usb: fix u2f build

usb: fix ohci oob access and loop issues
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCgAGBQJfaGseAAoJEEy22O7T6HE4ZcUP/idasy/vHdsB2qqV7S3Qz579
 VzHD1D9PLc3gJ3dKW9u8JEyIMRH+elkpriv/YaYsZS0mZtaIlZiyhJ0aNzEDkZ4r
 UDW4VlD9f3Se5YMf4PAWIFgMqUOsqplTRIwwqWjJ5R4hQARu6YoERBx5yOZ3Z9sr
 FBHjZkPTvs5VEc/lvQ5SiK1FDotks83+6llYx45xaNI4CaYDjZWdMD9nsiKwRATp
 uJ1D/2Tg3pQXlobh0zUk0yU2SqQtGUhkBNSeX0Urc4uRPi+3eCZF8aWW0EjfMcas
 NH+NeFzlc6rWk2XFJUhqgcaa9681q7DaXSWk8upiL6gff5V8CDVe8/hoPJ2ttB01
 PaG8RDG9pD3GEgwj+YzwnsCSUpBKrF0Bqj5XIQ5GEtmhKbgiTuZ5iIDCP17yRx8x
 LufTW1FDXxgjHjMT6qkqsiCR6jKAvKsdHvyHcgvfWV0uMhllETCCM9KxCu1xtM3Y
 xwP4GH0vtrvq/J9mVYLcb2qPzMoWCwBQHcho24SlFi4ZTLSpdpRuMG2gRGUfy+3Y
 B+l90AUzW9OVw/2KPrxj8T1koIf7NJv6qUd1W1CEx1hZBWgpzDAKa7RtfukD9QNn
 eGt8dJcILvqTdU1xU//yzUExR7/AC98VIVbyq5J+e8vBd8pDT1uXu1uglBK+If0U
 7+YGxB6Y4QCdu1sEvC3K
 =c3+E
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20200921-pull-request' into staging

usb: fix u2f build
usb: fix ohci oob access and loop issues

# gpg: Signature made Mon 21 Sep 2020 09:58:06 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20200921-pull-request:
  hw: usb: hcd-ohci: check for processed TD before retire
  hw: usb: hcd-ohci: check len and frame_number variables
  usb: fix u2f build

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2020-09-22 16:40:56 +01:00
commit edf6ea6fbe
2 changed files with 28 additions and 4 deletions

View File

@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
the next ISO TD of the same ED */
trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
frame_count);
if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
/* avoid infinite loop */
return 1;
}
OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
ed->head &= ~OHCI_DPTR_MASK;
ed->head |= (iso_td.next & OHCI_DPTR_MASK);
@ -731,7 +735,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
}
start_offset = iso_td.offset[relative_frame_number];
if (relative_frame_number < frame_count) {
next_offset = iso_td.offset[relative_frame_number + 1];
} else {
next_offset = iso_td.be;
}
if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
((relative_frame_number < frame_count) &&
@ -764,7 +772,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
}
} else {
/* Last packet in the ISO TD */
end_addr = iso_td.be;
end_addr = next_offset;
}
if (start_addr > end_addr) {
trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
return 1;
}
if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
@ -773,6 +786,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
} else {
len = end_addr - start_addr + 1;
}
if (len > sizeof(ohci->usb_buf)) {
len = sizeof(ohci->usb_buf);
}
if (len && dir != OHCI_TD_DIR_IN) {
if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
@ -975,8 +991,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
} else {
if (td.cbp > td.be) {
trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
ohci_die(ohci);
return 1;
}
len = (td.be - td.cbp) + 1;
}
if (len > sizeof(ohci->usb_buf)) {
len = sizeof(ohci->usb_buf);
}
pktlen = len;
if (len && dir != OHCI_TD_DIR_IN) {

View File

@ -200,7 +200,7 @@ static ssize_t u2f_emulated_read(const char *path, char *buffer,
int fd;
ssize_t ret;
fd = qemu_open(path, O_RDONLY);
fd = qemu_open_old(path, O_RDONLY);
if (fd < 0) {
return -1;
}
@ -217,7 +217,7 @@ static bool u2f_emulated_setup_counter(const char *path,
int fd, ret;
FILE *fp;
fd = qemu_open(path, O_RDWR);
fd = qemu_open_old(path, O_RDWR);
if (fd < 0) {
return false;
}