bugfix: fix mmio information leak and ehci vm escape 0-day vulnerability

Signed-off-by: Yutao Ai <aiyutao@huawei.com> Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
2022-02-10 22:42:23 +08:00 · 2022-02-10 22:42:23 +08:00 · e7a1c5d229
commit e7a1c5d229
parent 6bfd0edc7b
1 changed files with 67 additions and 0 deletions
--- a/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
+++ b/bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch
@ -0,0 +1,67 @@
 From f14ea0bd2596f94ad926009411b8ffda9c2c2cda Mon Sep 17 00:00:00 2001
 From: jiangdongxu <jiangdongxu1@huawei.com>
 Date: Thu, 10 Feb 2022 22:42:23 +0800
 Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day
 vulnerability
 Signed-off-by: Yutao Ai <aiyutao@huawei.com>
 Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
 ---
 hw/usb/core.c     | 20 ++++++++++++++++++--
 hw/usb/hcd-ehci.c |  2 ++
 2 files changed, 20 insertions(+), 2 deletions(-)
 diff --git a/hw/usb/core.c b/hw/usb/core.c
 index 51b36126ca..a62826e051 100644
 --- a/hw/usb/core.c
 +++ b/hw/usb/core.c
@@ -206,7 +206,15 @@ static void do_token_in(USBDevice *s, USBPacket *p)
     case SETUP_STATE_DATA:
         if (s->setup_buf[0] & USB_DIR_IN) {
 -            int len = s->setup_len - s->setup_index;
 +            int len;
 +            if (s->setup_len > sizeof(s->data_buf)) {
 +                fprintf(stderr,
 +                        "usb_generic_handle_packet: ctrl buffer too small do_token_in(%d > %zu)\n",
 +                        s->setup_len, sizeof(s->data_buf));
 +                p->status = USB_RET_STALL;
 +                return;
 +            }
 +            len = s->setup_len - s->setup_index;
             if (len > p->iov.size) {
                 len = p->iov.size;
             }
@@ -244,7 +252,15 @@ static void do_token_out(USBDevice *s, USBPacket *p)
     case SETUP_STATE_DATA:
         if (!(s->setup_buf[0] & USB_DIR_IN)) {
 -            int len = s->setup_len - s->setup_index;
 +            int len;
 +            if (s->setup_len > sizeof(s->data_buf)) {
 +                fprintf(stderr,
 +                        "usb_generic_handle_packet: ctrl buffer too small do_token_out(%d > %zu)\n",
 +                        s->setup_len, sizeof(s->data_buf));
 +                p->status = USB_RET_STALL;
 +                return;
 +            }
 +            len = s->setup_len - s->setup_index;
             if (len > p->iov.size) {
                 len = p->iov.size;
             }
 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
 index 6caa7ac6c2..1415107315 100644
 --- a/hw/usb/hcd-ehci.c
 +++ b/hw/usb/hcd-ehci.c
@@ -612,6 +612,8 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn)
         ehci_trace_guest_bug(q->ehci, warn);
     }
     QTAILQ_REMOVE(head, q, next);
 +    memset(q, 0, sizeof(*q));
 +    *(volatile char *)q = *(volatile char *)q;
     g_free(q);
 }
 -- 
 2.27.0