| From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 |
| From: Gerd Hoffmann <kraxel@redhat.com> |
| Date: Mon, 3 May 2021 15:29:15 +0200 |
| Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527) |
| |
| usb-host and usb-redirect try to batch bulk transfers by combining many |
| small usb packets into a single, large transfer request, to reduce the |
| overhead and improve performance. |
| |
| This patch adds a size limit of 1 MiB for those combined packets to |
| restrict the host resources the guest can bind that way. |
| |
| Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> |
| |
| Upstream-Status: Backport |
| https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c |
| CVE: CVE-2021-3527 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| |
| --- |
| hw/usb/combined-packet.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c |
| index 5d57e883dc..e56802f89a 100644 |
| --- a/hw/usb/combined-packet.c |
| +++ b/hw/usb/combined-packet.c |
| @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) |
| if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || |
| next == NULL || |
| /* Work around for Linux usbfs bulk splitting + migration */ |
| - (totalsize == (16 * KiB - 36) && p->int_req)) { |
| + (totalsize == (16 * KiB - 36) && p->int_req) || |
| + /* Next package may grow combined package over 1MiB */ |
| + totalsize > 1 * MiB - ep->max_packet_size) { |
| usb_device_handle_data(ep->dev, first); |
| assert(first->status == USB_RET_ASYNC); |
| if (first->combined) { |
| -- |
| GitLab |
| |