ctyunsystem/qemu

forked from src-openEuler/qemu 
bugfix-fix-mmio-information-leak-and-ehci-vm-escape-.patch 2.35 KB
From f14ea0bd2596f94ad926009411b8ffda9c2c2cda Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 22:42:23 +0800
Subject: [PATCH] bugfix: fix mmio information leak and ehci vm escape 0-day
vulnerability
Signed-off-by: Yutao Ai <aiyutao@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
---
hw/usb/core.c | 20 ++++++++++++++++++--
hw/usb/hcd-ehci.c | 2 ++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/hw/usb/core.c b/hw/usb/core.c
index 51b36126ca..a62826e051 100644
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@@ -206,7 +206,15 @@ static void do_token_in(USBDevice *s, USBPacket *p)
case SETUP_STATE_DATA:
if (s->setup_buf[0] & USB_DIR_IN) {
- int len = s->setup_len - s->setup_index;
+ int len;
+ if (s->setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small do_token_in(%d > %zu)\n",
+ s->setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
+ len = s->setup_len - s->setup_index;
if (len > p->iov.size) {
len = p->iov.size;
}
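Review bot: the new bound on `s->setup_len` is only enforced once the device is already in SETUP_STATE_DATA, so the value was accepted unvalidated at the SETUP stage and any use of it before this point is still unprotected; the check belongs where setup_len is parsed from the SETUP packet, with this one kept at most as a defensive backstop. The stall path also leaves the setup state untouched, so a guest can replay the same IN token forever and every attempt executes the `fprintf(stderr, ...)`, which is guest-controlled, unbounded host log output; reset the setup state when stalling and route the diagnostic through the existing trace/log facilities rather than raw stderr.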
@@ -244,7 +252,15 @@ static void do_token_out(USBDevice *s, USBPacket *p)
case SETUP_STATE_DATA:
if (!(s->setup_buf[0] & USB_DIR_IN)) {
- int len = s->setup_len - s->setup_index;
+ int len;
+ if (s->setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small do_token_out(%d > %zu)\n",
+ s->setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
+ len = s->setup_len - s->setup_index;
if (len > p->iov.size) {
len = p->iov.size;
}
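Review bot: this block is a verbatim copy of the check added to do_token_in(); factor it into one static helper so the two cannot drift apart. The bound also says nothing about `s->setup_index`: `len = s->setup_len - s->setup_index` is an int, and the unchanged `if (len > p->iov.size)` compares it against a size_t, so a setup_index greater than setup_len produces a negative len that is promoted to a large unsigned value and silently clamped to p->iov.size instead of being rejected. Extend the new condition to also reject `s->setup_index > s->setup_len` (stalling in that case too) so the subtraction can never go negative.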
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 6caa7ac6c2..1415107315 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -612,6 +612,8 @@ static void ehci_free_queue(EHCIQueue *q, const char *warn)
ehci_trace_guest_bug(q->ehci, warn);
}
QTAILQ_REMOVE(head, q, next);
+ memset(q, 0, sizeof(*q));
+ *(volatile char *)q = *(volatile char *)q;
g_free(q);
}
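Review bot: the `*(volatile char *)q = *(volatile char *)q;` after the memset only forces the first byte of q to be materialised in memory; it does not stop the compiler from treating the rest of the zeroing as a dead store ahead of g_free(), so it is not a dependable dead-store-elimination barrier. Prefer an explicit-zeroing primitive (explicit_bzero() where available) or a compiler memory barrier such as `__asm__ __volatile__("" : : "r"(q) : "memory")` placed after the memset, and drop the volatile self-assignment. The commit message also never says which code path still holds a pointer to q after ehci_free_queue() returns; zeroing the struct turns a stale dereference into a NULL-pointer crash rather than a use-after-free with attacker-influenced contents, which is a mitigation, so the dangling reference should be named and cleared (or the queue kept alive until it is) in the same change.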
--
2.27.0
https://gitee.com/ctyunsystem/qemu.git