[PATCH 07/47] uas: add stream number sanity checks.
From: Michael Roth
Subject: [PATCH 07/47] uas: add stream number sanity checks.
Date: Tue, 14 Dec 2021 18:00:45 -0600
From: Gerd Hoffmann <kraxel@redhat.com>
The device uses the guest-supplied stream number unchecked, which can
lead to guest-triggered out-of-band access to the UASDevice->data3 and
UASDevice->status3 fields. Add the missing checks.
Fixes: CVE-2021-3713
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reported-by: Chen Zhe <chenzhe@huawei.com>
Reported-by: Tan Jingguo <tanjingguo@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
(cherry picked from commit 13b250b12ad3c59114a6a17d59caf073ce45b33a)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/usb/dev-uas.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
index 263056231c..f6309a5ebf 100644
--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
@@ -840,6 +840,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket
*p)
}
break;
case UAS_PIPE_ID_STATUS:
+ if (p->stream > UAS_MAX_STREAMS) {
+ goto err_stream;
+ }
if (p->stream) {
QTAILQ_FOREACH(st, &uas->results, next) {
if (st->stream == p->stream) {
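Review bot: the bound `p->stream > UAS_MAX_STREAMS` lets stream == UAS_MAX_STREAMS through, so it is only correct if the UASDevice->data3 and UASDevice->status3 arrays named in the commit message are declared with UAS_MAX_STREAMS + 1 entries; if they are sized UAS_MAX_STREAMS the comparison has to be `>=`. A one-line comment at the check (or at the array declarations) stating that relationship would make the off-by-one reasoning explicit for the next reader. Separately, the error path in the last hunk prints the stream with `%d`, which suggests p->stream is a signed int; if a negative value can arrive here it passes this upper-bound test unchanged, so an explicit `p->stream < 0` check (or comparing as unsigned) would be worth adding.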
@@ -867,6 +870,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket
*p)
break;
case UAS_PIPE_ID_DATA_IN:
case UAS_PIPE_ID_DATA_OUT:
+ if (p->stream > UAS_MAX_STREAMS) {
+ goto err_stream;
+ }
if (p->stream) {
req = usb_uas_find_request(uas, p->stream);
} else {
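Review bot: this is a verbatim second copy of the range check from the UAS_PIPE_ID_STATUS case; consider moving it into a small helper such as `usb_uas_stream_valid(p->stream)` so the bound is written once and the STATUS and DATA paths cannot drift apart if the check is later tightened (for example to cover the sign of the stream number).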
@@ -902,6 +908,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket
*p)
p->status = USB_RET_STALL;
break;
}
+
+err_stream:
+ error_report("%s: invalid stream %d", __func__, p->stream);
+ p->status = USB_RET_STALL;
+ return;
}
static void usb_uas_unrealize(USBDevice *dev)
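Review bot: there is no `return;` between the switch's closing `}` and the new `err_stream:` label, so a packet that completes any case normally falls straight into the error block, is reported as an invalid stream and has its status overwritten with USB_RET_STALL. Insert `return;` after the switch (before the label) so the block is reached only via the two `goto err_stream` sites; the trailing `return;` inside the label is then the only exit from that path and the function's behaviour for valid packets is unchanged.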
--
2.25.1