qemu-cr16/hw
Latest commit: d0af3cd027 by Peter Maydell
hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
If the guest feeds invalid data to the UHCI controller, we
can assert:
qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.

(see issue 2548 for the repro case).  This happens because the guest
attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
valid.  The controller code doesn't catch this guest error, so
instead we hit the assertion in the USB core code.

Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
error in the TD, in the same way we do for an invalid PID value in
the TD.

This is the UHCI equivalent of the same bug in OHCI that we fixed in
commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
OUT").

This bug has been tracked as CVE-2024-8354.

Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
2025-09-25 11:06:27 +01:00
9pfs 9pfs: Stop including gstrfuncs.h 2025-09-18 21:21:29 +02:00
acpi acpi: mark PMTIMER as unlocked 2025-08-29 12:48:14 +02:00
adc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
alpha qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
arm target-arm queue: 2025-09-17 11:10:55 -07:00
audio hw/audio/via-ac97: skip automatic zero-init of large array 2025-06-12 13:40:15 -04:00
avr qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
block hw/virtio: Build various files once 2025-07-15 02:56:39 -04:00
char hw/char/max78000_uart: Destroy FIFO on deinit 2025-09-02 17:57:05 +02:00
core * qom: Do not unparent in instance_finalize 2025-09-24 12:04:18 -07:00
cpu qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
cxl hw/cxl: mailbox-utils: 0x5605 - FMAPI Initiate DC Release 2025-07-15 02:56:40 -04:00
display hw/display/bcm2835_fb: Move inclusion of console.h to the .c file 2025-09-09 09:31:15 +02:00
dma hw/dma/xlnx_csu_dma: skip automatic zero-init of large array 2025-06-12 13:40:15 -04:00
fsi qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
gpio hw/gpio/pca9554: Avoid leak in pca9554_set_pin() 2025-09-02 17:57:05 +02:00
hppa qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
hyperv hv-balloon: hw/core/register: Do not unparent in instance_finalize() 2025-09-24 09:23:20 +02:00
i2c hw/arm: Replace TABs for spaces in OMAP board and device code 2025-05-14 14:29:47 +01:00
i386 hw/i386/pc_piix.c: remove unnecessary if() from pc_init1() 2025-09-02 17:58:05 +02:00
ide hw/ide/ich.c: Use qemu_init_irq_child() to avoid memory leak 2025-09-02 17:57:05 +02:00
input treewide: use qemu_set_blocking instead of g_unix_set_fd_nonblocking 2025-09-19 12:46:07 +01:00
intc hw/intc: compile some arm related source once 2025-09-02 17:57:05 +02:00
ipack qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ipmi qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
isa hw/isa/superio: Include 'system/system.h' 2025-09-02 17:58:05 +02:00
loongarch hw/loongarch/virt: Register reset interface with cpu plug callback 2025-09-18 17:39:57 +08:00
m68k hw: add compat machines for 10.2 2025-08-27 07:07:53 +02:00
mem hw/cxl: mailbox-utils: 0x5604 - FMAPI Initiate DC Add 2025-07-15 02:56:40 -04:00
microblaze hw/microblaze: Add missing FDT dependency 2025-07-15 00:24:26 +02:00
mips hw/mips/malta: Silence warning from ubsan 2025-09-09 09:34:45 +02:00
misc treewide: use qemu_set_blocking instead of g_unix_set_fd_nonblocking 2025-09-19 12:46:07 +01:00
net hw/net: Remove mipsnet device model 2025-09-02 17:57:05 +02:00
nubus qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
nvme hw/nvme: cap MDTS value for internal limitation 2025-08-11 00:17:38 -07:00
nvram hw/nvram/fw_cfg: Remove legacy FW_CFG_ORDER_OVERRIDE 2025-05-30 09:52:08 +02:00
openrisc add cpu_test_interrupt()/cpu_set_interrupt() helpers and use them tree wide 2025-08-29 12:48:14 +02:00
pci hw/pci: Introduce pci_setup_iommu_per_bus() for per-bus IOMMU ops retrieval 2025-09-16 17:31:54 +01:00
pci-bridge hw/arm/smmu-common: Check SMMU has PCIe Root Complex association 2025-09-16 17:31:54 +01:00
pci-host hw/pci-host/astro: Don't call pci_regsiter_root_bus() in init 2025-09-23 16:52:50 -07:00
ppc hw/ppc/spapr: Use tb_invalidate_phys_range in h_page_init 2025-09-24 10:29:43 -07:00
remote treewide: handle result of qio_channel_set_blocking() 2025-09-19 12:46:07 +01:00
riscv hw/riscv/virt-acpi-build.c: Update FADT and MADT versions 2025-07-30 10:59:26 +10:00
rtc hw/rtc/mc146818rtc: Drop pre-v3 migration stream support 2025-04-30 20:44:20 +02:00
rx qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
s390x s390x/s390-pci-vfio.c: use QOM casts where appropriate 2025-09-08 16:46:31 +02:00
scsi hw/scsi/mptsas: Avoid silent integer truncation in MPI_FUNC_IOC_INIT 2025-09-02 17:57:05 +02:00
sd hw/sd/sdhci: Do not unparent in instance_finalize() 2025-09-24 09:23:20 +02:00
sensor qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sh4 include: Remove 'exec/exec-all.h' 2025-04-30 12:45:05 -07:00
smbios qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
sparc qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
sparc64 qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
ssi hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 2025-08-04 09:07:38 +02:00
timer hpet: guard IRQ handling with BQL 2025-09-17 19:00:58 +02:00
tpm qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
tricore qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
uefi hw/uefi: open json file in binary mode 2025-08-12 08:03:16 +02:00
ufs hw/ufs/lu: skip automatic zero-init of large array 2025-06-12 13:40:16 -04:00
usb hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint 2025-09-25 11:06:27 +01:00
vfio vfio: Do not unparent in instance_finalize() 2025-09-24 09:23:20 +02:00
vfio-user treewide: handle result of qio_channel_set_blocking() 2025-09-19 12:46:07 +01:00
virtio treewide: use qemu_set_blocking instead of g_unix_set_fd_nonblocking 2025-09-19 12:46:07 +01:00
vmapple qemu: Declare all load/store helper in 'qemu/bswap.h' 2025-07-15 02:56:39 -04:00
watchdog qom: Make InterfaceInfo[] uses const 2025-04-25 17:00:41 +02:00
xen hw/xen: Do not unparent in instance_finalize() 2025-09-24 09:23:20 +02:00
xenpv hw/boards: Do not create unusable default if=sd drives 2025-02-16 14:25:08 +01:00
xtensa qom: Have class_init() take a const data argument 2025-04-25 17:00:41 +02:00
Kconfig vfio-user: add vfio-user class and container 2025-06-26 08:55:38 +02:00
meson.build hw/meson: enter target hw first 2025-09-02 17:57:05 +02:00