[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)
From: |
Gerd Hoffmann |
Subject: |
Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527) |
Date: |
Tue, 4 May 2021 16:12:11 +0200 |
On Tue, May 04, 2021 at 03:33:27PM +0200, Remy Noel wrote:
> Hello
>
> On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
> > Make sure the usb packet size is within the
> > bounds of the endpoint configuration.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
> > ---
> > hw/usb/hcd-xhci.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
> > index 46212b1e695a..7acfb8137bc9 100644
> > --- a/hw/usb/hcd-xhci.c
> > +++ b/hw/usb/hcd-xhci.c
> > @@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
> > qemu_sglist_destroy(&xfer->sgl);
> > return -1;
> > }
> > + if (xfer->packet.iov.size > ep->max_packet_size) {
> > + usb_packet_unmap(&xfer->packet, &xfer->sgl);
> > + qemu_sglist_destroy(&xfer->sgl);
> > + return -1;
> > + }
> > DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
> > xfer->packet.pid, ep->dev->addr, ep->nr);
> > return 0;
> > --
> So im my user's case (using a usb-Display-port adapter) i managed to trigger
> this error.
Oh.
What is the packet size (xfer->packet.iov.size)?
Can I get an 'lsusb -v' for the device in question?
take care,
Gerd
- [PULL 0/7] Usb 20210504 patches, Gerd Hoffmann, 2021/05/04
- [PULL 1/7] hw/usb/host-stub: Remove unused header, Gerd Hoffmann, 2021/05/04
- [PULL 3/7] usb/hid: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/04
- [PULL 2/7] hw/usb: Do not build USB subsystem if not required, Gerd Hoffmann, 2021/05/04
- [PULL 5/7] usb/mtp: avoid dynamic stack allocation, Gerd Hoffmann, 2021/05/04
- [PULL 4/7] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Gerd Hoffmann, 2021/05/04
- [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527), Gerd Hoffmann, 2021/05/04
- [PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527), Gerd Hoffmann, 2021/05/04
- Re: [PULL 0/7] Usb 20210504 patches, Gerd Hoffmann, 2021/05/05