]> git.ipfire.org Git - thirdparty/qemu.git/commit
projects / thirdparty / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c806bbe) | patch
hw/usb/canokey: Fix buffer overflow for OUT packet
authorHongren Zheng <i@zenithal.me>
Mon, 13 Jan 2025 09:38:56 +0000 (17:38 +0800)
committerMichael Tokarev <mjt@tls.msk.ru>
Wed, 29 Jan 2025 19:29:03 +0000 (22:29 +0300)
commite82fbf01b61fef16fe0bd354198aeb42f920a4ba
tree047c2492250d4acd312cfa09b27aebc4a6da1e0dtree
parentc806bbe8c161d0524648fc6fe024ceefbb833071commit | diff
hw/usb/canokey: Fix buffer overflow for OUT packet

When USBPacket in OUT direction has larger payload
than the ep_out_buffer (of size 512), a buffer overflow
would occur.

It could be fixed by limiting the size of usb_packet_copy
to be at most buffer size. Further optimization gets rid
of the ep_out_buffer and directly uses ep_out as the target
buffer.

This is reported by a security researcher who artificially
constructed an OUT packet of size 2047. The report has gone
through the QEMU security process, and as this device is for
testing purpose and no deployment of it in virtualization
environment is observed, it is triaged not to be a security bug.

Cc: qemu-stable@nongnu.org
Fixes: d7d34918551dc48 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <thatjiaozi@gmail.com>
Signed-off-by: Hongren Zheng <i@zenithal.me>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 664280abddcb3cacc9c6204706bb739fcc1316f7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
hw/usb/canokey.c diff | blob | blame | history
hw/usb/canokey.h diff | blob | blame | history
Mirror of https://git.qemu.org/git/qemu.git