bugfix: fix mmio information leak and ehci vm escape 0-day vulnerability

Signed-off-by: Yutao Ai <aiyutao@huawei.com> Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
2022-02-10 22:42:23 +08:00 · 2022-02-10 22:42:23 +08:00 · e7a1c5d229
commit e7a1c5d229
parent 6bfd0edc7b
1 changed files with 67 additions and 0 deletions
--- a/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
+++ b/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
@ -0,0 +1,67 @@
+From f14ea0bd2596f94ad926009411b8ffda9c2c2cda Mon Sep 17 00:00:00 2001
+From: jiangdongxu <jiangdongxu1@huawei.com>
+Date: Thu, 10 Feb 2022 22:42:23 +0800
+Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day
+ vulnerability
+
+Signed-off-by: Yutao Ai <aiyutao@huawei.com>
+Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
+---
+ hw/usb/core.c     | 20 ++++++++++++++++++--
+ hw/usb/hcd-ehci.c |  2 ++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 51b36126ca..a62826e051 100644
+--- a/hw/usb/core.c
+++ b/hw/usb/core.c
+@@ -206,7 +206,15 @@ static void do_token_in(USBDevice *s, USBPacket *p)
+ 
+     case SETUP_STATE_DATA:
+         if (s->setup_buf[0] & USB_DIR_IN) {
+-            int len = s->setup_len - s->setup_index;
+            int len;
+            if (s->setup_len > sizeof(s->data_buf)) {
+                fprintf(stderr,
+                        "usb_generic_handle_packet: ctrl buffer too small do_token_in(%d > %zu)\n",
+                        s->setup_len, sizeof(s->data_buf));
+                p->status = USB_RET_STALL;
+                return;
+            }
+            len = s->setup_len - s->setup_index;
+             if (len > p->iov.size) {
+                 len = p->iov.size;
+             }
+@@ -244,7 +252,15 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ 
+     case SETUP_STATE_DATA:
+         if (!(s->setup_buf[0] & USB_DIR_IN)) {
+-            int len = s->setup_len - s->setup_index;
+            int len;
+            if (s->setup_len > sizeof(s->data_buf)) {
+                fprintf(stderr,
+                        "usb_generic_handle_packet: ctrl buffer too small do_token_out(%d > %zu)\n",
+                        s->setup_len, sizeof(s->data_buf));
+                p->status = USB_RET_STALL;
+                return;
+            }
+            len = s->setup_len - s->setup_index;
+             if (len > p->iov.size) {
+                 len = p->iov.size;
+             }
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 6caa7ac6c2..1415107315 100644
+--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
+@@ -612,6 +612,8 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn)
+         ehci_trace_guest_bug(q->ehci, warn);
+     }
+     QTAILQ_REMOVE(head, q, next);
+    memset(q, 0, sizeof(*q));
+    *(volatile char *)q = *(volatile char *)q;
+     g_free(q);
+ }
+ 
+-- 
+2.27.0
+