head 1.2; access; symbols pkgsrc-2020Q3:1.1.0.2 pkgsrc-2020Q3-base:1.1; locks; strict; comment @# @; 1.2 date 2020.11.06.21.45.50; author bouyer; state dead; branches; next 1.1; commitid WDPVMlrHGXeceSuC; 1.1 date 2020.08.27.08.22.33; author bouyer; state Exp; branches; next ; commitid 6EkLpnMUbS7p4GlC; desc @@ 1.2 log @Update xenkernel413 and xentools413 to 4.13.2. This includes fixes for XSA up to XSA347, and an improved fix for XSA 286. @ text @$NetBSD: patch-XSA335,v 1.1 2020/08/27 08:22:33 bouyer Exp $ From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 17 Aug 2020 08:34:22 +0200 Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) Store calculated setup_len in a local variable, verify it, and only write it to the struct (USBDevice->setup_len) in case it passed the sanity checks. This prevents other code (do_token_{in,out} functions specifically) from working with invalid USBDevice->setup_len values and overrunning the USBDevice->setup_buf[] buffer. Fixes: CVE-2020-14364 Signed-off-by: Gerd Hoffmann --- hw/usb/core.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) 
diff --git a/hw/usb/core.c b/hw/usb/core.c
index 5abd128b6bc5..5234dcc73fea 100644
--- tools/qemu-xen/hw/usb/core.c.orig
+++ tools/qemu-xen/hw/usb/core.c
@@@@ -129,6 +129,7 @@@@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
 static void do_token_setup(USBDevice *s, USBPacket *p)
 {
 int request, value, index;
+ unsigned int setup_len;

 if (p->iov.size != 8) {
 p->status = USB_RET_STALL;
@@@@ -138,14 +139,15 @@@@ static void do_token_setup(USBDevice *s, USBPacket *p)
 usb_packet_copy(p, s->setup_buf, p->iov.size);
 s->setup_index = 0;
 p->actual_length = 0;
- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
- if (s->setup_len > sizeof(s->data_buf)) {
+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ if (setup_len > sizeof(s->data_buf)) {
 fprintf(stderr,
 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
- s->setup_len, sizeof(s->data_buf));
+ setup_len, sizeof(s->data_buf));
 p->status = USB_RET_STALL;
 return;
 }
+ s->setup_len = setup_len;

 request = (s->setup_buf[0] << 8) | s->setup_buf[1];
 value = (s->setup_buf[3] << 8) | s->setup_buf[2];
@@@@ -259,26 +261,28 @@@@ static void do_token_out(USBDevice *s, USBPacket *p)
 static void do_parameter(USBDevice *s, USBPacket *p)
 {
 int i, request, value, index;
+ unsigned int setup_len;

 for (i = 0; i < 8; i++) {
 s->setup_buf[i] = p->parameter >> (i*8);
 }

 s->setup_state = SETUP_STATE_PARAM;
- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
 s->setup_index = 0;

 request = (s->setup_buf[0] << 8) | s->setup_buf[1];
 value = (s->setup_buf[3] << 8) | s->setup_buf[2];
 index = (s->setup_buf[5] << 8) | s->setup_buf[4];

- if (s->setup_len > sizeof(s->data_buf)) {
+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ if (setup_len > sizeof(s->data_buf)) {
 fprintf(stderr,
 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
- s->setup_len, sizeof(s->data_buf));
+ setup_len, sizeof(s->data_buf));
 p->status = USB_RET_STALL;
 return;
 }
+ s->setup_len = setup_len;

 if (p->pid == USB_TOKEN_OUT)
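Review bot: The local `setup_len` introduced in this hunk is `unsigned int`, yet the stderr message a few lines below still formats it with `%d` (`"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", setup_len, sizeof(s->data_buf));`), so the conversion specifier and the argument type no longer agree and `-Wformat` will report it; the do_parameter hunk below has the identical pairing. Changing the specifier in both messages to `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n",` keeps the format honest. The reason the store `s->setup_len = setup_len;` is deferred until after the size check lives only in the commit message; a comment such as `/* Only publish the length once it is known to fit data_buf; do_token_in/out consume s->setup_len. */` would keep that rationale next to the code. do_token_setup's body continues outside the hunk.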
{
 usb_packet_copy(p, s->data_buf, s->setup_len);
-- 2.18.4
@ 1.1 log @Always use system-supplied IOCTL definitions, remove xen-provided include files. Build seabios and ipxe, they're needed by qemu-xen (ipxe not strictly needed but it's convenient to have) Switch default device model from qemu-xen-traditional to qemu-xen (the former being unmaintained) Add upstream patch for XSA335 security issue. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: $ @
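Review bot: In do_parameter, `s->setup_state = SETUP_STATE_PARAM;` and `s->setup_index = 0;` are still written before the new size check, so a parameter packet that stalls on `setup_len > sizeof(s->data_buf)` leaves the device in PARAM state while `s->setup_len` keeps whatever value the previous transfer validated. Whether any later path acts on that combination is not visible in this hunk, but moving those two assignments to sit after the new `s->setup_len = setup_len;` would make the stall path leave the device state untouched, which is the property the commit is after; `s->setup_index = 0;` precedes the check in do_token_setup as well. do_parameter's body continues outside the hunk, and the page shows its `if (p->pid == USB_TOKEN_OUT) {` line broken across two lines.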