usb: fix u2f build

usb: fix ohci oob access and loop issues -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABCgAGBQJfaGseAAoJEEy22O7T6HE4ZcUP/idasy/vHdsB2qqV7S3Qz579 VzHD1D9PLc3gJ3dKW9u8JEyIMRH+elkpriv/YaYsZS0mZtaIlZiyhJ0aNzEDkZ4r UDW4VlD9f3Se5YMf4PAWIFgMqUOsqplTRIwwqWjJ5R4hQARu6YoERBx5yOZ3Z9sr FBHjZkPTvs5VEc/lvQ5SiK1FDotks83+6llYx45xaNI4CaYDjZWdMD9nsiKwRATp uJ1D/2Tg3pQXlobh0zUk0yU2SqQtGUhkBNSeX0Urc4uRPi+3eCZF8aWW0EjfMcas NH+NeFzlc6rWk2XFJUhqgcaa9681q7DaXSWk8upiL6gff5V8CDVe8/hoPJ2ttB01 PaG8RDG9pD3GEgwj+YzwnsCSUpBKrF0Bqj5XIQ5GEtmhKbgiTuZ5iIDCP17yRx8x LufTW1FDXxgjHjMT6qkqsiCR6jKAvKsdHvyHcgvfWV0uMhllETCCM9KxCu1xtM3Y xwP4GH0vtrvq/J9mVYLcb2qPzMoWCwBQHcho24SlFi4ZTLSpdpRuMG2gRGUfy+3Y B+l90AUzW9OVw/2KPrxj8T1koIf7NJv6qUd1W1CEx1hZBWgpzDAKa7RtfukD9QNn eGt8dJcILvqTdU1xU//yzUExR7/AC98VIVbyq5J+e8vBd8pDT1uXu1uglBK+If0U 7+YGxB6Y4QCdu1sEvC3K =c3+E -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20200921-pull-request' into staging usb: fix u2f build usb: fix ohci oob access and loop issues # gpg: Signature made Mon 21 Sep 2020 09:58:06 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20200921-pull-request: hw: usb: hcd-ohci: check for processed TD before retire hw: usb: hcd-ohci: check len and frame_number variables usb: fix u2f build Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-09-22 16:40:56 +01:00 · 2020-09-22 16:40:56 +01:00 · edf6ea6fbe
commit edf6ea6fbe
parent 834b9273d5 1be90ebecc
2 changed files with 28 additions and 4 deletions
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
           the next ISO TD of the same ED */
        trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
                                                        frame_count);
+        if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
+            /* avoid infinite loop */
+            return 1;
+        }
        OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
        ed->head &= ~OHCI_DPTR_MASK;
        ed->head |= (iso_td.next & OHCI_DPTR_MASK);
@ -731,7 +735,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
    }

    start_offset = iso_td.offset[relative_frame_number];
-    next_offset = iso_td.offset[relative_frame_number + 1];
+    if (relative_frame_number < frame_count) {
+        next_offset = iso_td.offset[relative_frame_number + 1];
+    } else {
+        next_offset = iso_td.be;
+    }

    if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
        ((relative_frame_number < frame_count) && 
@ -764,7 +772,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
        }
    } else {
        /* Last packet in the ISO TD */
-        end_addr = iso_td.be;
+        end_addr = next_offset;
+    }
+
+    if (start_addr > end_addr) {
+        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
+        return 1;
    }

    if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
@ -773,6 +786,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
    } else {
        len = end_addr - start_addr + 1;
    }
+    if (len > sizeof(ohci->usb_buf)) {
+        len = sizeof(ohci->usb_buf);
+    }

    if (len && dir != OHCI_TD_DIR_IN) {
        if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
@ -975,8 +991,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
        if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
            len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
        } else {
+            if (td.cbp > td.be) {
+                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
+                ohci_die(ohci);
+                return 1;
+            }
            len = (td.be - td.cbp) + 1;
        }
+        if (len > sizeof(ohci->usb_buf)) {
+            len = sizeof(ohci->usb_buf);
+        }

        pktlen = len;
        if (len && dir != OHCI_TD_DIR_IN) {
--- a/hw/usb/u2f-emulated.c
+++ b/hw/usb/u2f-emulated.c
@ -200,7 +200,7 @@ static ssize_t u2f_emulated_read(const char *path, char *buffer,
    int fd;
    ssize_t ret;

-    fd = qemu_open(path, O_RDONLY);
+    fd = qemu_open_old(path, O_RDONLY);
    if (fd < 0) {
        return -1;
    }
@ -217,7 +217,7 @@ static bool u2f_emulated_setup_counter(const char *path,
    int fd, ret;
    FILE *fp;

-    fd = qemu_open(path, O_RDWR);
+    fd = qemu_open_old(path, O_RDWR);
    if (fd < 0) {
        return false;
    }