From bc78f577fcfec5f02e620840b61a9c51df0a600b Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Wed, 18 Aug 2021 14:05:05 +0200
Subject: [PATCH 1/3] uas: add stream number sanity checks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The device uses the guest-supplied stream number unchecked, which can
lead to guest-triggered out-of-band access to the UASDevice->data3 and
UASDevice->status3 fields.  Add the missing checks.

Fixes: CVE-2021-3713
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reported-by: Chen Zhe <chenzhe@huawei.com>
Reported-by: Tan Jingguo <tanjingguo@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
---
 uas-add-stream-number-sanity-checks.patch | 61 +++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 uas-add-stream-number-sanity-checks.patch

diff --git a/uas-add-stream-number-sanity-checks.patch b/uas-add-stream-number-sanity-checks.patch
new file mode 100644
index 00000000..ab607a8d
--- /dev/null
+++ b/uas-add-stream-number-sanity-checks.patch
@@ -0,0 +1,61 @@
+From 4e30c1168b65d31b5a66d82fd0b9a72d50064180 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields.  Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index abd8070d0c..82bbc0d083 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -827,6 +827,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -854,6 +857,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -889,6 +895,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+         p->status = USB_RET_STALL;
+         break;
+     }
++
++err_stream:
++    error_report("%s: invalid stream %d", __func__, p->stream);
++    p->status = USB_RET_STALL;
++    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
+-- 
+2.27.0
+
-- 
Gitee


From c5eaa38f5e57ce873ad0f5609acd1ace0c8f18b1 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Thu, 16 Sep 2021 11:27:44 +0800
Subject: [PATCH 2/3] spec: Update patch and changelog with !198 fix
 CVE-2021-3713 #I49VTJ  !198

uas: add stream number sanity checks.

Signed-off-by: Chen Qun<kuhn.chenqun@huawei.com>
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index 676116ce..85f86c7b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -300,6 +300,7 @@ Patch0287: target-i386-add-PSCHANGE_NO-bit-for-the-ARCH_CAPABIL.patch
 Patch0288: target-i386-Export-TAA_NO-bit-to-guests.patch
 Patch0289: usbredir-fix-free-call.patch
 Patch0290: hw-arm-virt-Init-PMU-for-hotplugged-vCPU.patch
+Patch0291: uas-add-stream-number-sanity-checks.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -697,6 +698,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Thu Sep 16 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- uas: add stream number sanity checks.
+
 * Tue Aug 31 2021 imxcc <xingchaochao@huawei.com>
 - hw/arm/virt: Init PMU for hotplugged vCPU
 
-- 
Gitee


From 3b17b7e842219f5019ffa1d0643cc210bea316f5 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Thu, 16 Sep 2021 11:27:53 +0800
Subject: [PATCH 3/3] spec: Update release version with !198

increase release verison by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu.spec b/qemu.spec
index 85f86c7b..8fe72463 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 55
+Release: 56
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
-- 
Gitee