debian/patches/extra/0003-usb-fix-setup_len-init-CVE-2020-14364.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Gerd Hoffmann <kraxel@redhat.com>
   3 Date: Tue, 25 Aug 2020 07:36:36 +0200
   4 Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
   5
   6 Store calculated setup_len in a local variable, verify it, and only
   7 write it to the struct (USBDevice->setup_len) in case it passed the
   8 sanity checks.
   9
  10 This prevents other code (do_token_{in,out} functions specifically)
  11 from working with invalid USBDevice->setup_len values and overrunning
  12 the USBDevice->setup_buf[] buffer.
  13
  14 Fixes: CVE-2020-14364
  15 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  16 Tested-by: Gonglei <arei.gonglei@huawei.com>
  17 Reviewed-by: Li Qiang <liq3ea@gmail.com>
  18 Message-id: 20200825053636.29648-1-kraxel@redhat.com
  19 (cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
  20 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  21 ---
  22  hw/usb/core.c | 16 ++++++++++------
  23  1 file changed, 10 insertions(+), 6 deletions(-)
  24
  25 diff --git a/hw/usb/core.c b/hw/usb/core.c
  26 index 5abd128b6b..5234dcc73f 100644
  27 --- a/hw/usb/core.c
  28 +++ b/hw/usb/core.c
  29 @@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
  30  static void do_token_setup(USBDevice *s, USBPacket *p)
  31  {
  32      int request, value, index;
  33 +    unsigned int setup_len;
  34
  35      if (p->iov.size != 8) {
  36          p->status = USB_RET_STALL;
  37 @@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
  38      usb_packet_copy(p, s->setup_buf, p->iov.size);
  39      s->setup_index = 0;
  40      p->actual_length = 0;
  41 -    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
  42 -    if (s->setup_len > sizeof(s->data_buf)) {
  43 +    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
  44 +    if (setup_len > sizeof(s->data_buf)) {
  45          fprintf(stderr,
  46                  "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
  47 -                s->setup_len, sizeof(s->data_buf));
  48 +                setup_len, sizeof(s->data_buf));
  49          p->status = USB_RET_STALL;
  50          return;
  51      }
  52 +    s->setup_len = setup_len;
  53
  54      request = (s->setup_buf[0] << 8) | s->setup_buf[1];
  55      value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
  56 @@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
  57  static void do_parameter(USBDevice *s, USBPacket *p)
  58  {
  59      int i, request, value, index;
  60 +    unsigned int setup_len;
  61
  62      for (i = 0; i < 8; i++) {
  63          s->setup_buf[i] = p->parameter >> (i*8);
  64      }
  65
  66      s->setup_state = SETUP_STATE_PARAM;
  67 -    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
  68      s->setup_index = 0;
  69
  70      request = (s->setup_buf[0] << 8) | s->setup_buf[1];
  71      value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
  72      index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
  73
  74 -    if (s->setup_len > sizeof(s->data_buf)) {
  75 +    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
  76 +    if (setup_len > sizeof(s->data_buf)) {
  77          fprintf(stderr,
  78                  "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
  79 -                s->setup_len, sizeof(s->data_buf));
  80 +                setup_len, sizeof(s->data_buf));
  81          p->status = USB_RET_STALL;
  82          return;
  83      }
  84 +    s->setup_len = setup_len;
  85
  86      if (p->pid == USB_TOKEN_OUT) {
  87          usb_packet_copy(p, s->data_buf, s->setup_len);