From 0a067ff27f2a088b880abdc3697c03661f1e4fe2 Mon Sep 17 00:00:00 2001 From: Jiajie Li Date: Wed, 19 Aug 2020 17:17:48 +0800 Subject: [PATCH 1/3] hw/usb: Fix buffer overflow in do_token_setup Store calculated setup_len in a local variable, verify it, and only write it to the struct (USBDevice->setup_len) in case it passed the sanity checks. This prevent other code (do_token_{in,out} functions specifically) from working with invalid USBDevice->setup_len values and overruning the USBDevice->setup_buf[] buffer. Fixes: CVE-2020-14364 Signed-off-by: Gerd Hoffmann --- hw-usb-core-fix-buffer-overflow.patch | 46 +++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 hw-usb-core-fix-buffer-overflow.patch diff --git a/hw-usb-core-fix-buffer-overflow.patch b/hw-usb-core-fix-buffer-overflow.patch new file mode 100644 index 0000000..4949557 --- /dev/null +++ b/hw-usb-core-fix-buffer-overflow.patch @@ -0,0 +1,46 @@ +hw-usb-core-fix-buffer-overflow + +From 18ad0451f113ffc3a2ff59c059d189cca1e42842 Mon Sep 17 00:00:00 2001 +From: root +Date: Wed, 19 Aug 2020 17:04:04 +0800 +Subject: [PATCH] hw/usb/core.c fix buffer overflow + +Store calculated setup_len in a local variable, verify it, + and only write it to the struct (USBDevice->setup_len) in case it passed the + sanity checks. + +This prevents other code (do_token_{in,out} function specifically) +from working with invalid USBDevice->setup_len values and overruning +the USBDevice->setup_buf[] buffer. +Store +Fixes: CVE-2020-14364 +Signed-off-by: Gred Hoffman +--- + hw/usb/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 5abd128b..12342f13 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -144,6 +144,8 @@ static void do_token_setup(USBDevice *s, USBPacket *p) + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; ++ s->setup_len = 0; ++ s->setup_state = SETUP_STATE_ACK; + return; + } + +@@ -277,6 +279,8 @@ static void do_parameter(USBDevice *s, USBPacket *p) + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", + s->setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; ++ s->setup_len = 0; ++ s->setup_state = SETUP_STATE_ACK; + return; + } + +-- +2.23.0 + -- Gitee From b9478104d18f5afd9f7d5acade6172ee8950bb4f Mon Sep 17 00:00:00 2001 From: lijiajie Date: Fri, 21 Aug 2020 10:46:04 +0800 Subject: [PATCH 2/3] update qemu.spec with hw-usb-core-fixe-buffer-overflow.patch --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 2293b2d..f89933a 100644 --- a/qemu.spec +++ b/qemu.spec @@ -204,6 +204,7 @@ Patch0191: test-tpm-pass-optional-machine-options-to-swtpm-test.patch Patch0192: test-tpm-tis-Get-prepared-to-share-tests-between-ISA.patch Patch0193: test-tpm-tis-Add-Sysbus-TPM-TIS-device-test.patch Patch0194: build-smt-processor-structure-to-support-smt-topolog.patch +Patch0195: hw-usb-core-fix-buffer-overflow.patch BuildRequires: flex BuildRequires: bison @@ -550,6 +551,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Aug 21 2020 Huawei Technologies Co., Ltd +- hw/usb/core.c: fix buffer overflow in do_token_setup function + * Tue Aug 18 2020 Huawei Technologies Co., Ltd - hw/acpi/aml-build.c: build smt processor structure to support smt topology -- Gitee From 6665dac3a55ef2d7bb9014155ddc8f0d06b34b4b Mon Sep 17 00:00:00 2001 From: lijiajie Date: Mon, 24 Aug 2020 16:34:15 +0800 Subject: [PATCH 3/3] update qemu.spec with Release num Increace one --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index f89933a..b651363 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 19 +Release: 20 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee