
[Xen-changelog] [qemu-xen-traditional stable-4.6] usb-linux.c: fix buffer overflow



commit 3c1e883f6c41b15690f6f466aeaa87362723bcb4
Author:     Jim Paris <jim@xxxxxxxx>
AuthorDate: Wed Apr 22 12:29:21 2015 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Oct 16 16:52:06 2015 +0100

    usb-linux.c: fix buffer overflow
    
    In usb-linux.c:usb_host_handle_control, we pass a 1024-byte buffer and
    length to the kernel.  However, the length was provided by the caller
    of dev->handle_packet, and is not checked, so the kernel might provide
    too much data and overflow our buffer.
    
    For example, hw/usb-uhci.c could set the length to 2047.
    hw/usb-ohci.c looks like it might go up to 4096 or 8192.
    
    This causes a qemu crash, as reported here:
      http://www.mail-archive.com/kvm@xxxxxxxxxxxxxxx/msg18447.html
    
    This patch increases the usb-linux.c buffer size to 2048 to fix the
    specific device reported, and adds a check to avoid the overflow in
    any case.
    
    Signed-off-by: Jim Paris <jim@xxxxxxxx>
    Signed-off-by: Anthony Liguori <aliguori@xxxxxxxxxx>
---
 usb-linux.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/usb-linux.c b/usb-linux.c
index 5dfed8c..51bac8a 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -117,7 +117,7 @@ struct ctrl_struct {
     uint16_t offset;
     uint8_t  state;
     struct   usb_ctrlrequest req;
-    uint8_t  buffer[1024];
+    uint8_t  buffer[2048];
 };
 
 typedef struct USBHostDevice {
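Review bot: The new size on the `uint8_t  buffer[2048];` line is a bare literal, and the commit message itself says hw/usb-ohci.c might go up to 4096 or 8192, so transfers of that size will be stalled by the new check rather than served. Consider a named constant with a comment stating which controller limit it was sized for, so the next person to raise it knows what the number is tied to.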
@@ -554,6 +554,7 @@ static int usb_host_handle_control(USBHostDevice *s, 
USBPacket *p)
     struct usbdevfs_urb *urb;
     AsyncURB *aurb;
     int ret, value, index;
+    int buffer_len;
 
     /* 
      * Process certain standard device requests.
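Review bot: buffer_len is declared as int, but the check added further down compares it against sizeof(s->ctrl.buffer), which is a size_t, so the comparison mixes signed and unsigned operands. Declaring it size_t and printing it with %zu would make the comparison and the format string consistent.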
@@ -582,6 +583,13 @@ static int usb_host_handle_control(USBHostDevice *s, 
USBPacket *p)
 
     /* The rest are asynchronous */
 
+    buffer_len = 8 + s->ctrl.len;
+    if (buffer_len > sizeof(s->ctrl.buffer)) {
+           fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n",
+                   buffer_len, sizeof(s->ctrl.buffer));
+           return USB_RET_STALL;
+    }
+
     aurb = async_alloc();
     aurb->hdev   = s;
     aurb->packet = p;
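Review bot: The bound in `if (buffer_len > sizeof(s->ctrl.buffer))` counts the 8 request-header bytes against the data buffer alone, although the transfer starts at s->ctrl.req (see `urb->buffer = &s->ctrl.req`), so the space actually available is req plus buffer[2048]. As written, any s->ctrl.len above 2040 is stalled, which includes the 2047-byte case the commit message cites for hw/usb-uhci.c. That errs on the safe side, but if 2047 is meant to work, compare s->ctrl.len against sizeof(s->ctrl.buffer) instead. The added lines are also indented deeper than the surrounding 4-space code, and the fprintf sits on a path the guest can trigger repeatedly, so it may be worth rate-limiting or demoting to a debug print.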
@@ -598,7 +606,7 @@ static int usb_host_handle_control(USBHostDevice *s, 
USBPacket *p)
     urb->endpoint = p->devep;
 
     urb->buffer        = &s->ctrl.req;
-    urb->buffer_length = 8 + s->ctrl.len;
+    urb->buffer_length = buffer_len;
 
     urb->usercontext = s;
 
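Review bot: `urb->buffer = &s->ctrl.req` is paired with a length that spans the request plus the data, so this relies on req and buffer sitting back to back in struct ctrl_struct with no padding between them. A short comment here, or a compile-time check on the two field offsets, would keep a later reordering of the struct from silently invalidating the new bounds check.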
--
generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

