Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()

From:	Philippe Mathieu-Daudé
Subject:	Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()
Date:	Mon, 13 Feb 2023 19:26:51 +0100
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.7.2

Hi Mauro,

On 13/2/23 18:41, Mauro Matteo Cascella wrote:

The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
bytes long. Only fill in the buffer as long as there is enough space, throw
away any data which doesn't fit.


Any reproducer?

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
---
  hw/usb/dev-wacom.c | 20 +++++++++++++-------
  1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
index 7177c17f03..ca9e6aa82f 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@@ -252,14 +252,20 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t *buf, 
int len)
      if (s->buttons_state & MOUSE_EVENT_MBUTTON)
          b |= 0x04;

- buf[0] = b;

-    buf[1] = dx;
-    buf[2] = dy;
-    l = 3;
-    if (len >= 4) {
-        buf[3] = dz;
-        l = 4;
+    l = 0;
+    if (len > l) {
+        buf[l++] = b;
      }
+    if (len > l) {
+        buf[l++] = dx;
+    }


       else { // the packet is now corrupted... }

+    if (len > l) {
+        buf[l++] = dy;
+    }
+    if (len > l) {
+        buf[l++] = dz;
+    }
+
      return l;
  }


Better is to wait for enough data to process:

-- >8 --
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
index 7177c17f03..2fe2a9220e 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c

@@ -244,6 +244,9 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t*buf, int len)

     s->dy -= dy;
     s->dz -= dz;

+    if (len < 3)
+        return 0;
+
     b = 0;
     if (s->buttons_state & MOUSE_EVENT_LBUTTON)
         b |= 0x01;

@@ -274,6 +277,9 @@ static int usb_wacom_poll(USBWacomState *s, uint8_t*buf, int len)

         s->mouse_grabbed = 1;
     }

+    if (len < 7)
+        return 0;
+
     b = 0;
     if (s->buttons_state & MOUSE_EVENT_LBUTTON)
         b |= 0x01;

@@ -282,9 +288,6 @@ static int usb_wacom_poll(USBWacomState *s, uint8_t*buf, int len)

     if (s->buttons_state & MOUSE_EVENT_MBUTTON)
         b |= 0x20; /* eraser */

-    if (len < 7)
-        return 0;
-
     buf[0] = s->mode;
     buf[5] = 0x00 | (b & 0xf0);
     buf[1] = s->x & 0xff;
---

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll(), Mauro Matteo Cascella, 2023/02/13
- Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll(), Philippe Mathieu-Daudé <=
  - Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll(), Mauro Matteo Cascella, 2023/02/14
    - 答复: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll(), ningqiang (A), 2023/02/15

Prev by Date: Re: [PATCH 3/4] qga/vss-win32: fix warning for clang++-15
Next by Date: Re: [PATCH 1/2] log: Add separate debug option for logging invalid memory accesses
Previous by thread: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()
Next by thread: Re: [PATCH] usb/dev-wacom: fix OOB write in usb_mouse_poll()
Index(es):
- Date
- Thread