From 6872e99bab61c5fc6e8a1e303f664ae3df1f830f Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 10 Feb 2022 10:41:40 +0800
Subject: [PATCH] xhci: check reg to avoid OOB read
Add a sanity check to fix OOB read access.
Signed-off-by: Yan Wang
Signed-off-by: imxcc
(cherry picked from commit 9d077b427a8779826def993be0c36f365e072f67)
---
xhci-check-reg-to-avoid-OOB-read.patch | 47 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 xhci-check-reg-to-avoid-OOB-read.patch
diff --git a/xhci-check-reg-to-avoid-OOB-read.patch b/xhci-check-reg-to-avoid-OOB-read.patch
new file mode 100644
index 0000000..f6a4c35
--- /dev/null
+++ b/xhci-check-reg-to-avoid-OOB-read.patch
@@ -0,0 +1,47 @@
+From a95ada20170af0a71529c1583846e402cdbb850b Mon Sep 17 00:00:00 2001
+From: Yan Wang
+Date: Thu, 10 Feb 2022 10:41:40 +0800
+Subject: [PATCH] xhci: check reg to avoid OOB read
+
+Add a sanity check to fix OOB read access.
+
+Signed-off-by: Yan Wang
+---
+ hw/usb/hcd-xhci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index e01700039b..08cd63e159 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -27,6 +27,7 @@
+ #include "hw/qdev-properties.h"
+ #include "trace.h"
+ #include "qapi/error.h"
++#include "qemu/log.h"
+
+ #include "hcd-xhci.h"
+
+@@ -3017,14 +3018,17 @@ static void xhci_runtime_write(void *ptr, hwaddr reg,
+ XHCIInterrupter *intr;
+ int v;
+
+- trace_usb_xhci_runtime_write(reg, val);
+-
+ if (reg < 0x20) {
+ trace_usb_xhci_unimplemented("runtime write", reg);
+ return;
+ }
+ v = (reg - 0x20) / 0x20;
++ if (v >= xhci->numintrs) {
++ qemu_log("intr nr out of range (%d >= %d)\n", v, xhci->numintrs);
++ return;
++ }
+ intr = &xhci->intr[v];
++ trace_usb_xhci_runtime_write(reg, val);
+
+ switch (reg & 0x1f) {
+ case 0x00: /* IMAN */
+--
+2.27.0
+
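Review bot: The new range check in xhci_runtime_write reports a rejected access with an unconditional `qemu_log(...)`, so a guest that keeps writing to out-of-range interrupter registers can grow the host log without bound. Guest-triggered conditions are better reported with `qemu_log_mask(LOG_GUEST_ERROR, "intr nr out of range (%d >= %d)\n", v, xhci->numintrs);`, which stays silent unless that log category is enabled. The subject speaks of an OOB read, yet only the write handler is guarded here; if xhci_runtime_read (not part of this patch) derives `v` from `reg` the same way, it needs the same bound check. `v` is a signed `int` computed from a `hwaddr`, so the guard presumably relies on the comparison with `numintrs` being unsigned or on the region size keeping `reg` small, and an unsigned index would make that explicit. The function body starts and ends outside the hunk, so the declarations of `xhci` and `numintrs` are not visible here.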