qemu/hw
Gerd Hoffmann b946434f26 usb: fix setup_len init (CVE-2020-14364)
Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
2020-08-31 08:23:39 +02:00
..
9pfs 9pfs: Fix severe performance issue of Treaddir requests. 2020-08-24 16:39:53 +01:00
acpi Introduce a new flag for i440fx to disable PCI hotplug on the root bus 2020-08-27 08:29:08 -04:00
adc meson: convert hw/adc 2020-08-21 06:30:32 -04:00
alpha meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
arm target-arm queue: 2020-08-28 15:14:40 +01:00
audio meson: convert hw/audio 2020-08-21 06:30:32 -04:00
avr meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
block Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
char sclpconsole: Use TYPE_* constants 2020-08-27 14:21:48 -04:00
core target-arm queue: 2020-08-28 15:14:40 +01:00
cpu hw/cpu/a9mpcore: Verify the machine use Cortex-A9 cores 2020-08-24 10:01:40 +01:00
cris meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
display nubus: Rename class type checking macros 2020-08-27 14:04:55 -04:00
dma i8257: Move QOM macro to header 2020-08-27 14:04:54 -04:00
gpio meson: convert hw/gpio 2020-08-21 06:30:31 -04:00
hppa artist out of bounds fixes 2020-08-26 22:23:53 +01:00
hyperv vmbus: Move QOM macros to vmbus.h 2020-08-27 14:04:54 -04:00
i2c meson: convert hw/i2c 2020-08-21 06:30:30 -04:00
i386 Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
ide ahci: Move QOM macro to header 2020-08-27 14:04:54 -04:00
input pckbd: Move QOM macro to header 2020-08-27 14:04:54 -04:00
intc nios2_iic: Use TYPE_ALTERA_IIC constant 2020-08-27 14:21:48 -04:00
ipack meson: convert hw/ipack 2020-08-21 06:30:30 -04:00
ipmi meson: convert hw/ipmi 2020-08-21 06:30:29 -04:00
isa piix: Move QOM macros to header 2020-08-27 14:04:55 -04:00
lm32 hw/sd/milkymist: Do not create SD card within the SD host controller 2020-08-21 16:22:43 +02:00
m68k meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
mem meson: convert hw/mem 2020-08-21 06:30:26 -04:00
microblaze meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
mips meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
misc target-arm queue: 2020-08-28 15:14:40 +01:00
moxie meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
net target-arm queue: 2020-08-28 15:14:40 +01:00
nios2 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
nubus meson: convert hw/nubus 2020-08-21 06:30:25 -04:00
nvram ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
openrisc meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
pci meson: convert hw/pci 2020-08-21 06:30:28 -04:00
pci-bridge meson: convert hw/pci-bridge 2020-08-21 06:30:28 -04:00
pci-host ppce500: Use TYPE_PPC_E500_PCI_BRIDGE constant 2020-08-27 14:21:48 -04:00
pcmcia pxa2xx: Move QOM macros to header 2020-08-27 14:04:55 -04:00
ppc ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
rdma meson: convert hw/rdma 2020-08-21 06:30:29 -04:00
riscv opentitan: Rename memmap enum constants 2020-08-27 14:04:54 -04:00
rtc meson: convert hw/rtc 2020-08-21 06:30:27 -04:00
rx meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
s390x s390-virtio-ccw: Rename S390_MACHINE_CLASS macro 2020-08-27 14:04:55 -04:00
scsi Machine queue + QOM fixes and cleanups 2020-08-28 11:05:08 +01:00
sd target-arm queue: 2020-08-28 15:14:40 +01:00
semihosting meson: convert hw/semihosting 2020-08-21 06:30:25 -04:00
sh4 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
smbios hw/smbios: add options for type 4 max-speed and current-speed 2020-08-27 08:29:13 -04:00
sparc ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
sparc64 ppc patch queue 2020-08-18 2020-08-24 09:35:21 +01:00
ssi meson: convert hw/ssi 2020-08-21 06:30:27 -04:00
timer meson: convert hw/timer 2020-08-21 06:30:27 -04:00
tpm meson: convert hw/tpm 2020-08-21 06:30:27 -04:00
tricore meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
unicore32 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
usb usb: fix setup_len init (CVE-2020-14364) 2020-08-31 08:23:39 +02:00
vfio vfio/pci: Move QOM macros to header 2020-08-27 14:04:55 -04:00
virtio vhost-user-blk-pci: default num_queues to -smp N 2020-08-27 08:29:13 -04:00
watchdog meson: convert hw/watchdog 2020-08-21 06:30:26 -04:00
xen meson: convert hw/xen 2020-08-21 06:30:24 -04:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa target/xtensa: implement NMI support 2020-08-21 12:48:14 -07:00
Kconfig
meson.build meson: convert hw/arch* 2020-08-21 06:30:33 -04:00