qemu/hw/usb
Hongren Zheng 3b0234c950 hw/usb/canokey: Fix buffer overflow for OUT packet
When USBPacket in OUT direction has larger payload
than the ep_out_buffer (of size 512), a buffer overflow
would occur.

It could be fixed by limiting the size of usb_packet_copy
to be at most buffer size. Further optimization gets rid
of the ep_out_buffer and directly uses ep_out as the target
buffer.

This is reported by a security researcher who artificially
constructed an OUT packet of size 2047. The report has gone
through the QEMU security process, and as this device is for
testing purposes and no deployment of it in a virtualization
environment is observed, it is triaged not to be a security bug.

Cc: qemu-stable@nongnu.org
Fixes: d7d3491855 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <thatjiaozi@gmail.com>
Signed-off-by: Hongren Zheng <i@zenithal.me>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 664280abdd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2025-01-29 22:29:03 +03:00
bus-stub.c hw/usb: move stubs out of stubs/ 2024-04-18 11:17:27 +02:00
bus.c hw/usb/bus.c: PCAP adding 0xA in Windows version 2024-03-01 08:27:33 +01:00
canokey.c hw/usb/canokey: Fix buffer overflow for OUT packet 2025-01-29 22:29:03 +03:00
canokey.h hw/usb/canokey: Fix buffer overflow for OUT packet 2025-01-29 22:29:03 +03:00
ccid-card-emulated.c hw/usb: spelling fixes 2023-08-31 19:47:43 +02:00
ccid-card-passthru.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
ccid.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
chipidea.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
combined-packet.c usb: limit combined packets to 1 MiB (CVE-2021-3527) 2021-05-05 15:06:01 +02:00
core.c usb: add pcap support. 2021-01-22 14:51:35 +01:00
desc-msos.c hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
desc.c hw/usb: Silence compiler warnings in USB code when compiling with -Wshadow 2023-10-06 13:27:48 +02:00
desc.h usb: allow max 8192 bytes for desc 2022-01-13 10:22:37 +01:00
dev-audio.c usb-audio: Fix invalid values in AudioControl descriptors 2024-04-01 19:47:40 +03:00
dev-hid.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-hub.c usb-hub: Fix handling port power control messages 2024-11-18 19:37:45 +03:00
dev-mtp.c hw/usb/dev-mtp: Correctly report free space 2024-06-19 12:42:03 +02:00
dev-network.c hw/usb/dev-network: Remove unused struct 'rndis_config_parameter' 2024-05-09 00:07:21 +02:00
dev-serial.c usb: remove support for -usbdevice parameters 2021-03-15 17:00:58 +01:00
dev-smartcard-reader.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-storage-bot.c Don't include headers already included by qemu/osdep.h 2023-02-08 07:28:05 +01:00
dev-storage-classic.c usb-storage: Fix BlockConf defaults 2024-04-16 11:50:52 +01:00
dev-storage.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-uas.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
dev-wacom.c hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
hcd-dwc2.c hw/usb/hcd-dwc2: Handle invalid address access in read and write functions 2024-06-21 14:01:59 +01:00
hcd-dwc2.h Clean up header guards that don't match their file name 2022-05-11 16:49:06 +02:00
hcd-dwc3.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-ehci-pci.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci-sysbus.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci.c hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-ehci.h hw/usb/ehci: Rename NB_PORTS -> EHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-musb.c hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
hcd-ohci-pci.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-ohci-sysbus.c hw/usb: extract sysbus-ohci to a separate file 2024-02-27 09:37:25 +01:00
hcd-ohci.c hw/usb/hcd-ohci: Fix ohci_service_td: accept zero-length TDs where CBP=BE+1 2024-06-21 16:20:45 +01:00
hcd-ohci.h hw/usb/ohci: Use OHCIState type definition 2023-02-27 22:29:02 +01:00
hcd-uhci.c hw/usb/uhci: Rename NB_PORTS -> UHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-uhci.h hw/usb/uhci: Rename NB_PORTS -> UHCI_PORTS 2024-02-20 20:34:21 +03:00
hcd-xhci-nec.c hw/usb/hcd-xhci: Remove XHCI_FLAG_SS_FIRST flag 2024-06-19 12:40:48 +02:00
hcd-xhci-pci.c hw/usb/hcd-xhci-pci: Use modulo to select MSI vector as per spec 2025-01-18 13:43:32 +03:00
hcd-xhci-pci.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
hcd-xhci-sysbus.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
hcd-xhci-sysbus.h usb/xhci: add include/hw/usb/xhci.h header file 2020-10-21 11:36:19 +02:00
hcd-xhci.c hw/usb/hcd-xhci: Remove XHCI_FLAG_SS_FIRST flag 2024-06-19 12:40:48 +02:00
hcd-xhci.h hw/usb/hcd-xhci: Remove XHCI_FLAG_SS_FIRST flag 2024-06-19 12:40:48 +02:00
host-libusb.c hw/usb/host-libusb: Get rid of qemu_open_old() 2024-07-17 14:04:15 +03:00
imx-usb-phy.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
Kconfig usb: add config options for the hub and hid devices 2024-06-04 11:53:43 +02:00
libhw.c dma: Let dma_memory_map() take MemTxAttrs argument 2021-12-30 17:16:32 +01:00
meson.build usb: add config options for the hub and hid devices 2024-06-04 11:53:43 +02:00
pcap.c usb/pcap: set flag_setup 2021-02-17 14:29:12 +01:00
quirks-ftdi-ids.h hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
quirks-pl2303-ids.h hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
quirks.h hw/usb: spelling fixes 2023-08-31 19:47:43 +02:00
redirect.c migration 1st pull for 9.0 2024-01-05 13:35:25 +00:00
trace-events hw/usb/hcd-ohci: Fix ohci_service_td: accept zero-length TDs where CBP=BE+1 2024-06-21 16:20:45 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
tusb6010.c Use OBJECT_DECLARE_SIMPLE_TYPE when possible 2020-09-18 14:12:32 -04:00
u2f-emulated.c hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
u2f-passthru.c hw/usb/u2f-passthru: Get rid of qemu_open_old() 2024-07-17 14:04:15 +03:00
u2f.c hw/usb: Constify VMState 2023-12-30 07:38:06 +11:00
u2f.h hw/usb/u2f: Declare QOM macros using OBJECT_DECLARE_TYPE() 2023-02-27 22:29:02 +01:00
vt82c686-uhci-pci.c hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts 2023-11-28 14:26:37 +01:00
xen-usb.c hw/xen: Make XenDevOps structures const 2024-06-04 11:53:43 +02:00
xlnx-usb-subsystem.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
xlnx-versal-usb2-ctrl-regs.c hw, target: Add ResetType argument to hold and exit phase methods 2024-04-25 10:21:06 +01:00