[Qemu-commits] [qemu/qemu] 80eecd: usb: check USB configuration descript


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 80eecd: usb: check USB configuration descriptor object
Date: Tue, 23 Feb 2016 04:00:05 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 80eecda8e5d09c442c24307f340840a5b70ea3b9
      
https://github.com/qemu/qemu/commit/80eecda8e5d09c442c24307f340840a5b70ea3b9
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usb: check USB configuration descriptor object

When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type(2). But it does not check if it is null,
which leads to a null dereference error. Add check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 14ec7b2c5bc0e7b0f7097211d349b57450f09d02
      
https://github.com/qemu/qemu/commit/14ec7b2c5bc0e7b0f7097211d349b57450f09d02
  Author: Peter Maydell <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/timer/Makefile.objs
    R hw/timer/tusb6010.c
    M hw/usb/Makefile.objs
    A hw/usb/tusb6010.c

  Log Message:
  -----------
  tusb6010: move from hw/timer to hw/usb

The TUSB6010 is a USB controller (as the name suggests). Move it from
hw/timer (where it was accidentally filed in 2013 when we moved
everything out of hw/) to hw/usb.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 64c9bc181fc78275596649f591302d72df2d3071
      
https://github.com/qemu/qemu/commit/64c9bc181fc78275596649f591302d72df2d3071
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/usb/core.c

  Log Message:
  -----------
  usb: check RNDIS message length

When processing remote NDIS control message packets, the USB Net
device emulator uses a fixed length(4096) data buffer. The incoming
packet length could exceed this limit. Add a check to avoid it.

Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
      
https://github.com/qemu/qemu/commit/fe3c546c5ff2a6210f9a4d8561cc64051ca8603e
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usb: check RNDIS buffer offsets & length

When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 5f77e06baa84323e5bbc96c2c7f4fe627078b210
      
https://github.com/qemu/qemu/commit/5f77e06baa84323e5bbc96c2c7f4fe627078b210
  Author: Gonglei <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/usb/hcd-uhci.c

  Log Message:
  -----------
  usb: add pid check at the first of uhci_handle_td()

pid can be gotten from uhci device memory in uhci_handle_td(),
so the guest can trigger an assert in qemu if we get an invalid pid.
And the uhci spec 2.1.2 tells us: The Host Controller sets Host
Controller Process Error bit to 1 when it detects a fatal error
and indicates that the Host Controller suffered a consistency
check failure while processing a Transfer Descriptor. An example
of a consistency check failure would be finding an illegal PID
field while processing the packet header portion of the TD.
When this error occurs, the Host Controller clears the Run/Stop
bit in the Command register to prevent further schedule execution.

We'd better set UHCI_STS_HCPERR and kick an interrupt, and check
the pid value at the first of the uhci_handle_td function.

https://bugzilla.redhat.com/show_bug.cgi?id=1070027

Signed-off-by: Gonglei <address@hidden>
Message-id: address@hidden

[ applied minor codestyle fix ]

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: fa1298c2d623522eda7b4f1f721fcb935abb7360
      
https://github.com/qemu/qemu/commit/fa1298c2d623522eda7b4f1f721fcb935abb7360
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  ohci: allocate timer only once.

Allocate timer once, at init time, instead of allocating/freeing
it all the time when starting/stopping the bus.  Simplifies the
code, also fixes bugs (memory leak) due to missing checks whether
the timer is already allocated or not.

Cc: Prasad J Pandit <address@hidden>
Reported-by: Zuozhi Fzz <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: ea6e4981bfb33aeb0035088b883a159de1483cba
      
https://github.com/qemu/qemu/commit/ea6e4981bfb33aeb0035088b883a159de1483cba
  Author: Peter Maydell <address@hidden>
  Date:   2016-02-23 (Tue, 23 Feb 2016)

  Changed paths:
    M hw/timer/Makefile.objs
    R hw/timer/tusb6010.c
    M hw/usb/Makefile.objs
    M hw/usb/core.c
    M hw/usb/dev-network.c
    M hw/usb/hcd-ohci.c
    M hw/usb/hcd-uhci.c
    A hw/usb/tusb6010.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160223-1' into staging

usb: misc bugfixes.

# gpg: Signature made Tue 23 Feb 2016 10:53:01 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-usb-20160223-1:
  ohci: allocate timer only once.
  usb: add pid check at the first of uhci_handle_td()
  usb: check RNDIS buffer offsets & length
  usb: check RNDIS message length
  tusb6010: move from hw/timer to hw/usb
  usb: check USB configuration descriptor object

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/8eb779e4223a...ea6e4981bfb3
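
The commits "usb: check RNDIS message length" and "usb: check RNDIS buffer offsets & length" above both describe bounding guest-supplied sizes against the fixed 4096-byte control buffer. The following is an added illustration of such a check, not the code from these commits or from QEMU; the header field positions, the base the offset is counted from, and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CTRL_BUF_SIZE 4096u /* fixed buffer size named in the commit messages */
#define HDR_SIZE      24u   /* assumed: six 32-bit little-endian header fields */
#define OFF_BASE      8u    /* assumed: offset is counted from the third field */

/* Read a 32-bit little-endian value without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *start / *len when the information buffer lies fully
 * inside the received message, -1 otherwise. */
int check_info_buffer(const uint8_t *msg, size_t msg_len,
                      size_t *start, size_t *len)
{
    if (msg == NULL || msg_len < HDR_SIZE || msg_len > CTRL_BUF_SIZE) {
        return -1;                       /* missing, short or oversized message */
    }
    uint32_t buflen = rd_le32(msg + 16); /* guest-supplied length (assumed slot) */
    uint32_t bufoff = rd_le32(msg + 20); /* guest-supplied offset (assumed slot) */
    /* Compare each value against the space that remains, by subtraction.
     * Adding the two guest values first can wrap around in 32 bits. */
    if (bufoff > msg_len - OFF_BASE) {
        return -1;
    }
    size_t s = (size_t)bufoff + OFF_BASE; /* cannot wrap: bufoff <= 4088 here */
    if (buflen > msg_len - s) {
        return -1;
    }
    *start = s;
    *len = buflen;
    return 0;
}

/* Constructed sample message with the chosen length and offset fields. */
size_t build_sample(uint8_t *out, uint32_t buflen, uint32_t bufoff, size_t total)
{
    memset(out, 0, total);
    for (int i = 0; i < 4; i++) {
        out[16 + i] = (uint8_t)(buflen >> (8 * i));
        out[20 + i] = (uint8_t)(bufoff >> (8 * i));
    }
    return total;
}
```

With a length of 0xFFFFFFF0 and an offset of 0x20, a 32-bit sum of offset, base and length wraps to 0x18 and would pass a naive `offset + length <= size` comparison; the subtraction form rejects it.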
