qemu/hw/usb
David Hubbard 3c3c233677 hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT
This changes the ohci validation to not assert if invalid data is fed to the
ohci controller. The poc in https://bugs.launchpad.net/qemu/+bug/1907042
(migrated to bug #303) does the following to feed it a SETUP pid (valid)
at an EndPt of 1 (invalid - all SETUP pids must be addressed to EndPt 0):

        uint32_t MaxPacket = 64;
        uint32_t TDFormat = 0;
        uint32_t Skip = 0;
        uint32_t Speed = 0;
        uint32_t Direction = 0;  /* #define OHCI_TD_DIR_SETUP 0 */
        uint32_t EndPt = 1;
        uint32_t FuncAddress = 0;
        ed->attr = (MaxPacket << 16) | (TDFormat << 15) | (Skip << 14)
                   | (Speed << 13) | (Direction << 11) | (EndPt << 7)
                   | FuncAddress;
        ed->tailp = /*TDQTailPntr= */ 0;
        ed->headp = ((/*TDQHeadPntr= */ &td[0]) & 0xfffffff0)
                   | (/* ToggleCarry= */ 0 << 1);
        ed->next_ed = (/* NextED= */ 0 & 0xfffffff0);

qemu-fuzz also caught the same issue in #1510. They are both fixed by this
patch.

With a tiny OS[1] that boots and executes the poc, the repro shows the issue:

* OS that sends USB requests to a USB mass storage device
  but sends a SETUP with EndPt = 1
* qemu 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.19)
* qemu HEAD (4e66a0854)
* Actual OHCI controller (hardware)

Command line:
qemu-system-x86_64 -m 20 \
 -device pci-ohci,id=ohci \
 -drive if=none,format=raw,id=d,file=testmbr.raw \
 -device usb-storage,bus=ohci.0,drive=d \
 --trace "usb_*" --trace "ohci_*" -D qemu.log

Results are:

 qemu 6.2.0 | qemu HEAD | actual HW
------------+-----------+----------------
 assertion  | assertion | sets stall bit

The assertion message is:

> qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
> Aborted (core dumped)

Tip: if the flags "-serial pty -serial stdio" are added to the command line,
the poc outputs its USB requests like this:

> Free mem 2M ohci port0 conn FS
> setup { 80 6 0 1 0 0 8 0 }
> ED info=80000 { mps=8 en=0 d=0 } tail=c20920
>   td0 c20880 nxt=c20960 f2000000 setup cbp=c20900 be=c20907       cbp=0 be=c20907
>   td1 c20960 nxt=c20980 f3140000    in cbp=c20908 be=c2090f       cbp=0 be=c2090f
>   td2 c20980 nxt=c20920 f3080000   out cbp=0 be=0                 cbp=0 be=0
>    rx { 12 1 0 2 0 0 0 8 }
> setup { 0 5 1 0 0 0 0 0 } tx {}
> ED info=80000 { mps=8 en=0 d=0 } tail=c20880
>   td0 c20920 nxt=c20960 f2000000 setup cbp=c20900 be=c20907       cbp=0 be=c20907
>   td1 c20960 nxt=c20880 f3100000    in cbp=0 be=0                 cbp=0 be=0
> setup { 80 6 0 1 0 0 12 0 }
> ED info=80081 { mps=8 en=0 d=1 } tail=c20960
>   td0 c20880 nxt=c209c0 f2000000 setup cbp=c20920 be=c20927
>   td1 c209c0 nxt=c209e0 f3140000    in cbp=c20928 be=c20939
>   td2 c209e0 nxt=c20960 f3080000   out cbp=0 be=0qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
> Aborted (core dumped)

[1] The OS disk image has been emailed to philmd@linaro.org, mjt@tls.msk.ru,
and kraxel@redhat.com:

* testBadSetup.img.xz
* sha256: 045b43f4396de02b149518358bf8025d5ba11091e86458875339fc649e6e5ac6

Signed-off-by: David Hubbard <dmamfmgm@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: authorship and signed-off-by tag names fixed up as
 per on-list agreement]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-05-31 11:26:00 +01:00
bus-stub.c hw/usb: move stubs out of stubs/ 2024-04-18 11:17:27 +02:00
bus.c hw/usb/bus.c: PCAP adding 0xA in Windows version 2024-03-01 08:27:33 +01:00
canokey.c hw/usb/canokey: change license to GPLv2+ 2023-07-25 17:24:12 +01:00
canokey.h hw/usb/canokey: change license to GPLv2+ 2023-07-25 17:24:12 +01:00
ccid-card-emulated.c hw/usb: spelling fixes 2023-08-31 19:47:43 +02:00
ccid-card-passthru.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
ccid.h
chipidea.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
combined-packet.c usb: limit combined packets to 1 MiB (CVE-2021-3527) 2021-05-05 15:06:01 +02:00
core.c
desc-msos.c hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
desc.c hw/usb: Silence compiler warnings in USB code when compiling with -Wshadow 2023-10-06 13:27:48 +02:00
desc.h usb: allow max 8192 bytes for desc 2022-01-13 10:22:37 +01:00
dev-audio.c usb-audio: Fix invalid values in AudioControl descriptors 2024-04-01 19:47:40 +03:00
dev-hid.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-hub.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-mtp.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-network.c hw/usb/dev-network: Remove unused struct 'rndis_config_parameter' 2024-05-09 00:07:21 +02:00
dev-serial.c
dev-smartcard-reader.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-storage-bot.c Don't include headers already included by qemu/osdep.h 2023-02-08 07:28:05 +01:00
dev-storage-classic.c usb-storage: Fix BlockConf defaults 2024-04-16 11:50:52 +01:00
dev-storage.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-uas.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-wacom.c hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
hcd-dwc2.c hw, target: Add ResetType argument to hold and exit phase methods 2024-04-25 10:21:06 +01:00
hcd-dwc2.h Clean up header guards that don't match their file name 2022-05-11 16:49:06 +02:00
hcd-dwc3.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-ehci-pci.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci-sysbus.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci.h hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-musb.c hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
hcd-ohci-pci.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-ohci-sysbus.c hw/usb: extract sysbus-ohci to a separate file 2024-02-27 09:37:25 +01:00
hcd-ohci.c hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT 2024-05-31 11:26:00 +01:00
hcd-ohci.h hw/usb/ohci: Use OHCIState type definition 2023-02-27 22:29:02 +01:00
hcd-uhci.c hw/usb/uhci: Rename NB_PORTS -> UHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-uhci.h hw/usb/uhci: Rename NB_PORTS -> UHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-xhci-nec.c hw/usb/xhci-nec: Replace container_of() by NEC_XHCI() QOM cast macro 2023-02-27 22:29:02 +01:00
hcd-xhci-pci.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-xhci-pci.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
hcd-xhci-sysbus.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-xhci-sysbus.h
hcd-xhci.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-xhci.h hw/usb: hcd-xhci-pci: Fix spec violation of IP flag for MSI/MSI-X 2021-05-28 09:10:20 +02:00
host-libusb.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
host.h
imx-usb-phy.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
Kconfig hw/usb: extract sysbus-ohci to a separate file 2024-02-27 09:37:25 +01:00
libhw.c dma: Let dma_memory_map() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
meson.build hw/usb: move stubs out of stubs/ 2024-04-18 11:17:27 +02:00
pcap.c
quirks-ftdi-ids.h hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
quirks-pl2303-ids.h hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
quirks.c
quirks.h hw/usb: spelling fixes 2023-08-31 19:47:43 +02:00
redirect.c migration 1st pull for 9.0 2024-01-05 13:35:25 +00:00
trace-events hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT 2024-05-31 11:26:00 +01:00
trace.h
tusb6010.c
u2f-emulated.c hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
u2f-passthru.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
u2f.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
u2f.h hw/usb/u2f: Declare QOM macros using OBJECT_DECLARE_TYPE() 2023-02-27 22:29:02 +01:00
vt82c686-uhci-pci.c hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts 2023-11-28 14:26:37 +01:00
xen-usb.c xen: register legacy backends via xen_backend_init 2024-05-10 15:45:15 +02:00
xlnx-usb-subsystem.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
xlnx-versal-usb2-ctrl-regs.c hw, target: Add ResetType argument to hold and exit phase methods 2024-04-25 10:21:06 +01:00