From bc78f577fcfec5f02e620840b61a9c51df0a600b Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Wed, 18 Aug 2021 14:05:05 +0200
Subject: [PATCH 1/3] uas: add stream number sanity checks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-band access to the UASDevice->data3 and UASDevice->status3 fields. Add the missing checks.

Fixes: CVE-2021-3713
Signed-off-by: Gerd Hoffmann
Reported-by: Chen Zhe
Reported-by: Tan Jingguo
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
---
 uas-add-stream-number-sanity-checks.patch | 61 +++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 uas-add-stream-number-sanity-checks.patch

diff --git a/uas-add-stream-number-sanity-checks.patch b/uas-add-stream-number-sanity-checks.patch
new file mode 100644
index 00000000..ab607a8d
--- /dev/null
+++ b/uas-add-stream-number-sanity-checks.patch
@@ -0,0 +1,61 @@
+From 4e30c1168b65d31b5a66d82fd0b9a72d50064180 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann
+Reported-by: Chen Zhe
+Reported-by: Tan Jingguo
+Reviewed-by: Philippe Mathieu-Daudé
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index abd8070d0c..82bbc0d083 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -827,6 +827,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ }
+ break;
+ case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ QTAILQ_FOREACH(st, &uas->results, next) {
+ if (st->stream == p->stream) {
+@@ -854,6 +857,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ break;
+ case UAS_PIPE_ID_DATA_IN:
+ case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ req = usb_uas_find_request(uas, p->stream);
+ } else {
+@@ -889,6 +895,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ p->status = USB_RET_STALL;
+ break;
+ }
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+ }
+
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
+--
+2.27.0
+
--
Gitee

From c5eaa38f5e57ce873ad0f5609acd1ace0c8f18b1 Mon Sep 17 00:00:00 2001
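Review bot: The `err_stream:` label in the inner hunk `@@ -889,6 +895,11 @@` is placed directly after the closing `}` of the switch with no `return;` in between, so every normal path of usb_uas_handle_data falls through into it after its `break;`, logs "invalid stream" and stalls the packet. Adding a return between the switch and the label, `    }` / `    return;` / `err_stream:`, keeps the error path reachable only via the two `goto err_stream` sites. The comparison `p->stream > UAS_MAX_STREAMS` in the first two inner hunks is the right bound only if data3 and status3 are declared with UAS_MAX_STREAMS + 1 elements; those declarations are outside the hunk, so this should be confirmed against the header, since arrays of exactly UAS_MAX_STREAMS entries would need `>=`. usb_uas_handle_data begins outside the hunk, and because this file is a vendored copy of the upstream patch, the correction belongs in a follow-up patch file listed in qemu.spec rather than a local edit of this one.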
From: Chen Qun
Date: Thu, 16 Sep 2021 11:27:44 +0800
Subject: [PATCH 2/3] spec: Update patch and changelog with !198

fix CVE-2021-3713 #I49VTJ
!198 uas: add stream number sanity checks.

Signed-off-by: Chen Qun
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index 676116ce..85f86c7b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -300,6 +300,7 @@ Patch0287: target-i386-add-PSCHANGE_NO-bit-for-the-ARCH_CAPABIL.patch
 Patch0288: target-i386-Export-TAA_NO-bit-to-guests.patch
 Patch0289: usbredir-fix-free-call.patch
 Patch0290: hw-arm-virt-Init-PMU-for-hotplugged-vCPU.patch
+Patch0291: uas-add-stream-number-sanity-checks.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -697,6 +698,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Thu Sep 16 2021 Chen Qun
+- uas: add stream number sanity checks.
+
 * Tue Aug 31 2021 imxcc
 - hw/arm/virt: Init PMU for hotplugged vCPU
 
--
Gitee

From 3b17b7e842219f5019ffa1d0643cc210bea316f5 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Thu, 16 Sep 2021 11:27:53 +0800
Subject: [PATCH 3/3] spec: Update release version with !198

increase release verison by one

Signed-off-by: Chen Qun
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu.spec b/qemu.spec
index 85f86c7b..8fe72463 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 55
+Release: 56
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
--
Gitee