[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)

From: Remy Noel
Subject: Re: [PULL 6/7] usb/xhci: sanity check packet size (CVE-2021-3527)
Date: Tue, 4 May 2021 15:33:27 +0200


On Tue, May 04, 2021 at 10:53:16AM +0200, Gerd Hoffmann wrote:
Make sure the usb packet size is within the
bounds of the endpoint configuration.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-5-kraxel@redhat.com>
hw/usb/hcd-xhci.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 46212b1e695a..7acfb8137bc9 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1568,6 +1568,11 @@ static int xhci_setup_packet(XHCITransfer *xfer)
        return -1;
+    if (xfer->packet.iov.size > ep->max_packet_size) {
+        usb_packet_unmap(&xfer->packet, &xfer->sgl);
+        qemu_sglist_destroy(&xfer->sgl);
+        return -1;
+    }
    DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
            xfer->packet.pid, ep->dev->addr, ep->nr);
    return 0;
So im my user's case (using a usb-Display-port adapter) i managed to trigger
this error.
According to him. the his displays works without this patch (but i can see him sending usbredir packets of up to 9MB) but breaks without (which is expected.) I have trouble understanding whether this can be considered an illegitimate xhci use case (i'm very unfamiliar with it), but i don't see any burst working if we drop any buffer chain bigger than a single endpoint packet size.

I'm strill struggling to emulate SuperSpeed Bulk transfers from the vm in order to have a reproducer though.

By the way, the call to qemu_sglist_destroy seems unnecessary to me since usb_packet_unmap calls it already.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]