hw/usb/combined-packet.c | 4 +++- hw/usb/dev-hid.c | 2 +- hw/usb/dev-mtp.c | 3 ++- hw/usb/dev-wacom.c | 2 +- hw/usb/hcd-xhci.c | 5 +++++ hw/usb/redirect.c | 4 ++-- 6 files changed, 14 insertions(+), 6 deletions(-)
Gerd Hoffmann (5): usb/hid: avoid dynamic stack allocation usb/redir: avoid dynamic stack allocation (CVE-2021-3527) usb/mtp: avoid dynamic stack allocation usb/xhci: sanity check packet size usb: limit combined packets to 1 MiB hw/usb/combined-packet.c | 4 +++- hw/usb/dev-hid.c | 2 +- hw/usb/dev-mtp.c | 3 ++- hw/usb/dev-wacom.c | 2 +- hw/usb/hcd-xhci.c | 5 +++++ hw/usb/redirect.c | 4 ++-- 6 files changed, 14 insertions(+), 6 deletions(-) -- 2.30.2
On 5/3/21 11:14 AM, Gerd Hoffmann wrote:
>
>
> Gerd Hoffmann (5):
> usb/hid: avoid dynamic stack allocation
> usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
> usb/mtp: avoid dynamic stack allocation
> usb/xhci: sanity check packet size
> usb: limit combined packets to 1 MiB
What about enabling -Wvla by default?
-Wvla
Warn if a variable-length array is used in the code.
Most of our variable-length stack alloc could use some
LENGTH_MAX definition or use the heap:
[2/1072] Compiling C object libqemuutil.a.p/util_iov.c.o
FAILED: libqemuutil.a.p/util_iov.c.o
util/iov.c: In function ‘qemu_iovec_clone’:
util/iov.c:626:5: error: ISO C90 forbids variable length array
‘sortelems’ [-Werror=vla]
626 | IOVectorSortElem sortelems[src->niov];
| ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[125/1072] Compiling C object libio.fa.p/io_channel-websock.c.o
FAILED: libio.fa.p/io_channel-websock.c.o
io/channel-websock.c: In function
‘qio_channel_websock_handshake_send_res_ok’:
io/channel-websock.c:350:23: error: ISO C90 forbids array ‘combined_key’
whose size cannot be evaluated [-Werror=vla]
350 | QIO_CHANNEL_WEBSOCK_GUID_LEN + 1];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[177/1072] Compiling C object libblock.fa.p/block_vpc.c.o
FAILED: libblock.fa.p/block_vpc.c.o
block/vpc.c: In function ‘get_image_offset’:
block/vpc.c:512:9: error: ISO C90 forbids variable length array ‘bitmap’
[-Werror=vla]
512 | uint8_t bitmap[s->bitmap_size];
| ^~~~~~~
block/vpc.c: In function ‘alloc_block’:
block/vpc.c:559:5: error: ISO C90 forbids variable length array ‘bitmap’
[-Werror=vla]
559 | uint8_t bitmap[s->bitmap_size];
| ^~~~~~~
cc1: all warnings being treated as errors
[278/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-hextile.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-hextile.c.o
In file included from ui/vnc-enc-hextile.c:37:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable
length array ‘data’ [-Werror=vla]
28 | uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
| ^~~~~~~
In file included from ui/vnc-enc-hextile.c:42:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_generic_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable
length array ‘data’ [-Werror=vla]
28 | uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
| ^~~~~~~
cc1: all warnings being treated as errors
[283/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-tight.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-tight.c.o
ui/vnc-enc-tight.c: In function ‘send_palette_rect’:
ui/vnc-enc-tight.c:1101:9: error: ISO C90 forbids variable length array
‘header’ [-Werror=vla]
1101 | uint32_t header[palette_size(palette)];
| ^~~~~~~~
ui/vnc-enc-tight.c:1118:9: error: ISO C90 forbids variable length array
‘header’ [-Werror=vla]
1118 | uint16_t header[palette_size(palette)];
| ^~~~~~~~
cc1: all warnings being treated as errors
[353/1072] Compiling C object libcommon.fa.p/net_dump.c.o
FAILED: libcommon.fa.p/net_dump.c.o
net/dump.c: In function ‘dump_receive_iov’:
net/dump.c:71:12: error: ISO C90 forbids variable length array ‘dumpiov’
[-Werror=vla]
71 | struct iovec dumpiov[cnt + 1];
| ^~~~~
cc1: all warnings being treated as errors
[375/1072] Compiling C object libcommon.fa.p/net_tap.c.o
FAILED: libcommon.fa.p/net_tap.c.o
net/tap.c: In function ‘tap_receive_iov’:
net/tap.c:123:12: error: ISO C90 forbids variable length array
‘iov_copy’ [-Werror=vla]
123 | struct iovec iov_copy[iovcnt + 1];
| ^~~~~
cc1: all warnings being treated as errors
[451/1072] Compiling C object libcommon.fa.p/hw_block_nvme.c.o
FAILED: libcommon.fa.p/hw_block_nvme.c.o
hw/block/nvme.c: In function ‘nvme_map_prp’:
hw/block/nvme.c:655:13: error: ISO C90 forbids variable length array
‘prp_list’ [-Werror=vla]
655 | uint64_t prp_list[n->max_prp_ents];
| ^~~~~~~~
hw/block/nvme.c: In function ‘nvme_map_sgl’:
hw/block/nvme.c:817:5: error: ISO C90 forbids variable length array
‘segment’ [-Werror=vla]
817 | NvmeSglDescriptor segment[SEG_CHUNK_SIZE], *sgld, *last_sgld;
| ^~~~~~~~~~~~~~~~~
hw/block/nvme.c: In function ‘nvme_dsm’:
hw/block/nvme.c:2513:9: error: ISO C90 forbids variable length array
‘range’ [-Werror=vla]
2513 | NvmeDsmRange range[nr];
| ^~~~~~~~~~~~
cc1: all warnings being treated as errors
[653/1072] Compiling C object libcommon.fa.p/hw_net_e1000e_core.c.o
FAILED: libcommon.fa.p/hw_net_e1000e_core.c.o
hw/net/e1000e_core.c: In function ‘e1000e_receive_iov’:
hw/net/e1000e_core.c:1632:5: error: ISO C90 forbids variable length
array ‘min_buf’ [-Werror=vla]
1632 | uint8_t min_buf[min_buf_size];
| ^~~~~~~
cc1: all warnings being treated as errors
[663/1072] Compiling C object libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
FAILED: libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
hw/net/rocker/rocker_of_dpa.c: In function ‘of_dpa_ig’:
hw/net/rocker/rocker_of_dpa.c:1046:12: error: ISO C90 forbids variable
length array ‘iov_copy’ [-Werror=vla]
1046 | struct iovec iov_copy[iovcnt + 2];
| ^~~~~
cc1: all warnings being treated as errors
[778/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-ohci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-ohci.c.o
hw/usb/hcd-ohci.c: In function ‘ohci_td_pkt’:
hw/usb/hcd-ohci.c:903:5: error: ISO C90 forbids variable length array
‘tmp’ [-Werror=vla]
903 | char tmp[3 * width + 1];
| ^~~~
cc1: all warnings being treated as errors
[787/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-xhci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-xhci.c.o
hw/usb/hcd-xhci.c: In function ‘xhci_get_port_bandwidth’:
hw/usb/hcd-xhci.c:2385:5: error: ISO C90 forbids variable length array
‘bw_ctx’ [-Werror=vla]
2385 | uint8_t bw_ctx[xhci->numports+1];
| ^~~~~~~
cc1: all warnings being treated as errors
[791/1072] Compiling C object libcommon.fa.p/hw_usb_dev-hid.c.o
FAILED: libcommon.fa.p/hw_usb_dev-hid.c.o
hw/usb/dev-hid.c: In function ‘usb_hid_handle_data’:
hw/usb/dev-hid.c:659:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
659 | uint8_t buf[p->iov.size];
| ^~~~~~~
cc1: all warnings being treated as errors
[794/1072] Compiling C object libcommon.fa.p/hw_usb_dev-wacom.c.o
FAILED: libcommon.fa.p/hw_usb_dev-wacom.c.o
hw/usb/dev-wacom.c: In function ‘usb_wacom_handle_data’:
hw/usb/dev-wacom.c:304:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
304 | uint8_t buf[p->iov.size];
| ^~~~~~~
cc1: all warnings being treated as errors
[807/1072] Compiling C object libcommon.fa.p/hw_usb_dev-mtp.c.o
FAILED: libcommon.fa.p/hw_usb_dev-mtp.c.o
hw/usb/dev-mtp.c: In function ‘usb_mtp_get_object_handles’:
hw/usb/dev-mtp.c:910:5: error: ISO C90 forbids variable length array
‘handles’ [-Werror=vla]
910 | uint32_t i = 0, handles[o->nchildren];
| ^~~~~~~~
cc1: all warnings being treated as errors
[818/1072] Compiling C object libcommon.fa.p/chardev_baum.c.o
FAILED: libcommon.fa.p/chardev_baum.c.o
chardev/baum.c: In function ‘baum_write_packet’:
chardev/baum.c:299:5: error: ISO C90 forbids variable length array
‘io_buf’ [-Werror=vla]
299 | uint8_t io_buf[1 + 2 * len], *cur = io_buf;
| ^~~~~~~
chardev/baum.c: In function ‘baum_eat_packet’:
chardev/baum.c:383:9: error: ISO C90 forbids variable length array
‘cells’ [-Werror=vla]
383 | uint8_t cells[baum->x * baum->y], c;
| ^~~~~~~
chardev/baum.c:384:9: error: ISO C90 forbids variable length array
‘text’ [-Werror=vla]
384 | uint8_t text[baum->x * baum->y];
| ^~~~~~~
chardev/baum.c:385:9: error: ISO C90 forbids variable length array
‘zero’ [-Werror=vla]
385 | uint8_t zero[baum->x * baum->y];
| ^~~~~~~
cc1: all warnings being treated as errors
[825/1072] Compiling C object libcommon.fa.p/hw_usb_redirect.c.o
FAILED: libcommon.fa.p/hw_usb_redirect.c.o
hw/usb/redirect.c: In function ‘usbredir_handle_iso_data’:
hw/usb/redirect.c:623:13: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
623 | uint8_t buf[p->iov.size];
| ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_bulk_data’:
hw/usb/redirect.c:821:9: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
821 | uint8_t buf[size];
| ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_interrupt_out_data’:
hw/usb/redirect.c:926:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
926 | uint8_t buf[p->iov.size];
| ^~~~~~~
cc1: all warnings being treated as errors
[830/1072] Compiling C object libcommon.fa.p/ui_curses.c.o
FAILED: libcommon.fa.p/ui_curses.c.o
ui/curses.c: In function ‘curses_update’:
ui/curses.c:68:5: error: ISO C90 forbids variable length array
‘curses_line’ [-Werror=vla]
68 | cchar_t curses_line[width];
| ^~~~~~~
cc1: all warnings being treated as errors
[852/1072] Compiling C object libcommon.fa.p/ui_spice-display.c.o
FAILED: libcommon.fa.p/ui_spice-display.c.o
ui/spice-display.c: In function ‘qemu_spice_create_update’:
ui/spice-display.c:191:5: error: ISO C90 forbids variable length array
‘dirty_top’ [-Werror=vla]
191 | int dirty_top[blocks];
| ^~~
cc1: all warnings being treated as errors
[987/1072] Compiling C object
libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
FAILED: libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
hw/block/dataplane/virtio-blk.c: In function ‘notify_guest_bh’:
hw/block/dataplane/virtio-blk.c:63:5: error: ISO C90 forbids variable
length array ‘bitmap’ [-Werror=vla]
63 | unsigned long bitmap[BITS_TO_LONGS(nvqs)];
| ^~~~~~~~
cc1: all warnings being treated as errors
[1066/1072] Compiling C object
libqemu-arm-softmmu.fa.p/accel_tcg_translate-all.c.o
ninja: build stopped: cannot make progress due to previous errors.
© 2016 - 2024 Red Hat, Inc.