Gerd Hoffmann (5):
  usb/hid: avoid dynamic stack allocation
  usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
  usb/mtp: avoid dynamic stack allocation
  usb/xhci: sanity check packet size
  usb: limit combined packets to 1 MiB

 hw/usb/combined-packet.c | 4 +++-
 hw/usb/dev-hid.c         | 2 +-
 hw/usb/dev-mtp.c         | 3 ++-
 hw/usb/dev-wacom.c       | 2 +-
 hw/usb/hcd-xhci.c        | 5 +++++
 hw/usb/redirect.c        | 4 ++--
 6 files changed, 14 insertions(+), 6 deletions(-)

-- 
2.30.2
On 5/3/21 11:14 AM, Gerd Hoffmann wrote:
>
>
> Gerd Hoffmann (5):
>   usb/hid: avoid dynamic stack allocation
>   usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
>   usb/mtp: avoid dynamic stack allocation
>   usb/xhci: sanity check packet size
>   usb: limit combined packets to 1 MiB

What about enabling -Wvla by default?

  -Wvla
      Warn if a variable-length array is used in the code.

Most of our variable-length stack alloc could use some LENGTH_MAX
definition or use the heap:

[2/1072] Compiling C object libqemuutil.a.p/util_iov.c.o
FAILED: libqemuutil.a.p/util_iov.c.o
util/iov.c: In function ‘qemu_iovec_clone’:
util/iov.c:626:5: error: ISO C90 forbids variable length array ‘sortelems’ [-Werror=vla]
  626 |     IOVectorSortElem sortelems[src->niov];
      |     ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[125/1072] Compiling C object libio.fa.p/io_channel-websock.c.o
FAILED: libio.fa.p/io_channel-websock.c.o
io/channel-websock.c: In function ‘qio_channel_websock_handshake_send_res_ok’:
io/channel-websock.c:350:23: error: ISO C90 forbids array ‘combined_key’ whose size cannot be evaluated [-Werror=vla]
  350 |                       QIO_CHANNEL_WEBSOCK_GUID_LEN + 1];
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[177/1072] Compiling C object libblock.fa.p/block_vpc.c.o
FAILED: libblock.fa.p/block_vpc.c.o
block/vpc.c: In function ‘get_image_offset’:
block/vpc.c:512:9: error: ISO C90 forbids variable length array ‘bitmap’ [-Werror=vla]
  512 |         uint8_t bitmap[s->bitmap_size];
      |         ^~~~~~~
block/vpc.c: In function ‘alloc_block’:
block/vpc.c:559:5: error: ISO C90 forbids variable length array ‘bitmap’ [-Werror=vla]
  559 |     uint8_t bitmap[s->bitmap_size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[278/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-hextile.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-hextile.c.o
In file included from ui/vnc-enc-hextile.c:37:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable length array ‘data’ [-Werror=vla]
   28 |     uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
      |     ^~~~~~~
In file included from ui/vnc-enc-hextile.c:42:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_generic_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable length array ‘data’ [-Werror=vla]
   28 |     uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[283/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-tight.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-tight.c.o
ui/vnc-enc-tight.c: In function ‘send_palette_rect’:
ui/vnc-enc-tight.c:1101:9: error: ISO C90 forbids variable length array ‘header’ [-Werror=vla]
 1101 |         uint32_t header[palette_size(palette)];
      |         ^~~~~~~~
ui/vnc-enc-tight.c:1118:9: error: ISO C90 forbids variable length array ‘header’ [-Werror=vla]
 1118 |         uint16_t header[palette_size(palette)];
      |         ^~~~~~~~
cc1: all warnings being treated as errors
[353/1072] Compiling C object libcommon.fa.p/net_dump.c.o
FAILED: libcommon.fa.p/net_dump.c.o
net/dump.c: In function ‘dump_receive_iov’:
net/dump.c:71:12: error: ISO C90 forbids variable length array ‘dumpiov’ [-Werror=vla]
   71 |     struct iovec dumpiov[cnt + 1];
      |            ^~~~~
cc1: all warnings being treated as errors
[375/1072] Compiling C object libcommon.fa.p/net_tap.c.o
FAILED: libcommon.fa.p/net_tap.c.o
net/tap.c: In function ‘tap_receive_iov’:
net/tap.c:123:12: error: ISO C90 forbids variable length array ‘iov_copy’ [-Werror=vla]
  123 |     struct iovec iov_copy[iovcnt + 1];
      |            ^~~~~
cc1: all warnings being treated as errors
[451/1072] Compiling C object libcommon.fa.p/hw_block_nvme.c.o
FAILED: libcommon.fa.p/hw_block_nvme.c.o
hw/block/nvme.c: In function ‘nvme_map_prp’:
hw/block/nvme.c:655:13: error: ISO C90 forbids variable length array ‘prp_list’ [-Werror=vla]
  655 |             uint64_t prp_list[n->max_prp_ents];
      |             ^~~~~~~~
hw/block/nvme.c: In function ‘nvme_map_sgl’:
hw/block/nvme.c:817:5: error: ISO C90 forbids variable length array ‘segment’ [-Werror=vla]
  817 |     NvmeSglDescriptor segment[SEG_CHUNK_SIZE], *sgld, *last_sgld;
      |     ^~~~~~~~~~~~~~~~~
hw/block/nvme.c: In function ‘nvme_dsm’:
hw/block/nvme.c:2513:9: error: ISO C90 forbids variable length array ‘range’ [-Werror=vla]
 2513 |         NvmeDsmRange range[nr];
      |         ^~~~~~~~~~~~
cc1: all warnings being treated as errors
[653/1072] Compiling C object libcommon.fa.p/hw_net_e1000e_core.c.o
FAILED: libcommon.fa.p/hw_net_e1000e_core.c.o
hw/net/e1000e_core.c: In function ‘e1000e_receive_iov’:
hw/net/e1000e_core.c:1632:5: error: ISO C90 forbids variable length array ‘min_buf’ [-Werror=vla]
 1632 |     uint8_t min_buf[min_buf_size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[663/1072] Compiling C object libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
FAILED: libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
hw/net/rocker/rocker_of_dpa.c: In function ‘of_dpa_ig’:
hw/net/rocker/rocker_of_dpa.c:1046:12: error: ISO C90 forbids variable length array ‘iov_copy’ [-Werror=vla]
 1046 |     struct iovec iov_copy[iovcnt + 2];
      |            ^~~~~
cc1: all warnings being treated as errors
[778/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-ohci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-ohci.c.o
hw/usb/hcd-ohci.c: In function ‘ohci_td_pkt’:
hw/usb/hcd-ohci.c:903:5: error: ISO C90 forbids variable length array ‘tmp’ [-Werror=vla]
  903 |     char tmp[3 * width + 1];
      |     ^~~~
cc1: all warnings being treated as errors
[787/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-xhci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-xhci.c.o
hw/usb/hcd-xhci.c: In function ‘xhci_get_port_bandwidth’:
hw/usb/hcd-xhci.c:2385:5: error: ISO C90 forbids variable length array ‘bw_ctx’ [-Werror=vla]
 2385 |     uint8_t bw_ctx[xhci->numports+1];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[791/1072] Compiling C object libcommon.fa.p/hw_usb_dev-hid.c.o
FAILED: libcommon.fa.p/hw_usb_dev-hid.c.o
hw/usb/dev-hid.c: In function ‘usb_hid_handle_data’:
hw/usb/dev-hid.c:659:5: error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
  659 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[794/1072] Compiling C object libcommon.fa.p/hw_usb_dev-wacom.c.o
FAILED: libcommon.fa.p/hw_usb_dev-wacom.c.o
hw/usb/dev-wacom.c: In function ‘usb_wacom_handle_data’:
hw/usb/dev-wacom.c:304:5: error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
  304 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[807/1072] Compiling C object libcommon.fa.p/hw_usb_dev-mtp.c.o
FAILED: libcommon.fa.p/hw_usb_dev-mtp.c.o
hw/usb/dev-mtp.c: In function ‘usb_mtp_get_object_handles’:
hw/usb/dev-mtp.c:910:5: error: ISO C90 forbids variable length array ‘handles’ [-Werror=vla]
  910 |     uint32_t i = 0, handles[o->nchildren];
      |     ^~~~~~~~
cc1: all warnings being treated as errors
[818/1072] Compiling C object libcommon.fa.p/chardev_baum.c.o
FAILED: libcommon.fa.p/chardev_baum.c.o
chardev/baum.c: In function ‘baum_write_packet’:
chardev/baum.c:299:5: error: ISO C90 forbids variable length array ‘io_buf’ [-Werror=vla]
  299 |     uint8_t io_buf[1 + 2 * len], *cur = io_buf;
      |     ^~~~~~~
chardev/baum.c: In function ‘baum_eat_packet’:
chardev/baum.c:383:9: error: ISO C90 forbids variable length array ‘cells’ [-Werror=vla]
  383 |         uint8_t cells[baum->x * baum->y], c;
      |         ^~~~~~~
chardev/baum.c:384:9: error: ISO C90 forbids variable length array ‘text’ [-Werror=vla]
  384 |         uint8_t text[baum->x * baum->y];
      |         ^~~~~~~
chardev/baum.c:385:9: error: ISO C90 forbids variable length array ‘zero’ [-Werror=vla]
  385 |         uint8_t zero[baum->x * baum->y];
      |         ^~~~~~~
cc1: all warnings being treated as errors
[825/1072] Compiling C object libcommon.fa.p/hw_usb_redirect.c.o
FAILED: libcommon.fa.p/hw_usb_redirect.c.o
hw/usb/redirect.c: In function ‘usbredir_handle_iso_data’:
hw/usb/redirect.c:623:13: error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
  623 |             uint8_t buf[p->iov.size];
      |             ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_bulk_data’:
hw/usb/redirect.c:821:9: error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
  821 |         uint8_t buf[size];
      |         ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_interrupt_out_data’:
hw/usb/redirect.c:926:5: error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
  926 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[830/1072] Compiling C object libcommon.fa.p/ui_curses.c.o
FAILED: libcommon.fa.p/ui_curses.c.o
ui/curses.c: In function ‘curses_update’:
ui/curses.c:68:5: error: ISO C90 forbids variable length array ‘curses_line’ [-Werror=vla]
   68 |     cchar_t curses_line[width];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[852/1072] Compiling C object libcommon.fa.p/ui_spice-display.c.o
FAILED: libcommon.fa.p/ui_spice-display.c.o
ui/spice-display.c: In function ‘qemu_spice_create_update’:
ui/spice-display.c:191:5: error: ISO C90 forbids variable length array ‘dirty_top’ [-Werror=vla]
  191 |     int dirty_top[blocks];
      |     ^~~
cc1: all warnings being treated as errors
[987/1072] Compiling C object libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
FAILED: libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
hw/block/dataplane/virtio-blk.c: In function ‘notify_guest_bh’:
hw/block/dataplane/virtio-blk.c:63:5: error: ISO C90 forbids variable length array ‘bitmap’ [-Werror=vla]
   63 |     unsigned long bitmap[BITS_TO_LONGS(nvqs)];
      |     ^~~~~~~~
cc1: all warnings being treated as errors
[1066/1072] Compiling C object libqemu-arm-softmmu.fa.p/accel_tcg_translate-all.c.o
ninja: build stopped: cannot make progress due to previous errors.
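
Added example, not part of the thread and not QEMU code: the two replacements named in the reply above (a LENGTH_MAX-style constant, or the heap) applied to a handler whose length comes from an untrusted peer. The names handle_packet, sum_bytes, PKT_STACK_MAX and PKT_LENGTH_MAX and both limits are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PKT_STACK_MAX  64u         /* assumed size of the fixed stack buffer */
#define PKT_LENGTH_MAX (1u << 20)  /* assumed hard cap for this sketch: 1 MiB */

/* Stand-in for whatever the device model does with the copied bytes. */
static uint32_t sum_bytes(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* The form -Wvla reports is `uint8_t buf[len];` with len chosen by the peer.
 * Here the stack buffer has a constant size, larger packets go to the heap,
 * and anything above the cap is refused before any allocation happens.
 * Returns 0 and fills *out, or -1 on a rejected length or failed malloc. */
int handle_packet(const uint8_t *data, size_t len, uint32_t *out)
{
    uint8_t small[PKT_STACK_MAX];
    uint8_t *buf = small;

    if (len > PKT_LENGTH_MAX) {
        return -1;
    }
    if (len > sizeof(small)) {
        buf = malloc(len);
        if (buf == NULL) {
            return -1;
        }
    }
    memcpy(buf, data, len);
    *out = sum_bytes(buf, len);
    if (buf != small) {
        free(buf);
    }
    return 0;
}

int main(void)
{
    uint8_t pkt[200];              /* constructed sample packet */
    uint32_t out = 0;
    memset(pkt, 1, sizeof(pkt));
    return (handle_packet(pkt, sizeof(pkt), &out) == 0 && out == 200) ? 0 : 1;
}
```

Built with -Wvla -Werror, this file compiles cleanly because every array bound is a constant expression.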