-
Notifications
You must be signed in to change notification settings - Fork 507
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Lee Chee Yang <[email protected]> Signed-off-by: Steve Sakoman <[email protected]>
- Loading branch information
1 parent
6a38db9
commit 3c85df8
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001 | ||
| From: Li Qiang <[email protected]> | ||
| Date: Wed, 12 Aug 2020 09:17:27 -0700 | ||
| Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map' | ||
|
|
||
| If 'usb_packet_map' fails, we should stop to process the usb | ||
| request. | ||
|
|
||
| Signed-off-by: Li Qiang <[email protected]> | ||
| Message-Id: <[email protected]> | ||
| Signed-off-by: Gerd Hoffmann <[email protected]> | ||
|
|
||
|
|
||
| Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6] | ||
| CVE: CVE-2020-25723 | ||
| Signed-off-by: Chee Yang Lee <[email protected]> | ||
|
|
||
| --- | ||
| hw/usb/hcd-ehci.c | 10 ++++++++-- | ||
| 1 file changed, 8 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c | ||
| index 58cceac..4da446d 100644 | ||
| --- a/hw/usb/hcd-ehci.c | ||
| +++ b/hw/usb/hcd-ehci.c | ||
| @@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action) | ||
| spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); | ||
| usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, | ||
| (p->qtd.token & QTD_TOKEN_IOC) != 0); | ||
| - usb_packet_map(&p->packet, &p->sgl); | ||
| + if (usb_packet_map(&p->packet, &p->sgl)) { | ||
| + qemu_sglist_destroy(&p->sgl); | ||
| + return -1; | ||
| + } | ||
| p->async = EHCI_ASYNC_INITIALIZED; | ||
| } | ||
|
|
||
| @@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci, | ||
| if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { | ||
| usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, | ||
| (itd->transact[i] & ITD_XACT_IOC) != 0); | ||
| - usb_packet_map(&ehci->ipacket, &ehci->isgl); | ||
| + if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { | ||
| + qemu_sglist_destroy(&ehci->isgl); | ||
| + return -1; | ||
| + } | ||
| usb_handle_packet(dev, &ehci->ipacket); | ||
| usb_packet_unmap(&ehci->ipacket, &ehci->isgl); | ||
| } else { | ||
| -- | ||
| 1.8.3.1 | ||
|
|