From f14ea0bd2596f94ad926009411b8ffda9c2c2cda Mon Sep 17 00:00:00 2001 From: jiangdongxu Date: Thu, 10 Feb 2022 22:42:23 +0800 Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day vulnerability Signed-off-by: Yutao Ai Signed-off-by: jiangdongxu --- hw/usb/core.c | 20 ++++++++++++++++++-- hw/usb/hcd-ehci.c | 2 ++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/hw/usb/core.c b/hw/usb/core.c index 51b36126ca..a62826e051 100644 --- a/hw/usb/core.c +++ b/hw/usb/core.c @@ -206,7 +206,15 @@ static void do_token_in(USBDevice *s, USBPacket *p) case SETUP_STATE_DATA: if (s->setup_buf[0] & USB_DIR_IN) { - int len = s->setup_len - s->setup_index; + int len; + if (s->setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small do_token_in(%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } + len = s->setup_len - s->setup_index; if (len > p->iov.size) { len = p->iov.size; } @@ -244,7 +252,15 @@ static void do_token_out(USBDevice *s, USBPacket *p) case SETUP_STATE_DATA: if (!(s->setup_buf[0] & USB_DIR_IN)) { - int len = s->setup_len - s->setup_index; + int len; + if (s->setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small do_token_out(%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } + len = s->setup_len - s->setup_index; if (len > p->iov.size) { len = p->iov.size; } diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 6caa7ac6c2..1415107315 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -612,6 +612,8 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn) ehci_trace_guest_bug(q->ehci, warn); } QTAILQ_REMOVE(head, q, next); + memset(q, 0, sizeof(*q)); + *(volatile char *)q = *(volatile char *)q; g_free(q); } -- 2.27.0