qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)

From: Gerd Hoffmann
Subject: Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)
Date: Tue, 4 May 2021 16:12:11 +0200 
On Tue, May 04, 2021 at 03:33:27PM +0200, Remy Noel wrote:
> Hello
> 
> On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
> > Make sure the usb packet size is within the
> > bounds of the endpoint configuration.
> > 
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
> > ---
> > hw/usb/hcd-xhci.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> > 
> > diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
> > index 46212b1e695a..7acfb8137bc9 100644
> > --- a/hw/usb/hcd-xhci.c
> > +++ b/hw/usb/hcd-xhci.c
> > @@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
> >         qemu_sglist_destroy(&xfer->sgl);
> >         return -1;
> >     }
> > +    if (xfer->packet.iov.size > ep->max_packet_size) {
> > +        usb_packet_unmap(&xfer->packet, &xfer->sgl);
> > +        qemu_sglist_destroy(&xfer->sgl);
> > +        return -1;
> > +    }
> >     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
> >             xfer->packet.pid, ep->dev->addr, ep->nr);
> >     return 0;
> > --
> So im my user's case (using a usb-Display-port adapter) i managed to trigger
> this error.

Oh.

What is the packet size (xfer->packet.iov.size)?
Can I get an 'lsusb -v' for the device in question?

take care,
  Gerd
reply via email to
[Prev in Thread] Current Thread [Next in Thread]