qemu/hw/usb
Gerd Hoffmann b946434f26 usb: fix setup_len init (CVE-2020-14364)
Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
2020-08-31 08:23:39 +02:00
..
bus.c error: Eliminate error_propagate() manually 2020-07-10 15:18:08 +02:00
ccid-card-emulated.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ccid-card-passthru.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
ccid.h qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
chipidea.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
combined-packet.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
core.c usb: fix setup_len init (CVE-2020-14364) 2020-08-31 08:23:39 +02:00
desc-msos.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.h all: Clean up includes 2016-02-23 12:43:05 +00:00
dev-audio.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-hid.c hw/usb: Regroup USB HID protocol values 2020-08-31 08:10:47 +02:00
dev-hub.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-mtp.c usb/dev-mtp: Fix Error double free after inotify failure 2020-07-02 06:25:28 +02:00
dev-network.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-serial.c usb: Convert uses of usb_create() 2020-06-15 22:05:28 +02:00
dev-smartcard-reader.c qdev: Drop qbus_set_hotplug_handler() parameter @errp 2020-07-02 06:25:29 +02:00
dev-storage.c usb: fix storage regression 2020-07-16 10:20:27 +02:00
dev-uas.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
dev-wacom.c hw/usb: Regroup USB HID protocol values 2020-08-31 08:10:47 +02:00
hcd-dwc2.c hcd-dwc2: Rename USB_*CLASS macros for consistency 2020-08-27 14:04:54 -04:00
hcd-dwc2.h hcd-dwc2: Rename USB_*CLASS macros for consistency 2020-08-27 14:04:54 -04:00
hcd-ehci-pci.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-ehci-sysbus.c hw/arm/allwinner-h3: add USB host controller 2020-03-12 16:27:33 +00:00
hcd-ehci.c ehci: drop pointless warn_report for guest bugs. 2020-08-31 08:10:47 +02:00
hcd-ehci.h qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-musb.c exec/cpu-common: Move MUSB specific typedefs to 'hw/usb/hcd-musb.h' 2020-06-12 11:20:15 -04:00
hcd-ohci-pci.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-ohci.c hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file 2020-02-21 16:07:02 +00:00
hcd-ohci.h hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI to include file 2020-02-21 16:07:02 +00:00
hcd-uhci.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-xhci-nec.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-xhci.c hw: xhci: check return value of 'usb_packet_map' 2020-08-31 08:10:47 +02:00
hcd-xhci.h osdep: Make MIN/MAX evaluate arguments only once 2020-06-26 09:39:39 -04:00
host-libusb.c usb-host: workaround libusb bug 2020-08-31 08:23:39 +02:00
host-stub.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
host.h usb-host: move legacy cmd line bits 2013-02-19 12:30:05 +01:00
imx-usb-phy.c hw/usb: Add basic i.MX USB Phy support 2020-03-17 11:23:14 +00:00
Kconfig meson: Add U2F key to meson 2020-08-31 08:23:10 +02:00
libhw.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
meson.build hw/usb: Add U2F device autoscan to passthru mode 2020-08-31 08:23:39 +02:00
quirks-ftdi-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks-pl2303-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
quirks.h hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
redirect.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
trace-events usb: add hostdevice property to usb-host 2020-06-17 09:12:22 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tusb6010.c hw/usb: Move device-specific declarations to new 'hcd-musb.h' header 2020-06-12 11:20:14 -04:00
u2f-emulated.c hw/usb: Add U2F key emulated mode 2020-08-31 08:10:47 +02:00
u2f-passthru.c hw/usb: Add U2F device autoscan to passthru mode 2020-08-31 08:23:39 +02:00
u2f.c hw/usb: Add U2F key base class implementation 2020-08-31 08:10:47 +02:00
u2f.h hw/usb: Add U2F key base class 2020-08-31 08:10:47 +02:00
xen-usb.c xen: Fix and improve handling of device_add usb-host errors 2020-05-27 07:45:17 +02:00