[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527)
From: |
Gerd Hoffmann |
Subject: |
[PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527) |
Date: |
Tue, 4 May 2021 10:53:17 +0200 |
usb-host and usb-redirect try to batch bulk transfers by combining many
small usb packets into a single, large transfer request, to reduce the
overhead and improve performance.
This patch adds a size limit of 1 MiB for those combined packets to
restrict the host resources the guest can bind that way.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
---
hw/usb/combined-packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
index 5d57e883dcb5..e56802f89a32 100644
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
next == NULL ||
/* Work around for Linux usbfs bulk splitting + migration */
- (totalsize == (16 * KiB - 36) && p->int_req)) {
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
+ /* Next package may grow combined package over 1MiB */
+ totalsize > 1 * MiB - ep->max_packet_size) {
usb_device_handle_data(ep->dev, first);
assert(first->status == USB_RET_ASYNC);
if (first->combined) {
--
2.31.1
- [PULL 0/7] Usb 20210504 patches, Gerd Hoffmann, 2021/05/04
- [PULL 1/7] hw/usb/host-stub: Remove unused header, Gerd Hoffmann, 2021/05/04
- [PULL 3/7] usb/hid: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/04
- [PULL 2/7] hw/usb: Do not build USB subsystem if not required, Gerd Hoffmann, 2021/05/04
- [PULL 5/7] usb/mtp: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/04
- [PULL 4/7] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Gerd Hoffmann, 2021/05/04
- [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527), Gerd Hoffmann, 2021/05/04
- [PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527),
Gerd Hoffmann <=
- Re: [PULL 0/7] Usb 20210504 patches, Gerd Hoffmann, 2021/05/05