|
From: | Remy Noel |
Subject: | Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527) |
Date: | Tue, 4 May 2021 15:33:27 +0200 |
Hello On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
Make sure the usb packet size is within the bounds of the endpoint configuration. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-Id: <20210503132915.2335822-5-kraxel@redhat.com> --- hw/usb/hcd-xhci.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 46212b1e695a..7acfb8137bc9 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer) qemu_sglist_destroy(&xfer->sgl); return -1; } + if (xfer->packet.iov.size > ep->max_packet_size) { + usb_packet_unmap(&xfer->packet, &xfer->sgl); + qemu_sglist_destroy(&xfer->sgl); + return -1; + } DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n", xfer->packet.pid, ep->dev->addr, ep->nr); return 0; --
So im my user's case (using a usb-Display-port adapter) i managed to trigger this error.According to him. the his displays works without this patch (but i can see him sending usbredir packets of up to 9MB) but breaks without (which is expected.) I have trouble understanding whether this can be considered an illegitimate xhci use case (i'm very unfamiliar with it), but i don't see any burst working if we drop any buffer chain bigger than a single endpoint packet size.
I'm strill struggling to emulate SuperSpeed Bulk transfers from the vm in order to have a reproducer though.
By the way, the call to qemu_sglist_destroy seems unnecessary to me since usb_packet_unmap calls it already.
Cheers Remy
[Prev in Thread] | Current Thread | [Next in Thread] |