
[Qemu-commits] [qemu/qemu] 21bc31: hw: xhci: check return value of 'usb_


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 21bc31: hw: xhci: check return value of 'usb_packet_map'
Date: Mon, 31 Aug 2020 14:30:32 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 21bc31524e8ca487e976f713b878d7338ee00df2
      
https://github.com/qemu/qemu/commit/21bc31524e8ca487e976f713b878d7338ee00df2
  Author: Li Qiang <liq3ea@163.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  hw: xhci: check return value of 'usb_packet_map'

Currently we don't check the return value of 'usb_packet_map',
this will cause a UAF issue. This is LP#1891341.
Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c009f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffff3655
writeq 0x9f0d000000002000 0xff2f9e0000000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x06
write 0x17278 0x1 0x34
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c051a0100000000
write 0x34001d 0x1 0x13
write 0x340026 0x1 0x30
write 0x340028 0x1 0x08
write 0x34002c 0x1 0xfe
write 0x34002d 0x1 0x08
write 0x340037 0x1 0x5e
write 0x34003a 0x1 0x05
write 0x34003d 0x1 0x05
write 0x34004d 0x1 0x13
writeq 0x9f0d000000002000 0xff00010100400009
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Li Qiang <liq3ea@163.com>
Message-id: 20200812153139.15146-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: dd8525472a17bc7f21aa6024aaa19ad53d28750a
      
https://github.com/qemu/qemu/commit/dd8525472a17bc7f21aa6024aaa19ad53d28750a
  Author: Li Qiang <liq3ea@163.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  hw: ehci: destroy sglist in error path

This may cause resource leak.

Signed-off-by: Li Qiang <liq3ea@163.com>
Message-Id: <20200812161712.29361-1-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 2fdb42d840400d58f2e706ecca82c142b97bcbd6
      
https://github.com/qemu/qemu/commit/2fdb42d840400d58f2e706ecca82c142b97bcbd6
  Author: Li Qiang <liq3ea@163.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  hw: ehci: check return value of 'usb_packet_map'

If 'usb_packet_map' fails, we should stop processing the USB
request.

Signed-off-by: Li Qiang <liq3ea@163.com>
Message-Id: <20200812161727.29412-1-liq3ea@163.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 10b2d90c947e557a2ec5c58919d2b5ad3c400c50
      
https://github.com/qemu/qemu/commit/10b2d90c947e557a2ec5c58919d2b5ad3c400c50
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  ehci: drop pointless warn_report for guest bugs.

We have a tracepoint at the same place which can be enabled if needed.

Buglink: https://bugzilla.redhat.com//show_bug.cgi?id=1859236
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200722072613.10390-1-kraxel@redhat.com>


  Commit: 84b6c23629df888f1c11cace155704a97a239f7c
      
https://github.com/qemu/qemu/commit/84b6c23629df888f1c11cace155704a97a239f7c
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/dev-hid.c
    M hw/usb/dev-wacom.c
    A include/hw/usb/hid.h

  Log Message:
  -----------
  hw/usb: Regroup USB HID protocol values

Group some HID values that are used pretty much everywhere when
dealing with HID devices.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200812094135.20550-2-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 785f558b6a3e741ac484fc2c93b090c88f3ff44b
      
https://github.com/qemu/qemu/commit/785f558b6a3e741ac484fc2c93b090c88f3ff44b
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A docs/u2f.txt

  Log Message:
  -----------
  docs: Add USB U2F key device documentation

Add USB U2F key device documentation:
- USB U2F key device
- Building
- Using u2f-emulated
- Using u2f-passthru
- Libu2f-emu

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-3-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 80e267f1d17c7fe0f08a0f666e9d7e68a3ccf4d8
      
https://github.com/qemu/qemu/commit/80e267f1d17c7fe0f08a0f666e9d7e68a3ccf4d8
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A hw/usb/u2f.h

  Log Message:
  -----------
  hw/usb: Add U2F key base class

This patch adds the specification for the U2F key base class.
Used to group the common characteristics, this device class will be
inherited by its two variants, corresponding to the two modes:
passthrough and emulated.

This prepares the U2F devices hierarchy which is as follows:
USB device -> u2f-key -> {u2f-passthru, u2f-emulated}.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-4-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: bb014a810b565dfe14ad3e85175b9ec299105058
      
https://github.com/qemu/qemu/commit/bb014a810b565dfe14ad3e85175b9ec299105058
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A hw/usb/u2f.c

  Log Message:
  -----------
  hw/usb: Add U2F key base class implementation

This patch adds the U2F key base class implementation.

The U2F key base mainly takes care of the HID interfacing with guest.
On the one hand, it retrieves the guest U2FHID packets and transmits
them to the variant associated according to the mode: pass-through
or emulated.
On the other hand, it provides the public API used by its variants to
send U2FHID packets to the guest.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-5-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 299976b050bfad5005df81380dfeb2df39bf580c
      
https://github.com/qemu/qemu/commit/299976b050bfad5005df81380dfeb2df39bf580c
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A hw/usb/u2f-passthru.c

  Log Message:
  -----------
  hw/usb: Add U2F key passthru mode

This patch adds the U2F key pass-through mode.

The pass-through mode consists of passing all requests made from the
guest to the physical security key connected to the host machine and
vice versa.

In addition, the dedicated pass-through allows a U2F security key to be
shared among several guests, which is not possible with a simple host
device assignment pass-through.

The pass-through mode is associated with a device inheriting from
u2f-key base.

To work, it needs the path to a U2F hidraw, obtained from the Qemu
command line, and passed by the user:

    qemu -usb -device u2f-passthru,hidraw=/dev/hidrawX

Autoscan and U2F compatibility checking features are given at the end
of the patch series.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-6-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: a983b1135f683bf64237fd4860dd8151e5dc4eeb
      
https://github.com/qemu/qemu/commit/a983b1135f683bf64237fd4860dd8151e5dc4eeb
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A hw/usb/u2f-emulated.c

  Log Message:
  -----------
  hw/usb: Add U2F key emulated mode

This patch adds the U2F key emulated mode.

The emulated mode consists of completely emulating the behavior of a
U2F device through software part. Libu2f-emu is used for that.

The emulated mode is associated with a device inheriting from
u2f-key base.

To work, an emulated U2F device must have different elements which
can be given in different ways. This is detailed in docs/u2f.txt.

The Ephemeral one is the simplest way to configure, it lets the device
generate all the elements it needs for a single use of the lifetime
of the device:

    qemu -usb -device u2f-emulated

For more information about libu2f-emu see this page:
https://github.com/MattGorko/libu2f-emu.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-7-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 0a40bcb740aabf5e9504168dee039d5b9f242c41
      
https://github.com/qemu/qemu/commit/0a40bcb740aabf5e9504168dee039d5b9f242c41
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M configure
    M hw/usb/Kconfig
    M hw/usb/meson.build
    M meson.build
    M meson_options.txt

  Log Message:
  -----------
  meson: Add U2F key to meson

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-8-cesar.belley@lse.epita.fr

[ fixes suggested by paolo ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 15e557b716c1795e311c31f56bfa168f107f3ce7
      
https://github.com/qemu/qemu/commit/15e557b716c1795e311c31f56bfa168f107f3ce7
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M docs/system/usb.rst

  Log Message:
  -----------
  docs/system: Add U2F key to the USB devices examples

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-9-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: c81737e537d63ff9641792c95a88bb15386c1a1e
      
https://github.com/qemu/qemu/commit/c81737e537d63ff9641792c95a88bb15386c1a1e
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M docs/qdev-device-use.txt

  Log Message:
  -----------
  docs/qdev-device-use.txt: Add USB U2F key to the QDEV devices examples

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-10-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: dea01f66811b6963f306a7dcffe001fb4637662f
      
https://github.com/qemu/qemu/commit/dea01f66811b6963f306a7dcffe001fb4637662f
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    A scripts/u2f-setup-gen.py

  Log Message:
  -----------
  scripts: Add u2f-setup-gen script

This patch adds the script used to generate setup directories, needed
for the device u2f-emulated configuration in directory mode:

    python u2f-setup-gen.py $DIR
    qemu -usb -device u2f-emulated,dir=$DIR

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-11-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 4ee40a6b98c02b72fc5dd262df9d3ac8680d767b
      
https://github.com/qemu/qemu/commit/4ee40a6b98c02b72fc5dd262df9d3ac8680d767b
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/u2f-passthru.c

  Log Message:
  -----------
  hw/usb: Add U2F device check to passthru mode

This patch adds a check to verify that the device passed through the
hidraw property is a U2F device.

The check is done by ensuring that the first values of the report
descriptor (USAGE PAGE and USAGE) correspond to those of a U2F device.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-12-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
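
The check described in this commit message, as an added example (not code from the QEMU commit): instead of comparing fixed bytes, it decodes the first two HID short items, so it goes slightly beyond the message by accepting any item size that encodes the same values. The function names and sample descriptors are constructed for illustration; 0xF1D0 and 0x01 are the FIDO usage page and U2F HID usage.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HID_ITEM_USAGE_PAGE 0x04u   /* global item, tag 0 (prefix without size bits) */
#define HID_ITEM_USAGE      0x08u   /* local item, tag 0 */
#define FIDO_USAGE_PAGE     0xF1D0u
#define FIDO_USAGE_U2FHID   0x01u

/* Decode one HID short item at desc[*off]. Returns false on a truncated
 * descriptor or a long item (prefix 0xFE), which never starts a U2F one. */
static bool hid_next_item(const uint8_t *desc, size_t len, size_t *off,
                          uint8_t *kind, uint32_t *val)
{
    static const uint8_t sizes[4] = { 0, 1, 2, 4 };
    if (*off >= len || desc[*off] == 0xFE) {
        return false;
    }
    uint8_t prefix = desc[*off];
    size_t n = sizes[prefix & 0x03];
    if (len - *off - 1 < n) {
        return false;                 /* data bytes run past the end */
    }
    *val = 0;
    for (size_t i = 0; i < n; i++) {  /* item data is little-endian */
        *val |= (uint32_t)desc[*off + 1 + i] << (8 * i);
    }
    *kind = prefix & 0xFC;            /* tag and type, size bits masked off */
    *off += 1 + n;
    return true;
}

/* True only if the descriptor opens with Usage Page (FIDO), Usage (U2F HID). */
bool desc_starts_as_u2f(const uint8_t *desc, size_t len)
{
    size_t off = 0;
    uint8_t kind;
    uint32_t val;

    if (!hid_next_item(desc, len, &off, &kind, &val) ||
        kind != HID_ITEM_USAGE_PAGE || val != FIDO_USAGE_PAGE) {
        return false;
    }
    return hid_next_item(desc, len, &off, &kind, &val) &&
           kind == HID_ITEM_USAGE && val == FIDO_USAGE_U2FHID;
}

/* Constructed sample descriptors (first bytes only). */
const uint8_t sample_u2f[]      = { 0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01 };
const uint8_t sample_keyboard[] = { 0x05, 0x01, 0x09, 0x06, 0xA1, 0x01 };
```

On a Linux host the descriptor bytes would come from the hidraw node via the HIDIOCGRDESC ioctl; a device that fails this check should be refused rather than passed to the guest.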


  Commit: d7c1523f58190936ed08d30389399a941994d148
      
https://github.com/qemu/qemu/commit/d7c1523f58190936ed08d30389399a941994d148
  Author: César Belley <cesar.belley@lse.epita.fr>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M docs/u2f.txt
    M hw/usb/meson.build
    M hw/usb/u2f-passthru.c

  Log Message:
  -----------
  hw/usb: Add U2F device autoscan to passthru mode

This patch adds an autoscan to let u2f-passthru choose the first U2F
device it finds.

The autoscan is performed using libudev with an enumeration of all the
hidraw devices present on the host.

The first device which happens to be a U2F device is taken to do the
passthru.

Signed-off-by: César Belley <cesar.belley@lse.epita.fr>
Message-id: 20200826114209.28821-13-cesar.belley@lse.epita.fr
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 202d69a715a4b1824dcd7ec1683d027ed2bae6d3
      
https://github.com/qemu/qemu/commit/202d69a715a4b1824dcd7ec1683d027ed2bae6d3
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/host-libusb.c

  Log Message:
  -----------
  usb-host: workaround libusb bug

libusb_get_device_speed() does not work for
libusb_wrap_sys_device() devices in v1.0.23.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1871090
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20200824110057.32089-1-kraxel@redhat.com


  Commit: b946434f2659a182afc17e155be6791ebfb302eb
      
https://github.com/qemu/qemu/commit/b946434f2659a182afc17e155be6791ebfb302eb
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M hw/usb/core.c

  Log Message:
  -----------
  usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
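
The validate-before-commit pattern this commit message describes, as an added example (not the code from hw/usb/core.c): ModelDev is a simplified stand-in for USBDevice, and its buffer sizes and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not QEMU's USBDevice: field names follow the commit
 * message, the buffer sizes are assumptions made for this example. */
typedef struct {
    uint8_t  setup_buf[8];    /* 8-byte USB SETUP packet */
    uint8_t  data_buf[4096];  /* data-stage buffer the length is checked against */
    unsigned setup_len;       /* length that later token handlers trust */
} ModelDev;

enum { MODEL_OK = 0, MODEL_STALL = -1 };

/* wLength occupies bytes 6..7 of a SETUP packet, little-endian. */
static unsigned setup_wlength(const uint8_t *p)
{
    return ((unsigned)p[7] << 8) | p[6];
}

/* Invariant every later reader of setup_len relies on. */
int model_len_in_bounds(const ModelDev *d)
{
    return d->setup_len <= sizeof(d->data_buf);
}

/* Before: the field is written first and checked afterwards, so a
 * rejected request still leaves the out-of-range value in the struct. */
int model_setup_store_then_check(ModelDev *d, const uint8_t pkt[8])
{
    memcpy(d->setup_buf, pkt, sizeof(d->setup_buf));
    d->setup_len = setup_wlength(d->setup_buf);
    return model_len_in_bounds(d) ? MODEL_OK : MODEL_STALL;
}

/* After: compute into a local, verify, and commit only on success. */
int model_setup_check_then_store(ModelDev *d, const uint8_t pkt[8])
{
    unsigned setup_len;

    memcpy(d->setup_buf, pkt, sizeof(d->setup_buf));
    setup_len = setup_wlength(d->setup_buf);
    if (setup_len > sizeof(d->data_buf)) {
        return MODEL_STALL;   /* d->setup_len keeps its last valid value */
    }
    d->setup_len = setup_len;
    return MODEL_OK;
}
```

Both variants reject the oversized request; the difference is the state left behind for code that runs after the rejection, which is what a regression test for this class of bug should assert on.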


  Commit: 2f4c51c0f384d7888a04b4815861e6d5fd244d75
      
https://github.com/qemu/qemu/commit/2f4c51c0f384d7888a04b4815861e6d5fd244d75
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M configure
    M docs/qdev-device-use.txt
    M docs/system/usb.rst
    A docs/u2f.txt
    M hw/usb/Kconfig
    M hw/usb/core.c
    M hw/usb/dev-hid.c
    M hw/usb/dev-wacom.c
    M hw/usb/hcd-ehci.c
    M hw/usb/hcd-xhci.c
    M hw/usb/host-libusb.c
    M hw/usb/meson.build
    A hw/usb/u2f-emulated.c
    A hw/usb/u2f-passthru.c
    A hw/usb/u2f.c
    A hw/usb/u2f.h
    A include/hw/usb/hid.h
    M meson.build
    M meson_options.txt
    A scripts/u2f-setup-gen.py

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/usb-20200831-pull-request' into staging

usb: usb_packet_map fixes for ehci and xhci.
usb: setup_len fix (CVE-2020-14364).
usb: u2f key support (GSoC).
 * v2: 32bit build fixed.
 * v3: libu2f-emu dependency fixed.

# gpg: Signature made Mon 31 Aug 2020 09:32:49 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20200831-pull-request:
  usb: fix setup_len init (CVE-2020-14364)
  usb-host: workaround libusb bug
  hw/usb: Add U2F device autoscan to passthru mode
  hw/usb: Add U2F device check to passthru mode
  scripts: Add u2f-setup-gen script
  docs/qdev-device-use.txt: Add USB U2F key to the QDEV devices examples
  docs/system: Add U2F key to the USB devices examples
  meson: Add U2F key to meson
  hw/usb: Add U2F key emulated mode
  hw/usb: Add U2F key passthru mode
  hw/usb: Add U2F key base class implementation
  hw/usb: Add U2F key base class
  docs: Add USB U2F key device documentation
  hw/usb: Regroup USB HID protocol values
  ehci: drop pointless warn_report for guest bugs.
  hw: ehci: check return value of 'usb_packet_map'
  hw: ehci: destroy sglist in error path
  hw: xhci: check return value of 'usb_packet_map'

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/4bc08c61416c...2f4c51c0f384


