[PATCH 0/5] usb: fix some memory allocation issues.

Gerd Hoffmann posted 5 patches 2 weeks, 1 day ago
Test checkpatch passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20210503091446.2137206-1-kraxel@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
hw/usb/combined-packet.c | 4 +++-
hw/usb/dev-hid.c         | 2 +-
hw/usb/dev-mtp.c         | 3 ++-
hw/usb/dev-wacom.c       | 2 +-
hw/usb/hcd-xhci.c        | 5 +++++
hw/usb/redirect.c        | 4 ++--
6 files changed, 14 insertions(+), 6 deletions(-)

[PATCH 0/5] usb: fix some memory allocation issues.

Posted by Gerd Hoffmann 2 weeks, 1 day ago

Gerd Hoffmann (5):
  usb/hid: avoid dynamic stack allocation
  usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
  usb/mtp: avoid dynamic stack allocation
  usb/xhci: sanity check packet size
  usb: limit combined packets to 1 MiB

 hw/usb/combined-packet.c | 4 +++-
 hw/usb/dev-hid.c         | 2 +-
 hw/usb/dev-mtp.c         | 3 ++-
 hw/usb/dev-wacom.c       | 2 +-
 hw/usb/hcd-xhci.c        | 5 +++++
 hw/usb/redirect.c        | 4 ++--
 6 files changed, 14 insertions(+), 6 deletions(-)

-- 
2.30.2



Re: [PATCH 0/5] usb: fix some memory allocation issues.

Posted by Philippe Mathieu-Daudé 2 weeks, 1 day ago
On 5/3/21 11:14 AM, Gerd Hoffmann wrote:
> 
> 
> Gerd Hoffmann (5):
>   usb/hid: avoid dynamic stack allocation
>   usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
>   usb/mtp: avoid dynamic stack allocation
>   usb/xhci: sanity check packet size
>   usb: limit combined packets to 1 MiB

What about enabling -Wvla by default?

  -Wvla
        Warn if a variable-length array is used in the code.

Most of our variable-length stack alloc could use some
LENGTH_MAX definition or use the heap:

[2/1072] Compiling C object libqemuutil.a.p/util_iov.c.o
FAILED: libqemuutil.a.p/util_iov.c.o
util/iov.c: In function ‘qemu_iovec_clone’:
util/iov.c:626:5: error: ISO C90 forbids variable length array
‘sortelems’ [-Werror=vla]
  626 |     IOVectorSortElem sortelems[src->niov];
      |     ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[125/1072] Compiling C object libio.fa.p/io_channel-websock.c.o
FAILED: libio.fa.p/io_channel-websock.c.o
io/channel-websock.c: In function
‘qio_channel_websock_handshake_send_res_ok’:
io/channel-websock.c:350:23: error: ISO C90 forbids array ‘combined_key’
whose size cannot be evaluated [-Werror=vla]
  350 |                       QIO_CHANNEL_WEBSOCK_GUID_LEN + 1];
      |                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
[177/1072] Compiling C object libblock.fa.p/block_vpc.c.o
FAILED: libblock.fa.p/block_vpc.c.o
block/vpc.c: In function ‘get_image_offset’:
block/vpc.c:512:9: error: ISO C90 forbids variable length array ‘bitmap’
[-Werror=vla]
  512 |         uint8_t bitmap[s->bitmap_size];
      |         ^~~~~~~
block/vpc.c: In function ‘alloc_block’:
block/vpc.c:559:5: error: ISO C90 forbids variable length array ‘bitmap’
[-Werror=vla]
  559 |     uint8_t bitmap[s->bitmap_size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[278/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-hextile.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-hextile.c.o
In file included from ui/vnc-enc-hextile.c:37:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable
length array ‘data’ [-Werror=vla]
   28 |     uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
      |     ^~~~~~~
In file included from ui/vnc-enc-hextile.c:42:
ui/vnc-enc-hextile-template.h: In function ‘send_hextile_tile_generic_32’:
ui/vnc-enc-hextile-template.h:28:5: error: ISO C90 forbids variable
length array ‘data’ [-Werror=vla]
   28 |     uint8_t data[(vs->client_pf.bytes_per_pixel + 2) * 16 * 16];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[283/1072] Compiling C object libcommon.fa.p/ui_vnc-enc-tight.c.o
FAILED: libcommon.fa.p/ui_vnc-enc-tight.c.o
ui/vnc-enc-tight.c: In function ‘send_palette_rect’:
ui/vnc-enc-tight.c:1101:9: error: ISO C90 forbids variable length array
‘header’ [-Werror=vla]
 1101 |         uint32_t header[palette_size(palette)];
      |         ^~~~~~~~
ui/vnc-enc-tight.c:1118:9: error: ISO C90 forbids variable length array
‘header’ [-Werror=vla]
 1118 |         uint16_t header[palette_size(palette)];
      |         ^~~~~~~~
cc1: all warnings being treated as errors
[353/1072] Compiling C object libcommon.fa.p/net_dump.c.o
FAILED: libcommon.fa.p/net_dump.c.o
net/dump.c: In function ‘dump_receive_iov’:
net/dump.c:71:12: error: ISO C90 forbids variable length array ‘dumpiov’
[-Werror=vla]
   71 |     struct iovec dumpiov[cnt + 1];
      |            ^~~~~
cc1: all warnings being treated as errors
[375/1072] Compiling C object libcommon.fa.p/net_tap.c.o
FAILED: libcommon.fa.p/net_tap.c.o
net/tap.c: In function ‘tap_receive_iov’:
net/tap.c:123:12: error: ISO C90 forbids variable length array
‘iov_copy’ [-Werror=vla]
  123 |     struct iovec iov_copy[iovcnt + 1];
      |            ^~~~~
cc1: all warnings being treated as errors
[451/1072] Compiling C object libcommon.fa.p/hw_block_nvme.c.o
FAILED: libcommon.fa.p/hw_block_nvme.c.o
hw/block/nvme.c: In function ‘nvme_map_prp’:
hw/block/nvme.c:655:13: error: ISO C90 forbids variable length array
‘prp_list’ [-Werror=vla]
  655 |             uint64_t prp_list[n->max_prp_ents];
      |             ^~~~~~~~
hw/block/nvme.c: In function ‘nvme_map_sgl’:
hw/block/nvme.c:817:5: error: ISO C90 forbids variable length array
‘segment’ [-Werror=vla]
  817 |     NvmeSglDescriptor segment[SEG_CHUNK_SIZE], *sgld, *last_sgld;
      |     ^~~~~~~~~~~~~~~~~
hw/block/nvme.c: In function ‘nvme_dsm’:
hw/block/nvme.c:2513:9: error: ISO C90 forbids variable length array
‘range’ [-Werror=vla]
 2513 |         NvmeDsmRange range[nr];
      |         ^~~~~~~~~~~~
cc1: all warnings being treated as errors
[653/1072] Compiling C object libcommon.fa.p/hw_net_e1000e_core.c.o
FAILED: libcommon.fa.p/hw_net_e1000e_core.c.o
hw/net/e1000e_core.c: In function ‘e1000e_receive_iov’:
hw/net/e1000e_core.c:1632:5: error: ISO C90 forbids variable length
array ‘min_buf’ [-Werror=vla]
 1632 |     uint8_t min_buf[min_buf_size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[663/1072] Compiling C object libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
FAILED: libcommon.fa.p/hw_net_rocker_rocker_of_dpa.c.o
hw/net/rocker/rocker_of_dpa.c: In function ‘of_dpa_ig’:
hw/net/rocker/rocker_of_dpa.c:1046:12: error: ISO C90 forbids variable
length array ‘iov_copy’ [-Werror=vla]
 1046 |     struct iovec iov_copy[iovcnt + 2];
      |            ^~~~~
cc1: all warnings being treated as errors
[778/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-ohci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-ohci.c.o
hw/usb/hcd-ohci.c: In function ‘ohci_td_pkt’:
hw/usb/hcd-ohci.c:903:5: error: ISO C90 forbids variable length array
‘tmp’ [-Werror=vla]
  903 |     char tmp[3 * width + 1];
      |     ^~~~
cc1: all warnings being treated as errors
[787/1072] Compiling C object libcommon.fa.p/hw_usb_hcd-xhci.c.o
FAILED: libcommon.fa.p/hw_usb_hcd-xhci.c.o
hw/usb/hcd-xhci.c: In function ‘xhci_get_port_bandwidth’:
hw/usb/hcd-xhci.c:2385:5: error: ISO C90 forbids variable length array
‘bw_ctx’ [-Werror=vla]
 2385 |     uint8_t bw_ctx[xhci->numports+1];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[791/1072] Compiling C object libcommon.fa.p/hw_usb_dev-hid.c.o
FAILED: libcommon.fa.p/hw_usb_dev-hid.c.o
hw/usb/dev-hid.c: In function ‘usb_hid_handle_data’:
hw/usb/dev-hid.c:659:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
  659 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[794/1072] Compiling C object libcommon.fa.p/hw_usb_dev-wacom.c.o
FAILED: libcommon.fa.p/hw_usb_dev-wacom.c.o
hw/usb/dev-wacom.c: In function ‘usb_wacom_handle_data’:
hw/usb/dev-wacom.c:304:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
  304 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[807/1072] Compiling C object libcommon.fa.p/hw_usb_dev-mtp.c.o
FAILED: libcommon.fa.p/hw_usb_dev-mtp.c.o
hw/usb/dev-mtp.c: In function ‘usb_mtp_get_object_handles’:
hw/usb/dev-mtp.c:910:5: error: ISO C90 forbids variable length array
‘handles’ [-Werror=vla]
  910 |     uint32_t i = 0, handles[o->nchildren];
      |     ^~~~~~~~
cc1: all warnings being treated as errors
[818/1072] Compiling C object libcommon.fa.p/chardev_baum.c.o
FAILED: libcommon.fa.p/chardev_baum.c.o
chardev/baum.c: In function ‘baum_write_packet’:
chardev/baum.c:299:5: error: ISO C90 forbids variable length array
‘io_buf’ [-Werror=vla]
  299 |     uint8_t io_buf[1 + 2 * len], *cur = io_buf;
      |     ^~~~~~~
chardev/baum.c: In function ‘baum_eat_packet’:
chardev/baum.c:383:9: error: ISO C90 forbids variable length array
‘cells’ [-Werror=vla]
  383 |         uint8_t cells[baum->x * baum->y], c;
      |         ^~~~~~~
chardev/baum.c:384:9: error: ISO C90 forbids variable length array
‘text’ [-Werror=vla]
  384 |         uint8_t text[baum->x * baum->y];
      |         ^~~~~~~
chardev/baum.c:385:9: error: ISO C90 forbids variable length array
‘zero’ [-Werror=vla]
  385 |         uint8_t zero[baum->x * baum->y];
      |         ^~~~~~~
cc1: all warnings being treated as errors
[825/1072] Compiling C object libcommon.fa.p/hw_usb_redirect.c.o
FAILED: libcommon.fa.p/hw_usb_redirect.c.o
hw/usb/redirect.c: In function ‘usbredir_handle_iso_data’:
hw/usb/redirect.c:623:13: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
  623 |             uint8_t buf[p->iov.size];
      |             ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_bulk_data’:
hw/usb/redirect.c:821:9: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
  821 |         uint8_t buf[size];
      |         ^~~~~~~
hw/usb/redirect.c: In function ‘usbredir_handle_interrupt_out_data’:
hw/usb/redirect.c:926:5: error: ISO C90 forbids variable length array
‘buf’ [-Werror=vla]
  926 |     uint8_t buf[p->iov.size];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[830/1072] Compiling C object libcommon.fa.p/ui_curses.c.o
FAILED: libcommon.fa.p/ui_curses.c.o
ui/curses.c: In function ‘curses_update’:
ui/curses.c:68:5: error: ISO C90 forbids variable length array
‘curses_line’ [-Werror=vla]
   68 |     cchar_t curses_line[width];
      |     ^~~~~~~
cc1: all warnings being treated as errors
[852/1072] Compiling C object libcommon.fa.p/ui_spice-display.c.o
FAILED: libcommon.fa.p/ui_spice-display.c.o
ui/spice-display.c: In function ‘qemu_spice_create_update’:
ui/spice-display.c:191:5: error: ISO C90 forbids variable length array
‘dirty_top’ [-Werror=vla]
  191 |     int dirty_top[blocks];
      |     ^~~
cc1: all warnings being treated as errors
[987/1072] Compiling C object
libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
FAILED: libqemu-arm-softmmu.fa.p/hw_block_dataplane_virtio-blk.c.o
hw/block/dataplane/virtio-blk.c: In function ‘notify_guest_bh’:
hw/block/dataplane/virtio-blk.c:63:5: error: ISO C90 forbids variable
length array ‘bitmap’ [-Werror=vla]
   63 |     unsigned long bitmap[BITS_TO_LONGS(nvqs)];
      |     ^~~~~~~~
cc1: all warnings being treated as errors
[1066/1072] Compiling C object
libqemu-arm-softmmu.fa.p/accel_tcg_translate-all.c.o
ninja: build stopped: cannot make progress due to previous errors.