|
| 1 | +From 2a3b0261aaf57b4d3cf11bb070f6a2c28f49d61d Mon Sep 17 00:00:00 2001 |
| 2 | +From: Peter Maydell <peter.maydell@linaro.org> |
| 3 | +Date: Mon, 15 Sep 2025 14:29:10 +0100 |
| 4 | +Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint |
| 5 | + |
| 6 | +If the guest feeds invalid data to the UHCI controller, we |
| 7 | +can assert: |
| 8 | +qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. |
| 9 | + |
| 10 | +(see issue 2548 for the repro case). This happens because the guest |
| 11 | +attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not |
| 12 | +valid. The controller code doesn't catch this guest error, so |
| 13 | +instead we hit the assertion in the USB core code. |
| 14 | + |
| 15 | +Catch the case of SETUP to non-zero endpoint, and treat it as a fatal |
| 16 | +error in the TD, in the same way we do for an invalid PID value in |
| 17 | +the TD. |
| 18 | + |
| 19 | +This is the UHCI equivalent of the same bug in OHCI that we fixed in |
| 20 | +commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or |
| 21 | +OUT"). |
| 22 | + |
| 23 | +This bug has been tracked as CVE-2024-8354. |
| 24 | + |
| 25 | +Cc: qemu-stable@nongnu.org |
| 26 | +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548 |
| 27 | +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 28 | +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> |
| 29 | +(cherry picked from commit d0af3cd0274e265435170a583c72b9f0a4100dff) |
| 30 | +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> |
| 31 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 32 | +Upstream-reference: https://gitlab.com/qemu-project/qemu/-/commit/2ef88536a905a867260732541dd9a9661120e608.patch |
| 33 | +--- |
| 34 | + hw/usb/hcd-uhci.c | 10 ++++++++-- |
| 35 | + 1 file changed, 8 insertions(+), 2 deletions(-) |
| 36 | + |
| 37 | +diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c |
| 38 | +index d1b5657d7..423b35f86 100644 |
| 39 | +--- a/hw/usb/hcd-uhci.c |
| 40 | ++++ b/hw/usb/hcd-uhci.c |
| 41 | +@@ -724,6 +724,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, |
| 42 | + bool spd; |
| 43 | + bool queuing = (q != NULL); |
| 44 | + uint8_t pid = td->token & 0xff; |
| 45 | ++ uint8_t ep_id = (td->token >> 15) & 0xf; |
| 46 | + UHCIAsync *async; |
| 47 | + |
| 48 | + async = uhci_async_find_td(s, td_addr); |
| 49 | +@@ -767,9 +768,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, |
| 50 | + |
| 51 | + switch (pid) { |
| 52 | + case USB_TOKEN_OUT: |
| 53 | +- case USB_TOKEN_SETUP: |
| 54 | + case USB_TOKEN_IN: |
| 55 | + break; |
| 56 | ++ case USB_TOKEN_SETUP: |
| 57 | ++ /* SETUP is only valid to endpoint 0 */ |
| 58 | ++ if (ep_id == 0) { |
| 59 | ++ break; |
| 60 | ++ } |
| 61 | ++ /* fallthrough */ |
| 62 | + default: |
| 63 | + /* invalid pid : frame interrupted */ |
| 64 | + s->status |= UHCI_STS_HCPERR; |
| 65 | +@@ -816,7 +822,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, |
| 66 | + return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV, |
| 67 | + int_mask); |
| 68 | + } |
| 69 | +- ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf); |
| 70 | ++ ep = usb_ep_get(dev, pid, ep_id); |
| 71 | + q = uhci_queue_new(s, qh_addr, td, ep); |
| 72 | + } |
| 73 | + async = uhci_async_alloc(q, td_addr); |
| 74 | +-- |
| 75 | +2.45.4 |
| 76 | + |
0 commit comments