xenbits.xensource.com Git - qemu-xen.git/commit
usb: fix setup_len init (CVE-2020-14364) stable-4.13 staging-4.13 qemu-xen-4.13.3 qemu-xen-4.13.4 qemu-xen-4.13.5
author Gerd Hoffmann <kraxel@redhat.com>
Tue, 25 Aug 2020 05:36:36 +0000 (07:36 +0200)
committer Anthony PERARD <anthony.perard@citrix.com>
Fri, 6 Nov 2020 15:32:03 +0000 (15:32 +0000)
commit 7269466a5b0c0e89b36dc9a7db0554ae404aa230
tree 514bfb9a778099108cd12c6e189177b3bb825603
parent 730e2b1927e7d911bbd5350714054ddd5912f4ed
usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20200825053636.29648-1-kraxel@redhat.com
(cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
hw/usb/core.c
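
The pattern the commit message describes, as an added example that is not the QEMU patch or any code from this commit: a simplified C model in which a length parsed from an 8-byte SETUP packet is either written to device state before the bounds check or only after it. The struct, the function names, the 4096-byte bound and the sample packet are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model; names and sizes are hypothetical, not QEMU's. */
#define MODEL_BUF_SIZE 4096            /* assumed upper bound for a transfer */

struct dev_model {
    uint8_t  setup_buf[8];             /* SETUP packet, wLength in bytes 6..7 */
    uint32_t setup_len;                /* read later by the data-stage code */
};

/* Before: the field is written first and checked second, so a rejected
 * request still leaves the oversized length in device state. */
static int setup_store_then_check(struct dev_model *d)
{
    d->setup_len = (d->setup_buf[7] << 8) | d->setup_buf[6];
    if (d->setup_len > MODEL_BUF_SIZE) {
        return -1;                     /* rejected, but state is already dirty */
    }
    return 0;
}

/* After: compute into a local, verify it, and only then commit it. */
static int setup_check_then_store(struct dev_model *d)
{
    uint32_t len = ((uint32_t)d->setup_buf[7] << 8) | d->setup_buf[6];
    if (len > MODEL_BUF_SIZE) {
        return -1;                     /* rejected, state untouched */
    }
    d->setup_len = len;
    return 0;
}

/* Returns 1 when an oversized request is rejected AND the stored length
 * still satisfies the invariant later code depends on. */
int demo(int use_fix)
{
    /* Constructed sample packet: wLength = 0xFFFF, above the model bound. */
    struct dev_model d = { .setup_buf = {0, 0, 0, 0, 0, 0, 0xFF, 0xFF} };
    int rc = use_fix ? setup_check_then_store(&d) : setup_store_then_check(&d);
    return rc == -1 && d.setup_len <= MODEL_BUF_SIZE;
}

int main(void)
{
    printf("store-then-check keeps invariant: %d\n", demo(0));
    printf("check-then-store keeps invariant: %d\n", demo(1));
    return 0;
}
```

Both variants reject the request; only the second leaves `setup_len` within bounds for whatever code reads it next.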