qemu-cr16/hw/usb
Peter Maydell d0af3cd027 hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
If the guest feeds invalid data to the UHCI controller, we
can assert:
qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.

(see issue 2548 for the repro case).  This happens because the guest
attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
valid.  The controller code doesn't catch this guest error, so
instead we hit the assertion in the USB core code.

Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
error in the TD, in the same way we do for an invalid PID value in
the TD.

This is the UHCI equivalent of the same bug in OHCI that we fixed in
commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
OUT").

This bug has been tracked as CVE-2024-8354.

Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
2025-09-25 11:06:27 +01:00
bus-stub.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
bus.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
canokey.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
canokey.h hw/usb/canokey: Fix buffer overflow for OUT packet 2025-01-28 18:40:19 +00:00
ccid-card-emulated.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
ccid-card-passthru.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
ccid.h Use OBJECT_DECLARE_TYPE when possible 2020-09-18 14:12:32 -04:00
chipidea.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
combined-packet.c usb: limit combined packets to 1 MiB (CVE-2021-3527) 2021-05-05 15:06:01 +02:00
core.c usb: add pcap support. 2021-01-22 14:51:35 +01:00
desc-msos.c hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
desc.c hw/usb: Silence compiler warnings in USB code when compiling with -Wshadow 2023-10-06 13:27:48 +02:00
desc.h usb: allow max 8192 bytes for desc 2022-01-13 10:22:37 +01:00
dev-audio.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-hid.c hw/usb/dev-hid: Support side and extra mouse buttons for usb-tablet 2025-07-13 12:08:07 +03:00
dev-hub.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-mtp.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-network.c hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response 2025-09-16 17:32:06 +01:00
dev-serial.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-smartcard-reader.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
dev-storage-bot.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-storage-classic.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-storage.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-uas.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
dev-wacom.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-dwc2.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-dwc2.h include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
hcd-dwc3.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-ehci-pci.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
hcd-ehci-sysbus.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-ehci.c hw/usb/hcd-ehci: Fix debug printf format string 2025-01-31 19:36:44 +01:00
hcd-ehci.h include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
hcd-ohci-pci.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
hcd-ohci-sysbus.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-ohci.c hw/usb/hcd-ohci: skip automatic zero-init of large array 2025-06-12 13:40:16 -04:00
hcd-ohci.h include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
hcd-uhci.c hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint 2025-09-25 11:06:27 +01:00
hcd-uhci.h qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-xhci-nec.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-xhci-pci.c qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
hcd-xhci-pci.h hw/usb/hcd-xhci-pci: Adds property for disabling mapping in IRQ mode 2025-03-04 14:45:34 +01:00
hcd-xhci-sysbus.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
hcd-xhci-sysbus.h usb/xhci: add include/hw/usb/xhci.h header file 2020-10-21 11:36:19 +02:00
hcd-xhci.c hw/usb/hcd-xhci: Unmap canceled packet 2025-04-25 17:00:42 +02:00
hcd-xhci.h hw/usb/hcd-xhci-pci: Adds property for disabling mapping in IRQ mode 2025-03-04 14:45:34 +01:00
host-libusb.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
imx-usb-phy.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
Kconfig Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 2025-02-20 14:20:29 +00:00
libhw.c include: Rename sysemu/ -> system/ 2024-12-20 17:44:56 +01:00
meson.build Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 2025-02-20 14:20:29 +00:00
pcap.c usb/pcap: set flag_setup 2021-02-17 14:29:12 +01:00
quirks-ftdi-ids.h hw/usb: Fix typo in comments and print 2021-09-01 06:37:13 +02:00
quirks-pl2303-ids.h hw/usb: fix tab indentation 2022-11-08 11:13:48 +01:00
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 2020-03-16 23:02:25 +01:00
quirks.h hw/usb: spelling fixes 2023-08-31 19:47:43 +02:00
redirect.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
trace-events hw/usb/hcd-ohci: Fix ohci_service_td: accept zero-length TDs where CBP=BE+1 2024-06-21 16:20:45 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
u2f-emulated.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
u2f-passthru.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
u2f.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
u2f.h hw/usb/u2f: Declare QOM macros using OBJECT_DECLARE_TYPE() 2023-02-27 22:29:02 +01:00
vt82c686-uhci-pci.c hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts 2023-11-28 14:26:37 +01:00
xen-usb.c hw/xen: Prefer QOM cast for XenLegacyDevice 2025-02-16 14:25:08 +01:00
xlnx-usb-subsystem.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
xlnx-versal-usb2-ctrl-regs.c qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00