qemu/hw/usb
Prasad J Pandit 1328fe0c32 hw: usb: hcd-ohci: check len and frame_number variables
While servicing the OHCI transfer descriptors (TD), OHCI host
controller derives variables 'start_addr', 'end_addr', 'len'
etc. from values supplied by the host controller driver.
Host controller driver may supply values such that using
above variables leads to out-of-bounds access issues.
Add checks to avoid them.

AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
  READ of size 2 at 0x7ffd53af76a0 thread T0
  #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
  #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
  #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
  #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
  #4 timerlist_run_timers ../util/qemu-timer.c:572
  #5 qemu_clock_run_timers ../util/qemu-timer.c:586
  #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
  #7 main_loop_wait ../util/main-loop.c:527
  #8 qemu_main_loop ../softmmu/vl.c:1676
  #9 main ../softmmu/main.c:50

Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <j_kangel@163.com>
Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20200915182259.68522-2-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-09-21 09:44:54 +02:00
bus.c usb/bus: Remove dead assignment in usb_get_fw_dev_path() 2020-09-01 12:03:39 +02:00
ccid-card-emulated.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
ccid-card-passthru.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
ccid.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
chipidea.c Include qemu/module.h where needed, drop it from qemu-common.h 2019-06-12 13:18:33 +02:00
combined-packet.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
core.c usb: fix setup_len init (CVE-2020-14364) 2020-08-31 08:23:39 +02:00
desc-msos.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.c usb: use local path for local headers 2018-06-01 19:20:38 +03:00
desc.h all: Clean up includes 2016-02-23 12:43:05 +00:00
dev-audio.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-hid.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-hub.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-mtp.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-network.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-serial.c usb: Rename USB_SERIAL_DEV to USB_SERIAL 2020-09-09 13:20:22 -04:00
dev-smartcard-reader.c dev-smartcard-reader: Rename CCID_DEV_NAME to TYPE_USB_CCID_DEV 2020-09-09 13:20:22 -04:00
dev-storage.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-uas.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
dev-wacom.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-dwc2.c hcd-dwc2: Rename USB_*CLASS macros for consistency 2020-08-27 14:04:54 -04:00
hcd-dwc2.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-ehci-pci.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
hcd-ehci-sysbus.c hw/arm/allwinner-h3: add USB host controller 2020-03-12 16:27:33 +00:00
hcd-ehci.c ehci: drop pointless warn_report for guest bugs. 2020-08-31 08:10:47 +02:00
hcd-ehci.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-musb.c exec/cpu-common: Move MUSB specific typedefs to 'hw/usb/hcd-musb.h' 2020-06-12 11:20:15 -04:00
hcd-ohci-pci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-ohci.c hw: usb: hcd-ohci: check len and frame_number variables 2020-09-21 09:44:54 +02:00
hcd-ohci.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-uhci.c Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
hcd-xhci-nec.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
hcd-xhci.c hw: xhci: check return value of 'usb_packet_map' 2020-08-31 08:10:47 +02:00
hcd-xhci.h Use DECLARE_*CHECKER* macros 2020-09-09 09:27:09 -04:00
host-libusb.c util: rename qemu_open() to qemu_open_old() 2020-09-16 10:33:48 +01:00
host-stub.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
host.h usb-host: move legacy cmd line bits 2013-02-19 12:30:05 +01:00
imx-usb-phy.c hw/usb: Add basic i.MX USB Phy support 2020-03-17 11:23:14 +00:00
Kconfig meson: Add U2F key to meson 2020-08-31 08:23:10 +02:00
libhw.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
meson.build hw/usb: Add U2F device autoscan to passthru mode 2020-08-31 08:23:39 +02:00
quirks-ftdi-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks-pl2303-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
quirks.h hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
redirect.c trivial patches pull request 20200911 2020-09-12 14:23:15 +01:00
trace-events trace-events: Fix attribution of trace points to source 2020-09-09 17:17:58 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tusb6010.c tusb6010: Rename TUSB to TUSB6010 2020-09-09 13:20:22 -04:00
u2f-emulated.c usb: fix u2f build 2020-09-21 09:44:54 +02:00
u2f-passthru.c util: rename qemu_open() to qemu_open_old() 2020-09-16 10:33:48 +01:00
u2f.c hw/usb: Add U2F key base class implementation 2020-08-31 08:10:47 +02:00
u2f.h hw/usb: Add U2F key base class 2020-08-31 08:10:47 +02:00
xen-usb.c xen: Fix and improve handling of device_add usb-host errors 2020-05-27 07:45:17 +02:00