From e7a1c5d229a8190e71b6a61dc27c42725f91b74a Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 10 Feb 2022 22:42:23 +0800
Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day vulnerability

Signed-off-by: Yutao Ai
Signed-off-by: jiangdongxu
---
 ...information-leak-and-ehci-vm-escape-.patch | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch

diff --git a/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch b/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
new file mode 100644
index 0000000..f463c6b
--- /dev/null
+++ b/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
@@ -0,0 +1,67 @@
+From f14ea0bd2596f94ad926009411b8ffda9c2c2cda Mon Sep 17 00:00:00 2001
+From: jiangdongxu
+Date: Thu, 10 Feb 2022 22:42:23 +0800
+Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day
+ vulnerability
+
+Signed-off-by: Yutao Ai
+Signed-off-by: jiangdongxu
+---
+ hw/usb/core.c | 20 ++++++++++++++++++--
+ hw/usb/hcd-ehci.c | 2 ++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 51b36126ca..a62826e051 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -206,7 +206,15 @@ static void do_token_in(USBDevice *s, USBPacket *p)
+
+ case SETUP_STATE_DATA:
+ if (s->setup_buf[0] & USB_DIR_IN) {
+- int len = s->setup_len - s->setup_index;
++ int len;
++ if (s->setup_len > sizeof(s->data_buf)) {
++ fprintf(stderr,
++ "usb_generic_handle_packet: ctrl buffer too small do_token_in(%d > %zu)\n",
++ s->setup_len, sizeof(s->data_buf));
++ p->status = USB_RET_STALL;
++ return;
++ }
++ len = s->setup_len - s->setup_index;
+ if (len > p->iov.size) {
+ len = p->iov.size;
+ }
+@@ -244,7 +252,15 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+
+ case SETUP_STATE_DATA:
+ if (!(s->setup_buf[0] & USB_DIR_IN)) {
+- int len = s->setup_len - s->setup_index;
++ int len;
++ if (s->setup_len > sizeof(s->data_buf)) {
++ fprintf(stderr,
++ "usb_generic_handle_packet: ctrl buffer too small do_token_out(%d > %zu)\n",
++ s->setup_len, sizeof(s->data_buf));
++ p->status = USB_RET_STALL;
++ return;
++ }
++ len = s->setup_len - s->setup_index;
+ if (len > p->iov.size) {
+ len = p->iov.size;
+ }
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 6caa7ac6c2..1415107315 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -612,6 +612,8 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn)
+ ehci_trace_guest_bug(q->ehci, warn);
+ }
+ QTAILQ_REMOVE(head, q, next);
++ memset(q, 0, sizeof(*q));
++ *(volatile char *)q = *(volatile char *)q;
+ g_free(q);
+ }
+
+--
+2.27.0
+
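Review bot: The `memset(q, 0, sizeof(*q))` added before `g_free(q)` in ehci_free_queue only blanks the stale contents; it does not remove whatever still references `q` after the free, and once the allocator hands that chunk out again a dangling user reads the new owner's data rather than zeros, so the line needs a comment such as `/* Hardening only: a stale reference now sees zeros instead of old queue state; it does not fix the dangling pointer. */`. The `*(volatile char *)q = *(volatile char *)q;` touch appears to pin only the first byte against dead-store elimination; if the toolchain offers `explicit_bzero` or `memset_s` prefer that, and otherwise say in a comment why the volatile access is there. In both core.c hunks the new `fprintf(stderr, ...)` sits on a path that is presumably guest-driven (`setup_len` is the control-transfer length the guest's SETUP stage established), so a misbehaving guest can flood the host's stderr; QEMU's guest-error logging or a trace point would be the conventional choice, but confirm which facility this file already includes since the headers are outside the hunk. The enclosing functions do_token_in, do_token_out and ehci_free_queue all begin and end outside the lines shown.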