From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Daniel P. Berrangé, Eduardo Habkost, Li Qiang, Alexander Bulekov, Gerd Hoffmann, Cleber Rosa, Paolo Bonzini
Subject: [PULL 01/18] hw: xhci: check return value of 'usb_packet_map'
Date: Fri, 28 Aug 2020 10:08:28 +0200
Message-Id: <20200828080845.28287-2-kraxel@redhat.com>
In-Reply-To: <20200828080845.28287-1-kraxel@redhat.com>
References: <20200828080845.28287-1-kraxel@redhat.com>
From: Li Qiang

Currently we don't check the return value of 'usb_packet_map'; this will cause a UAF issue.

This is LP#1891341. Following is the reproducer provided in:
-->https://bugs.launchpad.net/qemu/+bug/1891341

cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c009f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffff3655
writeq 0x9f0d000000002000 0xff2f9e0000000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x06
write 0x17278 0x1 0x34
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c051a0100000000
write 0x34001d 0x1 0x13
write 0x340026 0x1 0x30
write 0x340028 0x1 0x08
write 0x34002c 0x1 0xfe
write 0x34002d 0x1 0x08
write 0x340037 0x1 0x5e
write 0x34003a 0x1 0x05
write 0x34003d 0x1 0x05
write 0x34004d 0x1 0x13
writeq 0x9f0d000000002000 0xff00010100400009
EOF

This patch fixes this.

Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
Reported-by: Alexander Bulekov
Signed-off-by: Li Qiang
Message-id: 20200812153139.15146-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann
---
 hw/usb/hcd-xhci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 67a18fe2b64c..46a2186d912a 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1615,7 +1615,10 @@ static int xhci_setup_packet(XHCITransfer *xfer) xhci_xfer_create_sgl(xfer, dir =3D=3D USB_TOKEN_IN); /* Also sets int_= req */ usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid, xfer->trbs[0].addr, false, xfer->int_req); - usb_packet_map(&xfer->packet, &xfer->sgl); + if (usb_packet_map(&xfer->packet, &xfer->sgl)) { + qemu_sglist_destroy(&xfer->sgl); + return -1; + } DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n", xfer->packet.pid, ep->dev->addr, ep->nr); return 0; --=20 2.27.0
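Review bot: the new early return in xhci_setup_packet tears down the scatter-gather list with qemu_sglist_destroy but leaves xfer->packet in the state usb_packet_setup just put it in, and the hunk does not show how callers of xhci_setup_packet treat -1; please confirm no caller goes on to submit or unmap that packet, since a stale, never-mapped packet reaching the unmap path is exactly the kind of lifetime bug the commit message describes. It would also be worth emitting a DPRINTF (or trace point) on this failure path next to the existing "xhci: setup packet" message, so a guest that hands the controller an unmappable buffer shows up in -trace usb* output instead of being dropped silently.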