mirrors/qemu
0
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2025-01-09 23:23:40 +08:00
Code Issues Packages Projects Releases Wiki Activity
1328fe0c32
qemu/hw
History
Prasad J Pandit 1328fe0c32 hw: usb: hcd-ohci: check len and frame_number variables 
While servicing the OHCI transfer descriptors(TD), OHCI host
controller derives variables 'start_addr', 'end_addr', 'len'
etc. from values supplied by the host controller driver.
Host controller driver may supply values such that using
above variables leads to out-of-bounds access issues.
Add checks to avoid them.

AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
  READ of size 2 at 0x7ffd53af76a0 thread T0
  #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
  #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
  #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
  #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
  #4 timerlist_run_timers ../util/qemu-timer.c:572
  #5 qemu_clock_run_timers ../util/qemu-timer.c:586
  #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
  #7 main_loop_wait ../util/main-loop.c:527
  #8 qemu_main_loop ../softmmu/vl.c:1676
  #9 main ../softmmu/main.c:50

Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <j_kangel@163.com>
Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200915182259.68522-2-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-09-21 09:44:54 +02:00
..
9pfs 9pfs: disable msize warning for synth driver 2020-09-15 12:12:03 +02:00
acpi acpi: move acpi_dsdt_add_power_button() to ged 2020-09-17 14:16:19 +02:00
adc meson: convert hw/adc 2020-08-21 06:30:32 -04:00
alpha Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
arm Aspeed patches : 2020-09-18 13:36:42 +01:00
audio Use OBJECT_DECLARE_TYPE where possible 2020-09-09 09:27:11 -04:00
avr Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
block QOM boilerplate cleanup 2020-09-11 19:26:51 +01:00
char This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
core Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
cpu Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
cris meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
display virtio-gpu: build modular 2020-09-15 14:11:49 +02:00
dma This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
gpio This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
hppa Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hyperv trivial patches pull request 20200911 2020-09-12 14:23:15 +01:00
i2c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
i386 microvm: enable ramfb 2020-09-17 14:16:19 +02:00
ide ahci: Rename ICH_AHCI to ICH9_AHCI 2020-09-09 13:20:22 -04:00
input Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
intc This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
ipack Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
ipmi Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
isa trivial patches pull request 20200911 2020-09-12 14:23:15 +01:00
lm32 hw/sd/milkymist: Do not create SD card within the SD host controller 2020-08-21 16:22:43 +02:00
m68k esp: Rename ESP_STATE to ESP 2020-09-09 13:20:22 -04:00
mem hw/mem: Stubbed out NPCM7xx Memory Controller model 2020-09-14 14:24:59 +01:00
microblaze Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
mips trivial patches pull request 20200911 2020-09-12 14:23:15 +01:00
misc misc: aspeed_scu: Update AST2600 silicon id register 2020-09-18 09:04:36 +02:00
moxie meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
net This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
nios2 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
nubus meson: convert hw/nubus 2020-08-21 06:30:25 -04:00
nvram hw/nvram/fw_cfg: fix FWCfgDataGeneratorClass::get_data() consumption 2020-09-18 17:18:18 +02:00
openrisc meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
pci meson: convert hw/pci 2020-08-21 06:30:28 -04:00
pci-bridge Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
pci-host sabre: Rename SABRE_DEVICE to SABRE 2020-09-09 13:20:22 -04:00
pcmcia pxa2xx: Move QOM macros to header 2020-08-27 14:04:55 -04:00
ppc QOM boilerplate cleanup 2020-09-11 19:26:51 +01:00
rdma Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
riscv hw/riscv: Sort the Kconfig options in alphabetical order 2020-09-09 15:54:19 -07:00
rtc QOM boilerplate cleanup 2020-09-11 19:26:51 +01:00
rx Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
s390x util: rename qemu_open() to qemu_open_old() 2020-09-16 10:33:48 +01:00
scsi esp: Rename ESP_STATE to ESP 2020-09-09 13:20:22 -04:00
sd This PR includes multiple fixes and features for RISC-V: 2020-09-13 20:29:35 +01:00
semihosting meson: convert hw/semihosting 2020-08-21 06:30:25 -04:00
sh4 Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
smbios hw/smbios: add options for type 4 max-speed and current-speed 2020-08-27 08:29:13 -04:00
sparc esp: Rename ESP_STATE to ESP 2020-09-09 13:20:22 -04:00
sparc64 sabre: Rename SABRE_DEVICE to SABRE 2020-09-09 13:20:22 -04:00
ssi hw/ssi: NPCM7xx Flash Interface Unit device model 2020-09-14 14:24:59 +01:00
timer hw/timer: Add NPCM7xx Timer device model 2020-09-14 14:24:58 +01:00
tpm QOM boilerplate cleanup 2020-09-11 19:26:51 +01:00
tricore meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
unicore32 meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
usb hw: usb: hcd-ohci: check len and frame_number variables 2020-09-21 09:44:54 +02:00
vfio util: rename qemu_open() to qemu_open_old() 2020-09-16 10:33:48 +01:00
virtio QOM boilerplate cleanup 2020-09-11 19:26:51 +01:00
watchdog Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
xen Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
xenpv meson: convert hw/arch* 2020-08-21 06:30:33 -04:00
xtensa target/xtensa: implement NMI support 2020-08-21 12:48:14 -07:00
Kconfig hw/avr: Add limited support for some Arduino boards 2020-07-11 11:02:05 +02:00
meson.build meson: convert hw/arch* 2020-08-21 06:30:33 -04:00