020-08-21 06:30:27 -04:00
timer meson: convert hw/timer 2020-08-21 06:30:27 -04:00
tpm meson: convert hw/tpm 2020-08-21 06:30:27 -04:00
tricore meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
unicore32 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
usb hw: xhci: check return value of 'usb_packet_map' 2020-08-31 08:10:47 +02:00
vfio vfio/pci: Move QOM macros to header 2020-08-27 14:04:55 -04:00
virtio vhost-user-blk-pci: default num_queues to -smp N 2020-08-27 08:29:13 -04:00
watchdog meson: convert hw/watchdog 2020-08-21 06:30:26 -04:00
xen meson: convert hw/xen 2020-08-21 06:30:24 -04:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa target/xtensa: implement NMI support 2020-08-21 12:48:14 -07:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
meson.build meson: convert hw/arch* 2020-08-21 06:30:33 -04:00