|
| From: | Remy Noel |
| Subject: | Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527) |
| Date: | Tue, 4 May 2021 15:33:27 +0200 |
Hello On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
Make sure the usb packet size is within the
bounds of the endpoint configuration.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
---
hw/usb/hcd-xhci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 46212b1e695a..7acfb8137bc9 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
qemu_sglist_destroy(&xfer->sgl);
return -1;
}
+ if (xfer->packet.iov.size > ep->max_packet_size) {
+ usb_packet_unmap(&xfer->packet, &xfer->sgl);
+ qemu_sglist_destroy(&xfer->sgl);
+ return -1;
+ }
DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
xfer->packet.pid, ep->dev->addr, ep->nr);
return 0;
--
So im my user's case (using a usb-Display-port adapter) i managed to trigger this error.According to him. the his displays works without this patch (but i can see him sending usbredir packets of up to 9MB) but breaks without (which is expected.) I have trouble understanding whether this can be considered an illegitimate xhci use case (i'm very unfamiliar with it), but i don't see any burst working if we drop any buffer chain bigger than a single endpoint packet size.
I'm strill struggling to emulate SuperSpeed Bulk transfers from the vm in order to have a reproducer though.
By the way, the call to qemu_sglist_destroy seems unnecessary to me since usb_packet_unmap calls it already.
Cheers Remy
| [Prev in Thread] | Current Thread | [Next in Thread] |