Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 1 | CVE: CVE-2020-14364 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001 |
| 6 | From: Gerd Hoffmann <kraxel@redhat.com> |
| 7 | Date: Tue, 25 Aug 2020 07:36:36 +0200 |
| 8 | Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) |
| 9 | |
| 10 | Store calculated setup_len in a local variable, verify it, and only |
| 11 | write it to the struct (USBDevice->setup_len) in case it passed the |
| 12 | sanity checks. |
| 13 | |
| 14 | This prevents other code (do_token_{in,out} functions specifically) |
| 15 | from working with invalid USBDevice->setup_len values and overrunning |
| 16 | the USBDevice->setup_buf[] buffer. |
| 17 | |
| 18 | Fixes: CVE-2020-14364 |
| 19 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| 20 | Tested-by: Gonglei <arei.gonglei@huawei.com> |
| 21 | Reviewed-by: Li Qiang <liq3ea@gmail.com> |
| 22 | Message-id: 20200825053636.29648-1-kraxel@redhat.com |
| 23 | --- |
| 24 | hw/usb/core.c | 16 ++++++++++------ |
| 25 | 1 file changed, 10 insertions(+), 6 deletions(-) |
| 26 | |
| 27 | diff --git a/hw/usb/core.c b/hw/usb/core.c |
| 28 | index 5abd128b6bc..5234dcc73fe 100644 |
| 29 | --- a/hw/usb/core.c |
| 30 | +++ b/hw/usb/core.c |
| 31 | @@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) |
| 32 | static void do_token_setup(USBDevice *s, USBPacket *p) |
| 33 | { |
| 34 | int request, value, index; |
| 35 | + unsigned int setup_len; |
| 36 | |
| 37 | if (p->iov.size != 8) { |
| 38 | p->status = USB_RET_STALL; |
| 39 | @@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) |
| 40 | usb_packet_copy(p, s->setup_buf, p->iov.size); |
| 41 | s->setup_index = 0; |
| 42 | p->actual_length = 0; |
| 43 | - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; |
| 44 | - if (s->setup_len > sizeof(s->data_buf)) { |
| 45 | + setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; |
| 46 | + if (setup_len > sizeof(s->data_buf)) { |
| 47 | fprintf(stderr, |
| 48 | "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", |
| 49 | - s->setup_len, sizeof(s->data_buf)); |
| 50 | + setup_len, sizeof(s->data_buf)); |
| 51 | p->status = USB_RET_STALL; |
| 52 | return; |
| 53 | } |
| 54 | + s->setup_len = setup_len; |
| 55 | |
| 56 | request = (s->setup_buf[0] << 8) | s->setup_buf[1]; |
| 57 | value = (s->setup_buf[3] << 8) | s->setup_buf[2]; |
| 58 | @@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) |
| 59 | static void do_parameter(USBDevice *s, USBPacket *p) |
| 60 | { |
| 61 | int i, request, value, index; |
| 62 | + unsigned int setup_len; |
| 63 | |
| 64 | for (i = 0; i < 8; i++) { |
| 65 | s->setup_buf[i] = p->parameter >> (i*8); |
| 66 | } |
| 67 | |
| 68 | s->setup_state = SETUP_STATE_PARAM; |
| 69 | - s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; |
| 70 | s->setup_index = 0; |
| 71 | |
| 72 | request = (s->setup_buf[0] << 8) | s->setup_buf[1]; |
| 73 | value = (s->setup_buf[3] << 8) | s->setup_buf[2]; |
| 74 | index = (s->setup_buf[5] << 8) | s->setup_buf[4]; |
| 75 | |
| 76 | - if (s->setup_len > sizeof(s->data_buf)) { |
| 77 | + setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; |
| 78 | + if (setup_len > sizeof(s->data_buf)) { |
| 79 | fprintf(stderr, |
| 80 | "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", |
| 81 | - s->setup_len, sizeof(s->data_buf)); |
| 82 | + setup_len, sizeof(s->data_buf)); |
| 83 | p->status = USB_RET_STALL; |
| 84 | return; |
| 85 | } |
| 86 | + s->setup_len = setup_len; |
| 87 | |
| 88 | if (p->pid == USB_TOKEN_OUT) { |
| 89 | usb_packet_copy(p, s->data_buf, s->setup_len); |