Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3

From:	Mauro Matteo Cascella
Subject:	Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
Date:	Mon, 3 May 2021 16:25:40 +0200

On Mon, May 3, 2021 at 3:29 PM Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> Use autofree heap allocation instead.
>
> Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/usb/redirect.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
> index 17f06f34179a..6a75b0dc4ab2 100644
> --- a/hw/usb/redirect.c
> +++ b/hw/usb/redirect.c
> @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, 
> USBPacket *p,
>                  .endpoint = ep,
>                  .length = p->iov.size
>              };
> -            uint8_t buf[p->iov.size];
> +            g_autofree uint8_t *buf = g_malloc(p->iov.size);
>              /* No id, we look at the ep when receiving a status back */
>              usb_packet_copy(p, buf, p->iov.size);
>              usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
> @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice 
> *dev, USBPacket *p,
>          usbredirparser_send_bulk_packet(dev->parser, p->id,
>                                          &bulk_packet, NULL, 0);
>      } else {
> -        uint8_t buf[size];
> +        g_autofree uint8_t *buf = g_malloc(size);
>          usb_packet_copy(p, buf, size);
>          usbredir_log_data(dev, "bulk data out:", buf, size);
>          usbredirparser_send_bulk_packet(dev->parser, p->id,
> @@ -923,7 +923,7 @@ static void 
> usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
>                                                 USBPacket *p, uint8_t ep)
>  {
>      struct usb_redir_interrupt_packet_header interrupt_packet;
> -    uint8_t buf[p->iov.size];
> +    g_autofree uint8_t *buf = g_malloc(p->iov.size);
>
>      DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
>              p->iov.size, p->id);
> --
> 2.30.2
>

Nitpick: I would probably reference CVE-2021-3527 in patch 4/5 and 5/5
as well. Just to avoid someone from cherry-picking this patch only,
not actually fixing the root cause of the CVE.

Regards.

--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2 0/5] usb: fix some memory allocation issues., Gerd Hoffmann, 2021/05/03
- [PATCH v2 1/5] usb/hid: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/03
  - Re: [PATCH v2 1/5] usb/hid: avoid dynamic stack allocation, Philippe Mathieu-Daudé, 2021/05/03
- [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Gerd Hoffmann, 2021/05/03
  - Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Philippe Mathieu-Daudé, 2021/05/03
  - Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Mauro Matteo Cascella <=
- [PATCH v2 3/5] usb/mtp: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/03
  - Re: [PATCH v2 3/5] usb/mtp: avoid dynamic stack allocation, Philippe Mathieu-Daudé, 2021/05/03
- [PATCH v2 4/5] usb/xhci: sanity check packet size, Gerd Hoffmann, 2021/05/03
- [PATCH v2 5/5] usb: limit combined packets to 1 MiB, Gerd Hoffmann, 2021/05/03

Prev by Date: Re: Adjustments of NVDIMM devices and future data safety
Next by Date: Re: [PATCH 2/2] block: Fix Transaction leak in bdrv_reopen_multiple()
Previous by thread: Re: [PATCH v2 2/5] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
Next by thread: [PATCH v2 3/5] usb/mtp: avoid dynamic stack allocation
Index(es):
- Date
- Thread