usb: fix some memory allocation issues (CVE-2021-3527).

usb: add stubs, allow building without usb subsystem. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmCSmHYACgkQTLbY7tPo cTgaCg/+JhqQOxrDQyti57OjS0JEneuqxZLzBcrqarXssEx2q2hG4aV/CHbPguLh MmTHAwNp1ncCgQ7f95obF+zqpSTjDy42gsmR7CNBXxV2BhNt8exDvJjcAZ/4xy6T qFdQ9/VSMghmgR5rOnZ9ecf7DMdnvfQy/Bn96FUP5baGpi4Bgg1eM5yTbe81l5Q4 frj83p5CNfJ/6kk9rCCT2WLLxpm8qFxXQy5JBOM80iJeupc59mZ/l6d+GMTnZYB9 SsIp1Kvh3NKLqkRZFMohrjCkGkEADMknPv126Mev5ZP3WIoS4LsUK0Gyqvi+MVoV KWf33ZLVqKnsKw1nfb6LMwWy9r7+IK9EV2bxsoo/3xd9f0PT95nwZhLDtmzMfxq/ uKpt+/1uEkQB3f7WrVzYw74bdOIu7w497Q4f3hRZ/8ohB+/QNZkFSHaf24Htt7CZ 0hsB8WB7RmfdUz+ndPmbnzOizHeDy/hQT/IaF92nLG69YpBE8/ZyGX/HDqOUzClJ mMN6z5EyzXG3bssH3iP50+hufRe9xHZw4Jm/QI+4rg5sIH+tPDKvks98tGMIQC1h fh/SQNWucVJs5cmcr+n36bUOT7fGe3dy28NseU1XhIy3jcQGm9u0t9XFbC7kPoNO du722597UGWxMOtGK40TE9i377124lum/ZPGpGD34NXR1Z7meNM= =5oCQ -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20210505-pull-request' into staging usb: fix some memory allocation issues (CVE-2021-3527). usb: add stubs, allow building without usb subsystem. # gpg: Signature made Wed 05 May 2021 14:07:02 BST # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20210505-pull-request: usb: limit combined packets to 1 MiB (CVE-2021-3527) usb/mtp: avoid dynamic stack allocation usb/redir: avoid dynamic stack allocation (CVE-2021-3527) usb/hid: avoid dynamic stack allocation hw/usb: Do not build USB subsystem if not required hw/usb/host-stub: Remove unused header Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-05-10 19:55:06 +01:00 · 2021-05-10 19:55:06 +01:00 · e4f3ede95c
parent e58c7a3bba 05a40b172e
commit e4f3ede95c
10 changed files with 40 additions and 14 deletions
--- a/1
+++ b/1
@ -1827,6 +1827,7 @@ USB
 M: Gerd Hoffmann <kraxel@redhat.com>
 S: Maintained
 F: hw/usb/*
+F: stubs/usb-dev-stub.c
 F: tests/qtest/usb-*-test.c
 F: docs/usb2.txt
 F: docs/usb-storage.txt
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
        if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
                next == NULL ||
                /* Work around for Linux usbfs bulk splitting + migration */
-                (totalsize == (16 * KiB - 36) && p->int_req)) {
+                (totalsize == (16 * KiB - 36) && p->int_req) ||
+                /* Next package may grow combined package over 1MiB */
+                totalsize > 1 * MiB - ep->max_packet_size) {
            usb_device_handle_data(ep->dev, first);
            assert(first->status == USB_RET_ASYNC);
            if (first->combined) {
--- a/hw/usb/dev-hid.c
+++ b/hw/usb/dev-hid.c
@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
 {
    USBHIDState *us = USB_HID(dev);
    HIDState *hs = &us->hid;
-    uint8_t buf[p->iov.size];
+    g_autofree uint8_t *buf = g_malloc(p->iov.size);
    int len = 0;

    switch (p->pid) {
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@ -907,7 +907,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
                                           MTPObject *o)
 {
    MTPData *d = usb_mtp_data_alloc(c);
-    uint32_t i = 0, handles[o->nchildren];
+    uint32_t i = 0;
+    g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
    MTPObject *iter;

    trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
 static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
 {
    USBWacomState *s = (USBWacomState *) dev;
-    uint8_t buf[p->iov.size];
+    g_autofree uint8_t *buf = g_malloc(p->iov.size);
    int len = 0;

    switch (p->pid) {
--- a/hw/usb/host-stub.c
+++ b/hw/usb/host-stub.c
@ -31,7 +31,6 @@
 */

 #include "qemu/osdep.h"
-#include "ui/console.h"
 #include "hw/usb.h"
 #include "monitor/monitor.h"

--- a/hw/usb/meson.build
+++ b/hw/usb/meson.build
@ -1,17 +1,14 @@
 hw_usb_modules = {}

 # usb subsystem core
-softmmu_ss.add(files(
+softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
  'bus.c',
  'combined-packet.c',
  'core.c',
-  'pcap.c',
-  'libhw.c'
-))
-
-softmmu_ss.add(when: 'CONFIG_USB', if_true: files(
  'desc.c',
  'desc-msos.c',
+  'libhw.c',
+  'pcap.c',
 ))

 # usb host adapters
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
                .endpoint = ep,
                .length = p->iov.size
            };
-            uint8_t buf[p->iov.size];
+            g_autofree uint8_t *buf = g_malloc(p->iov.size);
            /* No id, we look at the ep when receiving a status back */
            usb_packet_copy(p, buf, p->iov.size);
            usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
        usbredirparser_send_bulk_packet(dev->parser, p->id,
                                        &bulk_packet, NULL, 0);
    } else {
-        uint8_t buf[size];
+        g_autofree uint8_t *buf = g_malloc(size);
        usb_packet_copy(p, buf, size);
        usbredir_log_data(dev, "bulk data out:", buf, size);
        usbredirparser_send_bulk_packet(dev->parser, p->id,
@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
                                               USBPacket *p, uint8_t ep)
 {
    struct usb_redir_interrupt_packet_header interrupt_packet;
-    uint8_t buf[p->iov.size];
+    g_autofree uint8_t *buf = g_malloc(p->iov.size);

    DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
            p->iov.size, p->id);
--- a/stubs/meson.build
+++ b/stubs/meson.build
@ -50,6 +50,7 @@ if have_block
 endif
 if have_system
  stub_ss.add(files('semihost.c'))
+  stub_ss.add(files('usb-dev-stub.c'))
  stub_ss.add(files('xen-hw-stub.c'))
 else
  stub_ss.add(files('qdev.c'))
--- a/stubs/usb-dev-stub.c
+++ b/stubs/usb-dev-stub.c
@ -0,0 +1,25 @@
+/*
+ * QEMU USB device emulation stubs
+ *
+ * Copyright (C) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "sysemu/sysemu.h"
+#include "monitor/monitor.h"
+#include "hw/usb.h"
+
+USBDevice *usbdevice_create(const char *driver)
+{
+    error_report("Support for USB devices not built-in");
+
+    return NULL;
+}
+
+void hmp_info_usb(Monitor *mon, const QDict *qdict)
+{
+    monitor_printf(mon, "Support for USB devices not built-in\n");
+}