mirror of https://gitee.com/openkylin/qemu.git
usb: fix some memory allocation issues (CVE-2021-3527).
usb: add stubs, allow building without usb subsystem. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmCSmHYACgkQTLbY7tPo cTgaCg/+JhqQOxrDQyti57OjS0JEneuqxZLzBcrqarXssEx2q2hG4aV/CHbPguLh MmTHAwNp1ncCgQ7f95obF+zqpSTjDy42gsmR7CNBXxV2BhNt8exDvJjcAZ/4xy6T qFdQ9/VSMghmgR5rOnZ9ecf7DMdnvfQy/Bn96FUP5baGpi4Bgg1eM5yTbe81l5Q4 frj83p5CNfJ/6kk9rCCT2WLLxpm8qFxXQy5JBOM80iJeupc59mZ/l6d+GMTnZYB9 SsIp1Kvh3NKLqkRZFMohrjCkGkEADMknPv126Mev5ZP3WIoS4LsUK0Gyqvi+MVoV KWf33ZLVqKnsKw1nfb6LMwWy9r7+IK9EV2bxsoo/3xd9f0PT95nwZhLDtmzMfxq/ uKpt+/1uEkQB3f7WrVzYw74bdOIu7w497Q4f3hRZ/8ohB+/QNZkFSHaf24Htt7CZ 0hsB8WB7RmfdUz+ndPmbnzOizHeDy/hQT/IaF92nLG69YpBE8/ZyGX/HDqOUzClJ mMN6z5EyzXG3bssH3iP50+hufRe9xHZw4Jm/QI+4rg5sIH+tPDKvks98tGMIQC1h fh/SQNWucVJs5cmcr+n36bUOT7fGe3dy28NseU1XhIy3jcQGm9u0t9XFbC7kPoNO du722597UGWxMOtGK40TE9i377124lum/ZPGpGD34NXR1Z7meNM= =5oCQ -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20210505-pull-request' into staging usb: fix some memory allocation issues (CVE-2021-3527). usb: add stubs, allow building without usb subsystem. # gpg: Signature made Wed 05 May 2021 14:07:02 BST # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20210505-pull-request: usb: limit combined packets to 1 MiB (CVE-2021-3527) usb/mtp: avoid dynamic stack allocation usb/redir: avoid dynamic stack allocation (CVE-2021-3527) usb/hid: avoid dynamic stack allocation hw/usb: Do not build USB subsystem if not required hw/usb/host-stub: Remove unused header Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
commit
e4f3ede95c
|
@ -1827,6 +1827,7 @@ USB
|
|||
M: Gerd Hoffmann <kraxel@redhat.com>
|
||||
S: Maintained
|
||||
F: hw/usb/*
|
||||
F: stubs/usb-dev-stub.c
|
||||
F: tests/qtest/usb-*-test.c
|
||||
F: docs/usb2.txt
|
||||
F: docs/usb-storage.txt
|
||||
|
|
|
@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
|
|||
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
|
||||
next == NULL ||
|
||||
/* Work around for Linux usbfs bulk splitting + migration */
|
||||
(totalsize == (16 * KiB - 36) && p->int_req)) {
|
||||
(totalsize == (16 * KiB - 36) && p->int_req) ||
|
||||
/* Next package may grow combined package over 1MiB */
|
||||
totalsize > 1 * MiB - ep->max_packet_size) {
|
||||
usb_device_handle_data(ep->dev, first);
|
||||
assert(first->status == USB_RET_ASYNC);
|
||||
if (first->combined) {
|
||||
|
|
|
@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
|
|||
{
|
||||
USBHIDState *us = USB_HID(dev);
|
||||
HIDState *hs = &us->hid;
|
||||
uint8_t buf[p->iov.size];
|
||||
g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
||||
int len = 0;
|
||||
|
||||
switch (p->pid) {
|
||||
|
|
|
@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
|
|||
MTPObject *o)
|
||||
{
|
||||
MTPData *d = usb_mtp_data_alloc(c);
|
||||
uint32_t i = 0, handles[o->nchildren];
|
||||
uint32_t i = 0;
|
||||
g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
|
||||
MTPObject *iter;
|
||||
|
||||
trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);
|
||||
|
|
|
@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
|
|||
static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
|
||||
{
|
||||
USBWacomState *s = (USBWacomState *) dev;
|
||||
uint8_t buf[p->iov.size];
|
||||
g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
||||
int len = 0;
|
||||
|
||||
switch (p->pid) {
|
||||
|
|
|
@ -31,7 +31,6 @@
|
|||
*/
|
||||
|
||||
#include "qemu/osdep.h"
|
||||
#include "ui/console.h"
|
||||
#include "hw/usb.h"
|
||||
#include "monitor/monitor.h"
|
||||
|
||||
|
|
|
@ -1,17 +1,14 @@
|
|||
hw_usb_modules = {}
|
||||
|
||||
# usb subsystem core
|
||||
softmmu_ss.add(files(
|
||||
softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
|
||||
'bus.c',
|
||||
'combined-packet.c',
|
||||
'core.c',
|
||||
'pcap.c',
|
||||
'libhw.c'
|
||||
))
|
||||
|
||||
softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
|
||||
'desc.c',
|
||||
'desc-msos.c',
|
||||
'libhw.c',
|
||||
'pcap.c',
|
||||
))
|
||||
|
||||
# usb host adapters
|
||||
|
|
|
@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
|
|||
.endpoint = ep,
|
||||
.length = p->iov.size
|
||||
};
|
||||
uint8_t buf[p->iov.size];
|
||||
g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
||||
/* No id, we look at the ep when receiving a status back */
|
||||
usb_packet_copy(p, buf, p->iov.size);
|
||||
usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
|
||||
|
@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
|
|||
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
||||
&bulk_packet, NULL, 0);
|
||||
} else {
|
||||
uint8_t buf[size];
|
||||
g_autofree uint8_t *buf = g_malloc(size);
|
||||
usb_packet_copy(p, buf, size);
|
||||
usbredir_log_data(dev, "bulk data out:", buf, size);
|
||||
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
||||
|
@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
|
|||
USBPacket *p, uint8_t ep)
|
||||
{
|
||||
struct usb_redir_interrupt_packet_header interrupt_packet;
|
||||
uint8_t buf[p->iov.size];
|
||||
g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
||||
|
||||
DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
|
||||
p->iov.size, p->id);
|
||||
|
|
|
@ -50,6 +50,7 @@ if have_block
|
|||
endif
|
||||
if have_system
|
||||
stub_ss.add(files('semihost.c'))
|
||||
stub_ss.add(files('usb-dev-stub.c'))
|
||||
stub_ss.add(files('xen-hw-stub.c'))
|
||||
else
|
||||
stub_ss.add(files('qdev.c'))
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
/*
|
||||
* QEMU USB device emulation stubs
|
||||
*
|
||||
* Copyright (C) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
|
||||
*
|
||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
#include "qemu/osdep.h"
|
||||
#include "qemu/error-report.h"
|
||||
#include "sysemu/sysemu.h"
|
||||
#include "monitor/monitor.h"
|
||||
#include "hw/usb.h"
|
||||
|
||||
USBDevice *usbdevice_create(const char *driver)
|
||||
{
|
||||
error_report("Support for USB devices not built-in");
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void hmp_info_usb(Monitor *mon, const QDict *qdict)
|
||||
{
|
||||
monitor_printf(mon, "Support for USB devices not built-in\n");
|
||||
}
|
Loading…
Reference in New Issue