ShuriZma
/
xemu
mirror of https://github.com/xemu-project/xemu.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
xemu/hw
History
Qiang Liu d8c2e6f2f6 hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero 
An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].

``` c
static void ohci_frame_boundary(void *opaque)
{
    // ...
    if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
        if (!ohci->done)
            abort(); <----------------------------------------- [1]
```

This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/,
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and
https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with
the latest QEMU.

This happends due to crafted ED with putting ISO_TD at physical address 0.

Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset 0 to the phyiscal
memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count
[4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f,
suppose 1), we then control the value of relative_frame_number to be 1 [6]. The
control flow goes to [7] where ohci->done is 0. Have returned from
ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].

``` c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
    // ...
    addr = ed->head & OHCI_DPTR_MASK; // <--------------------- [2]

    if (ohci_read_iso_td(ohci, addr, &iso_td)) {   // <-------- [3]
        // ...

    starting_frame = OHCI_BM(iso_td.flags, TD_SF); // <-------- [4]
    frame_count = OHCI_BM(iso_td.flags, TD_FC);    // <-------- [5]
    relative_frame_number = USUB(ohci->frame_number, starting_frame);
                                                   // <-------- [6]
    if (relative_frame_number < 0) {
        return 1;
    } else if (relative_frame_number > frame_count) {
        // ...
        ohci->done = addr;                         // <-------- [7]
        // ...
    }
```

As only (afaik) a guest root user can manipulate ED, TD and the physical memory,
this assertion failure is not a security bug.

The idea to fix this issue is to drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is 0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.

Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220826051557.119570-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 		2022-09-23 14:38:27 +02:00
..
9pfs trivial typos: namesapce 2022-06-28 11:06:44 +02:00
acpi acpi/nvdimm: Define trace events for NVDIMM and substitute nvdimm_debug() 2022-07-26 10:37:46 -04:00
adc hw/adc: Make adci[*] R/W in NPCM7XX ADC 2022-07-18 13:20:14 +01:00
alpha Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
arm target/arm: Make boards pass base address to armv7m_load_kernel() 2022-09-14 11:19:40 +01:00
audio hw/audio/cs4231a: Const'ify global tables 2022-06-11 11:44:50 +02:00
avr Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
block virtio-scsi: fix race in virtio_scsi_dataplane_start() 2022-08-17 07:07:37 -04:00
char acpi: serial-is: replace ISADeviceClass::build_aml with AcpiDevAmlIfClass:build_dev_aml 2022-06-09 19:32:48 -04:00
core hw/core: fix platform bus node name 2022-09-07 09:18:33 +02:00
cpu cpu/core: Fix "help" of CPU core device types 2021-04-09 16:05:16 -04:00
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
cxl hw/cxl: Correctly handle variable sized mailbox input payloads. 2022-08-17 13:08:11 -04:00
display xlnx_dp: drop unsupported AUXCommand in xlnx_dp_aux_set_command 2022-08-08 11:40:06 +02:00
dma ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
gpio hw/gpio/aspeed: Don't let guests modify input pins 2022-07-14 16:24:38 +02:00
hppa lasips2: remove legacy lasips2_initfn() function 2022-07-18 19:28:46 +01:00
hyperv hw/hyperv/vmbus: Remove unused vmbus_load/save_req() 2022-05-30 19:49:42 +02:00
i2c hw/i2c/pmbus: Add idle state to return 0xff's 2022-07-14 16:24:38 +02:00
i386 util: accept iova_tree_remove_parameter by value 2022-09-02 10:22:39 +08:00
ide block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
input pckbd: remove legacy i8042_mm_init() function 2022-07-18 19:28:46 +01:00
intc hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
ipack qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
ipmi ipmi:smbus: Add a check around a memcpy 2022-08-01 06:40:50 -05:00
isa hw/i386/xen/xen-hvm: Inline xen_piix_pci_write_config_client() and remove it 2022-06-29 00:24:59 +02:00
loongarch hw/loongarch: Improve acpi dsdt table 2022-09-20 15:44:25 +08:00
m68k goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
mem mem/cxl_type3: Add read and write functions for associated hostmem. 2022-05-13 07:57:26 -04:00
microblaze hw/microblaze: pass random seed to fdt 2022-09-21 19:59:56 +02:00
mips hw/mips/malta: turn off x86 specific features of PIIX4_PM 2022-08-08 23:23:11 +02:00
misc hw/arm/bcm2835_property: Add support for RPI_FIRMWARE_FRAMEBUFFER_GET_NUM_DISPLAYS 2022-09-14 11:19:39 +01:00
net net: tulip: Restrict DMA engine to memories 2022-09-02 10:22:39 +08:00
nios2 hw/nios2: virt: pass random seed to fdt 2022-07-22 19:01:44 +02:00
nubus qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
nvme hw/nvme: do not enable ioeventfd by default 2022-08-01 12:01:21 +02:00
nvram block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
openrisc hw/openrisc: virt: pass random seed to fdt 2022-09-04 07:02:57 +01:00
pci trivial patches pull request 20220629 2022-06-30 04:49:40 +05:30
pci-bridge pci-bridge/cxl_downstream: Add a CXL switch downstream port 2022-06-16 12:54:57 -04:00
pci-host hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure 2022-09-20 12:31:53 -03:00
pcmcia hw/pcmcia: Do not register PCMCIA type if not required 2021-05-02 17:24:50 +02:00
ppc ppc patch queue for 2022-09-20: 2022-09-21 13:11:57 -04:00
rdma hw/pvrdma: Some cosmetic fixes 2022-04-26 12:25:14 +02:00
remote vfio-user: handle reset of remote device 2022-06-15 16:43:42 +01:00
riscv hw/riscv: virt: Add PMU DT node to the device tree 2022-09-07 09:19:15 +02:00
rtc goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
rx hw/rx: pass random seed to fdt 2022-07-22 19:01:44 +02:00
s390x s390x/cpumodel: add stfl197 processor-activity-instrumentation extension 1 2022-08-25 21:59:04 +02:00
scsi scsi: Reject commands if the CDB length exceeds buf_len 2022-09-01 07:42:37 +02:00
sd block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
sensor hw/sensor: Add Renesas ISL69259 device model 2022-07-14 16:24:38 +02:00
sh4 Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
smbios smbios: sanitize type from external type before checking have_fields_bitmap 2022-09-18 09:17:40 +02:00
sparc machine: make memory-backend a link property 2022-05-12 12:29:44 +02:00
sparc64 hw: Reuse TYPE_I8042 define 2022-06-11 11:44:50 +02:00
ssi aspeed/smc: Fix potential overflow 2022-06-30 09:21:13 +02:00
timer hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
tpm tpm_crb: Avoid backend startup just before shutdown under Xen 2022-09-09 17:55:59 -04:00
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero 2022-09-23 14:38:27 +02:00
vfio ui/console: Do not return a value with ui_info 2022-06-14 10:34:37 +02:00
virtio vdpa: Delete CVQ migration blocker 2022-09-02 10:22:39 +08:00
watchdog ppc/spapr: Implement H_WATCHDOG 2022-07-06 10:22:38 -03:00
xen xen/pass-through: don't create needless register group 2022-07-05 14:19:48 +01:00
xenpv Warn user if the vga flag is passed but no vga device is created 2022-05-09 08:21:14 +02:00
xtensa hw/xtensa: fix reset value of MIROUT register of MX PIC 2022-05-06 15:27:40 -07:00
Kconfig hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00
meson.build hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00