From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Wed, 18 Aug 2021 14:05:05 +0200 Subject: [PATCH] uas: add stream number sanity checks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-band access to the UASDevice->data3 and UASDevice->status3 fields. Add the missing checks. Fixes: CVE-2021-3713 Signed-off-by: Gerd Hoffmann Reported-by: Chen Zhe Reported-by: Tan Jingguo Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a CVE: CVE-2021-3713 Upstream-Status: Backport Signed-off-by: Chee Yang Lee --- hw/usb/dev-uas.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index 6d6d1073..0b8cd4dd 100644 --- a/hw/usb/dev-uas.c +++ b/hw/usb/dev-uas.c @@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) } break; case UAS_PIPE_ID_STATUS: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { QTAILQ_FOREACH(st, &uas->results, next) { if (st->stream == p->stream) { @@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) break; case UAS_PIPE_ID_DATA_IN: case UAS_PIPE_ID_DATA_OUT: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { req = usb_uas_find_request(uas, p->stream); } else { @@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) p->status = USB_RET_STALL; break; } + +err_stream: + error_report("%s: invalid stream %d", __func__, p->stream); + p->status = USB_RET_STALL; + return; } static void usb_uas_unrealize(USBDevice *dev, Error **errp)