xhci: check reg to avoid OOB read

Add a sanity check to fix OOB read access. Signed-off-by: Yan Wang <wangyan122@huawei.com> Signed-off-by: imxcc <xingchaochao@huawei.com> (cherry picked from commit 9d077b427a8779826def993be0c36f365e072f67)
2022-02-10 10:41:40 +08:00 · 2022-02-10 10:41:40 +08:00 · 6872e99bab
commit 6872e99bab
parent b19a056849
1 changed files with 47 additions and 0 deletions
--- a/xhci-check-reg-to-avoid-OOB-read.patch
+++ b/xhci-check-reg-to-avoid-OOB-read.patch
@ -0,0 +1,47 @@
+From a95ada20170af0a71529c1583846e402cdbb850b Mon Sep 17 00:00:00 2001
+From: Yan Wang <wangyan122@huawei.com>
+Date: Thu, 10 Feb 2022 10:41:40 +0800
+Subject: [PATCH] xhci: check reg to avoid OOB read
+
+Add a sanity check to fix OOB read access.
+
+Signed-off-by: Yan Wang <wangyan122@huawei.com>
+---
+ hw/usb/hcd-xhci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index e01700039b..08cd63e159 100644
+--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
+@@ -27,6 +27,7 @@
+ #include "hw/qdev-properties.h"
+ #include "trace.h"
+ #include "qapi/error.h"
+#include "qemu/log.h"
+ 
+ #include "hcd-xhci.h"
+ 
+@@ -3017,14 +3018,17 @@ static void xhci_runtime_write(void *ptr, hwaddr reg,
+     XHCIInterrupter *intr;
+     int v;
+ 
+-    trace_usb_xhci_runtime_write(reg, val);
+-
+     if (reg < 0x20) {
+         trace_usb_xhci_unimplemented("runtime write", reg);
+         return;
+     }
+     v = (reg - 0x20) / 0x20;
+    if (v >= xhci->numintrs) {
+        qemu_log("intr nr out of range (%d >= %d)\n", v, xhci->numintrs);
+        return;
+    }
+     intr = &xhci->intr[v];
+    trace_usb_xhci_runtime_write(reg, val);
+ 
+     switch (reg & 0x1f) {
+     case 0x00: /* IMAN */
+-- 
+2.27.0
+