From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Qiuhao Li" <Qiuhao.Li@outlook.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Darren Kenny" <darren.kenny@oracle.com>,
"Bandan Das" <bsd@redhat.com>,
"Alexander Bulekov" <alxndr@bu.edu>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Markus Armbruster" <armbru@redhat.com>,
"Akihiko Odaki" <akihiko.odaki@gmail.com>,
"Alexandre Ratchov" <alex@caoua.org>,
"Laurent Vivier" <lvivier@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Qiang Liu" <cyruscyliu@gmail.com>,
"Gaoning Pan" <pgn@zju.edu.cn>
Subject: [PULL 12/24] hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero
Date: Tue, 27 Sep 2022 10:19:00 +0200 [thread overview]
Message-ID: <20220927081912.180983-13-kraxel@redhat.com> (raw)
In-Reply-To: <20220927081912.180983-1-kraxel@redhat.com>
From: Qiang Liu <cyruscyliu@gmail.com>
An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].
``` c
static void ohci_frame_boundary(void *opaque)
{
// ...
if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
if (!ohci->done)
abort(); <----------------------------------------- [1]
```
This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/,
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and
https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with
the latest QEMU.
This happends due to crafted ED with putting ISO_TD at physical address 0.
Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset 0 to the phyiscal
memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count
[4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f,
suppose 1), we then control the value of relative_frame_number to be 1 [6]. The
control flow goes to [7] where ohci->done is 0. Have returned from
ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].
``` c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
// ...
addr = ed->head & OHCI_DPTR_MASK; // <--------------------- [2]
if (ohci_read_iso_td(ohci, addr, &iso_td)) { // <-------- [3]
// ...
starting_frame = OHCI_BM(iso_td.flags, TD_SF); // <-------- [4]
frame_count = OHCI_BM(iso_td.flags, TD_FC); // <-------- [5]
relative_frame_number = USUB(ohci->frame_number, starting_frame);
// <-------- [6]
if (relative_frame_number < 0) {
return 1;
} else if (relative_frame_number > frame_count) {
// ...
ohci->done = addr; // <-------- [7]
// ...
}
```
As only (afaik) a guest root user can manipulate ED, TD and the physical memory,
this assertion failure is not a security bug.
The idea to fix this issue is to drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is 0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.
Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220826051557.119570-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/hcd-ohci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index 895b29fb8657..72bdde92617c 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -571,6 +571,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
addr = ed->head & OHCI_DPTR_MASK;
+ if (addr == 0) {
+ ohci_die(ohci);
+ return 1;
+ }
+
if (ohci_read_iso_td(ohci, addr, &iso_td)) {
trace_usb_ohci_iso_td_read_failed(addr);
ohci_die(ohci);
@@ -858,6 +863,11 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
int completion;
addr = ed->head & OHCI_DPTR_MASK;
+ if (addr == 0) {
+ ohci_die(ohci);
+ return 1;
+ }
+
/* See if this TD has already been submitted to the device. */
completion = (addr == ohci->async_td);
if (completion && !ohci->async_complete) {
--
2.37.3
next prev parent reply other threads:[~2022-09-27 8:52 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-27 8:18 [PULL 00/24] Kraxel 20220927 patches Gerd Hoffmann
2022-09-27 8:18 ` [PULL 01/24] ui/console: Get tab completion working again in the SDL monitor vc Gerd Hoffmann
2022-09-27 8:18 ` [PULL 02/24] ui/cocoa: Run qemu_init in the main thread Gerd Hoffmann
2022-09-27 8:18 ` [PULL 03/24] Revert "main-loop: Disable block backend global state assertion on Cocoa" Gerd Hoffmann
2022-09-27 8:18 ` [PULL 04/24] meson: Allow to enable gtk and sdl while cocoa is enabled Gerd Hoffmann
2022-09-27 8:18 ` [PULL 05/24] ui: add some vdagent related traces Gerd Hoffmann
2022-09-27 8:18 ` [PULL 06/24] ui/clipboard: fix serial priority Gerd Hoffmann
2022-09-27 8:18 ` [PULL 07/24] ui/vdagent: always reset the clipboard serial on caps Gerd Hoffmann
2022-09-27 8:18 ` [PULL 08/24] ui/clipboard: reset the serial state on reset Gerd Hoffmann
2022-09-27 8:18 ` [PULL 09/24] ui/vdagent: fix serial reset of guest agent Gerd Hoffmann
2022-09-27 8:18 ` [PULL 10/24] ui/console: fix three double frees in png_save() Gerd Hoffmann
2022-09-27 8:18 ` [PULL 11/24] hw/usb/hcd-xhci: Check whether DMA accesses fail Gerd Hoffmann
2022-09-27 8:19 ` Gerd Hoffmann [this message]
2022-09-27 8:19 ` [PULL 13/24] usb/msd: move usb_msd_packet_complete() Gerd Hoffmann
2022-09-27 8:19 ` [PULL 14/24] usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert Gerd Hoffmann
2022-09-27 8:19 ` [PULL 15/24] hcd-xhci: drop operation with secondary stream arrays enabled Gerd Hoffmann
2022-09-27 8:19 ` [PULL 16/24] usbnet: Add missing usb_wakeup() call in usbnet_receive() Gerd Hoffmann
2022-09-27 8:19 ` [PULL 17/24] usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request Gerd Hoffmann
2022-09-27 8:19 ` [PULL 18/24] usbnet: Detect short packets as sent by the xHCI controller Gerd Hoffmann
2022-09-27 8:19 ` [PULL 19/24] usbnet: Report link-up via interrupt endpoint in CDC-ECM mode Gerd Hoffmann
2022-09-27 8:19 ` [PULL 20/24] audio: Add sndio backend Gerd Hoffmann
2022-09-27 8:19 ` [PULL 21/24] Revert "audio: Log context for audio bug" Gerd Hoffmann
2022-09-27 8:19 ` [PULL 22/24] audio: remove abort() in audio_bug() Gerd Hoffmann
2022-09-27 8:19 ` [PULL 23/24] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) Gerd Hoffmann
2022-09-27 8:19 ` [PULL 24/24] virtio-gpu: update scanout if there is any area covered by the rect Gerd Hoffmann
2022-09-27 15:04 ` [PULL 00/24] Kraxel 20220927 patches Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220927081912.180983-13-kraxel@redhat.com \
--to=kraxel@redhat.com \
--cc=Qiuhao.Li@outlook.com \
--cc=akihiko.odaki@gmail.com \
--cc=alex@caoua.org \
--cc=alxndr@bu.edu \
--cc=armbru@redhat.com \
--cc=bsd@redhat.com \
--cc=cyruscyliu@gmail.com \
--cc=darren.kenny@oracle.com \
--cc=eblake@redhat.com \
--cc=f4bug@amsat.org \
--cc=lvivier@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pgn@zju.edu.cn \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.