From: Gerd Hoffmann <kraxel@redhat.com>
To: Remy Noel <remy.noel@blade-group.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)
Date: Tue, 4 May 2021 16:12:11 +0200 [thread overview]
Message-ID: <20210504141211.hmevpsfq3bc5j2kq@sirius.home.kraxel.org> (raw)
In-Reply-To: <20210504133327.wh4ncydrs5jvwhrh@gmail.com>
On Tue, May 04, 2021 at 03:33:27PM +0200, Remy Noel wrote:
> Hello
>
> On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
> > Make sure the usb packet size is within the
> > bounds of the endpoint configuration.
> >
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
> > ---
> > hw/usb/hcd-xhci.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
> > index 46212b1e695a..7acfb8137bc9 100644
> > --- a/hw/usb/hcd-xhci.c
> > +++ b/hw/usb/hcd-xhci.c
> > @@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
> > qemu_sglist_destroy(&xfer->sgl);
> > return -1;
> > }
> > + if (xfer->packet.iov.size > ep->max_packet_size) {
> > + usb_packet_unmap(&xfer->packet, &xfer->sgl);
> > + qemu_sglist_destroy(&xfer->sgl);
> > + return -1;
> > + }
> > DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
> > xfer->packet.pid, ep->dev->addr, ep->nr);
> > return 0;
> > --
> So im my user's case (using a usb-Display-port adapter) i managed to trigger
> this error.
Oh.
What is the packet size (xfer->packet.iov.size)?
Can I get an 'lsusb -v' for the device in question?
take care,
Gerd
next prev parent reply other threads:[~2021-05-04 14:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-04 8:53 [PULL 0/7] Usb 20210504 patches Gerd Hoffmann
2021-05-04 8:53 ` [PULL 1/7] hw/usb/host-stub: Remove unused header Gerd Hoffmann
2021-05-04 8:53 ` [PULL 2/7] hw/usb: Do not build USB subsystem if not required Gerd Hoffmann
2021-05-04 8:53 ` [PULL 3/7] usb/hid: avoid dynamic stack allocation Gerd Hoffmann
2021-05-04 8:53 ` [PULL 4/7] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) Gerd Hoffmann
2021-05-04 8:53 ` [PULL 5/7] usb/mtp: avoid dynamic stack allocation Gerd Hoffmann
2021-05-04 8:53 ` [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527) Gerd Hoffmann
2021-05-04 13:33 ` Remy Noel
2021-05-04 14:12 ` Gerd Hoffmann [this message]
2021-05-04 8:53 ` [PULL 7/7] usb: limit combined packets to 1 MiB (CVE-2021-3527) Gerd Hoffmann
2021-05-05 13:05 ` [PULL 0/7] Usb 20210504 patches Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210504141211.hmevpsfq3bc5j2kq@sirius.home.kraxel.org \
--to=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=remy.noel@blade-group.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).