40 lines
1.6 KiB
Diff
40 lines
1.6 KiB
Diff
|
From 93be5f3334394aa9a1794007aed79e75cf4d348b Mon Sep 17 00:00:00 2001
|
||
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||
|
|
Date: Mon, 21 Jun 2021 10:19:58 +0800
|
||
|
|
Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
|
||
|
|
|
||
|
|
Fix CVE-2021-3527
|
||
|
|
|
||
|
|
usb-host and usb-redirect try to batch bulk transfers by combining many
|
||
|
|
small usb packets into a single, large transfer request, to reduce the
|
||
|
|
overhead and improve performance.
|
||
|
|
|
||
|
|
This patch adds a size limit of 1 MiB for those combined packets to
|
||
|
|
restrict the host resources the guest can bind that way.
|
||
|
|
Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
|
||
|
|
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
|
||
|
|
|
||
|
|
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
|
||
|
|
---
|
||
|
|
hw/usb/combined-packet.c | 4 +++-
|
||
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
|
||
|
|
index 5d57e883dc..e56802f89a 100644
|
||
|
|
--- a/hw/usb/combined-packet.c
|
||
|
|
+++ b/hw/usb/combined-packet.c
|
||
|
|
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
|
||
|
|
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
|
||
|
|
next == NULL ||
|
||
|
|
/* Work around for Linux usbfs bulk splitting + migration */
|
||
|
|
- (totalsize == (16 * KiB - 36) && p->int_req)) {
|
||
|
|
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
|
||
|
|
+ /* Next package may grow combined package over 1MiB */
|
||
|
|
+ totalsize > 1 * MiB - ep->max_packet_size) {
|
||
|
|
usb_device_handle_data(ep->dev, first);
|
||
|
|
assert(first->status == USB_RET_ASYNC);
|
||
|
|
if (first->combined) {
|
||
|
|
--
|
||
|
|
2.27.0
|
||
|
|
|