qemu/hw
Commit 3b0234c950 by Hongren Zheng: hw/usb/canokey: Fix buffer overflow for OUT packet
When a USBPacket in the OUT direction has a larger payload
than ep_out_buffer (of size 512), a buffer overflow
would occur.

It could be fixed by limiting the size of usb_packet_copy
to at most the buffer size. A further optimization gets rid
of ep_out_buffer and uses ep_out directly as the target
buffer.

This was reported by a security researcher who artificially
constructed an OUT packet of size 2047. The report has gone
through the QEMU security process, and as this device is for
testing purposes and no deployment of it in a virtualization
environment has been observed, it was triaged as not a security bug.

Cc: qemu-stable@nongnu.org
Fixes: d7d3491855 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <thatjiaozi@gmail.com>
Signed-off-by: Hongren Zheng <i@zenithal.me>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 664280abdd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-01-29 22:29:03 +03:00
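A compact model of the overrun the commit message describes and of the clamp that closes it. This is an added illustration, not code from QEMU's canokey device: UsbPacketModel and packet_copy are hypothetical stand-ins for USBPacket and usb_packet_copy, the 512-byte buffer size and the 2047-byte packet are the figures given in the message, and the guard region is a constructed device so the overrun can be measured without the example itself writing out of bounds.

```c
/* Added illustration (not QEMU's code) of the bug class in the commit
 * message: an OUT packet longer than the 512-byte ep_out_buffer was copied
 * using the packet length, overrunning the buffer. The type and function
 * names below are hypothetical stand-ins for USBPacket / usb_packet_copy. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EP_OUT_BUFFER_SIZE 512   /* ep_out_buffer size stated in the commit message */
#define GUARD_SIZE 4096          /* constructed: guard area so the overrun is observable safely */
#define GUARD_BYTE 0xAA

/* Constructed stand-in for the USBPacket fields that matter here. */
typedef struct {
    const uint8_t *data;
    size_t len;
} UsbPacketModel;

/* Stand-in for usb_packet_copy(): copies `len` payload bytes into dst.
 * Like the real helper it has no idea how large dst is. */
static void packet_copy(const UsbPacketModel *p, uint8_t *dst, size_t len)
{
    memcpy(dst, p->data, len);
}

/* "Before" pattern: the copy length comes from the packet, so any payload
 * over EP_OUT_BUFFER_SIZE bytes writes past ep_out_buffer. */
static void handle_out_vulnerable(const UsbPacketModel *p, uint8_t *ep_out_buffer)
{
    packet_copy(p, ep_out_buffer, p->len);
}

/* "After" pattern: clamp the copy to the destination's capacity. The commit
 * also drops the intermediate buffer and copies straight into ep_out; that is
 * modelled by passing the final destination and its size. Returns the bytes
 * accepted so a caller can tell a truncated packet from a complete one. */
static size_t handle_out_fixed(const UsbPacketModel *p, uint8_t *ep_out, size_t ep_out_size)
{
    size_t n = p->len < ep_out_size ? p->len : ep_out_size;
    packet_copy(p, ep_out, n);
    return n;
}

/* Harness: put the endpoint buffer at the start of one allocation whose tail
 * is filled with GUARD_BYTE, feed a constructed packet of pkt_len 0x41 bytes to
 * the chosen handler, and count guard bytes that changed. Because the whole
 * region is one allocation, the overrun stays inside it and this example never
 * performs an out-of-bounds write itself. */
static size_t guard_bytes_clobbered(size_t pkt_len, int use_fixed)
{
    const size_t region_size = EP_OUT_BUFFER_SIZE + GUARD_SIZE;
    size_t clobbered = 0, i;
    uint8_t *region, *payload;
    UsbPacketModel pkt;

    if (pkt_len > region_size) {
        return (size_t)-1;  /* refuse packets the harness cannot contain */
    }
    region = malloc(region_size);
    payload = malloc(pkt_len ? pkt_len : 1);
    if (!region || !payload) {
        free(region);
        free(payload);
        return (size_t)-1;
    }
    memset(region, GUARD_BYTE, region_size);
    memset(payload, 0x41, pkt_len);
    pkt.data = payload;
    pkt.len = pkt_len;
    if (use_fixed) {
        handle_out_fixed(&pkt, region, EP_OUT_BUFFER_SIZE);
    } else {
        handle_out_vulnerable(&pkt, region);
    }
    for (i = EP_OUT_BUFFER_SIZE; i < region_size; i++) {
        if (region[i] != GUARD_BYTE) clobbered++;
    }
    free(payload);
    free(region);
    return clobbered;
}

/* Bytes the fixed handler accepts from a constructed packet of pkt_len bytes. */
static size_t fixed_accepted_len(size_t pkt_len)
{
    uint8_t ep_out[EP_OUT_BUFFER_SIZE];
    uint8_t *payload = malloc(pkt_len ? pkt_len : 1);
    UsbPacketModel pkt;
    size_t n;

    if (!payload) return (size_t)-1;
    memset(payload, 0x41, pkt_len);
    pkt.data = payload;
    pkt.len = pkt_len;
    n = handle_out_fixed(&pkt, ep_out, sizeof ep_out);
    free(payload);
    return n;
}

int main(void)
{
    /* The researcher's 2047-byte OUT packet from the commit message. */
    printf("vulnerable: %zu guard bytes clobbered\n", guard_bytes_clobbered(2047, 0)); /* 1535 */
    printf("fixed:      %zu guard bytes clobbered\n", guard_bytes_clobbered(2047, 1)); /* 0 */
    printf("fixed accepts %zu of 2047 bytes\n", fixed_accepted_len(2047));             /* 512 */
    return 0;
}
```

The clamp alone stops the write; what to do with the 1535 bytes that no longer fit (drop them, stall the endpoint, or report an error to the guest) is a protocol decision the commit message does not spell out, which is why the fixed handler returns the accepted length rather than deciding for its caller.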
Directory listing (name, last commit subject, commit date):
9pfs 9pfs: fix regression regarding CVE-2023-2861 2024-12-13 00:21:17 +03:00
acpi hw/acpi: Fix ordering of BDF in Generic Initiator PCI Device Handle. 2024-11-06 15:01:58 +03:00
adc aspeed/adc: Add AST2700 support 2024-07-21 07:46:38 +02:00
alpha alpha: switch boards to "default y" 2024-05-03 15:47:47 +02:00
arm docs: Fix some typos (found by typos) and grammar issues 2024-08-16 14:12:59 +01:00
audio hw/audio/hda: fix memory leak on audio setup 2024-11-18 19:29:56 +03:00
avr avr: switch boards to "default y" 2024-05-03 15:47:47 +02:00
block hw/block/fdc-isa: Assert that isa_fdc_get_drive_max_chs() found something 2024-08-06 10:22:52 +02:00
char hw/char/pl011: Use correct masks for IBRD and FBRD 2024-10-15 20:33:06 +03:00
core qdev: Fix set_pci_devfn() to visit option only once 2024-11-26 19:06:00 +03:00
cpu hw: Add a Kconfig switch for the TYPE_CPU_CLUSTER device 2024-04-25 12:48:12 +02:00
cris cris: switch boards to "default y" 2024-05-03 15:47:47 +02:00
cxl Misc HW patch queue 2024-07-24 15:39:43 +10:00
display ui/win32: fix potential use-after-free with dbus shared memory 2024-10-16 11:15:04 +03:00
dma hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma 2024-08-20 00:38:48 +02:00
fsi hw/fsi: Aspeed APB2OPB & On-chip peripheral bus 2024-02-01 08:33:18 +01:00
gpio hw/gpio/aspeed: Add reg_table_count to AspeedGPIOClass 2024-07-02 07:52:43 +02:00
hppa hw/hppa/machine: Replace g_memdup() by g_memdup2() 2024-05-08 19:42:45 +02:00
hyperv kvm: move target-dependent interrupt routing out of kvm-all.c 2024-05-03 15:47:48 +02:00
i2c hw/i2c/mpc_i2c: Fix mmio region size 2024-07-23 20:30:36 +02:00
i386 pci: acpi: Windows 'PCI Label Id' bug workaround 2025-01-18 13:43:32 +03:00
ide mac_dbdma: Remove leftover dma_memory_unmap calls 2024-09-25 21:05:07 +03:00
input hw: arm: Remove use of tabs in some source files 2024-05-28 14:20:48 +01:00
intc hw/intc/riscv_aplic: Fix APLIC in_clrip and clripnum write emulation 2024-12-22 11:39:24 +03:00
ipack hw/ipack: Constify VMState 2023-12-29 11:17:30 +11:00
ipmi hw/ipmi: Constify VMState 2023-12-29 11:17:30 +11:00
isa hw/isa/vt82c686: Turn "intr" irq into a named gpio 2024-07-16 20:04:08 +02:00
loongarch hw/loongarch/virt: Add description for virt machine type 2024-09-26 13:15:03 +03:00
m68k hw: skip registration of outdated versioned machine types 2024-07-02 06:58:37 +02:00
mem hw/cxl: Fix msix_notify: Assertion vector < dev->msix_entries_nr 2025-01-18 13:43:32 +03:00
microblaze microblaze: switch boards to "default y" 2024-05-03 15:47:47 +02:00
mips hw/mips/jazz: fix typo in in-built NIC alias 2024-09-28 07:35:30 +03:00
misc hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values 2024-08-13 11:34:56 +01:00
net virtio-net: Add queues before loading them 2024-11-26 19:34:02 +03:00
nubus hw/nubus/virtio-mmio: Fix missing ERRP_GUARD() in realize handler 2024-07-23 22:34:09 +02:00
nvme hw/nvme: take a reference on the subsystem on vf realization 2024-12-03 20:02:54 +03:00
nvram hw/nvram: Add BCM2835 OTP device 2024-07-01 12:48:55 +01:00
openrisc hw/openrisc/openrisc_sim: keep serial@90000000 as default 2024-12-03 20:03:30 +03:00
pci pci/msix: Fix msix pba read vector poll end calculation 2025-01-18 13:43:32 +03:00
pci-bridge Misc HW patch queue 2024-04-25 09:43:29 -07:00
pci-host hw/pci-host/gt64120: Reset config registers during RESET phase 2024-08-06 16:24:14 +02:00
pcmcia hw/pcmcia/pxa2xx: Inline pxa2xx_pcmcia_init() 2023-10-27 12:48:57 +01:00
ppc target/ppc: Fix THREAD_SIBLING_FOREACH for multi-socket 2024-12-02 09:09:12 +03:00
remote hw/remote/message.c: Don't directly invoke DeviceClass:reset 2024-08-20 00:38:48 +02:00
riscv Revert "hw/riscv/virt.c: imsics DT: add '#msi-cells'" 2024-08-19 14:34:49 +10:00
rtc docs: Correct Loongarch -> LoongArch 2024-07-23 20:30:36 +02:00
rx kconfig: express dependency of individual boards on libfdt 2024-05-10 15:45:15 +02:00
s390x s390x: Fix CSS migration 2025-01-18 13:42:40 +03:00
scsi scsi: megasas: Internal cdbs have 16-byte length 2024-11-30 09:57:40 +03:00
sd hw/sd/sdcard: Fix calculation of size when using eMMC boot partitions 2024-11-05 19:14:12 +03:00
sensor hw, target: Add ResetType argument to hold and exit phase methods 2024-04-25 10:21:06 +01:00
sh4 Revert "hw/sh4/r2d: Realize IDE controller before accessing it" 2024-10-22 20:24:35 +03:00
smbios smbios: make memory device size configurable per Machine 2024-07-22 20:15:41 -04:00
sparc sparc: switch boards to "default y" 2024-05-03 15:47:48 +02:00
sparc64 qemu-sparc queue 2024-05-06 10:19:56 -07:00
ssi hw/ssi/pnv_spi: Fixes Coverity CID 1558831 2024-11-05 18:59:01 +03:00
timer hpet: avoid timer storms on periodic timers 2024-07-22 19:19:44 +02:00
tpm hw/tpm: Remove HOST_PAGE_ALIGN from tpm_ppi_init 2024-02-29 11:35:36 -10:00
tricore tricore: switch boards to "default y" 2024-05-03 15:47:48 +02:00
ufs hw/ufs: Fix mcq register range check logic 2024-07-14 17:11:21 +09:00
usb hw/usb/canokey: Fix buffer overflow for OUT packet 2025-01-29 22:29:03 +03:00
vfio vfio/container: Fix container object destruction 2024-11-18 19:29:41 +03:00
virtio vhost-user: fix shared object return values 2024-12-20 23:50:05 +03:00
watchdog aspeed/wdt: Add AST2700 support 2024-06-16 21:08:54 +02:00
xen xen: mapcache: Fix unmapping of first entries in buckets 2024-07-12 00:17:36 +02:00
xenpv hw/xen: Register framebuffer backend via xen_backend_init() 2024-06-04 11:53:43 +02:00
xtensa hw/xtensa: require libfdt 2024-05-10 15:45:15 +02:00
Kconfig hw: Fix problem with the A*MPCORE switches in the Kconfig files 2024-04-25 12:48:12 +02:00
meson.build hw/rdma: Remove deprecated pvrdma device and rdmacm-mux helper 2024-04-24 16:03:38 +02:00