File 0407-usb-hid-avoid-dynamic-stack-allocat.patch of Package qemu.29142
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 3 May 2021 15:29:11 +0200
Subject: usb/hid: avoid dynamic stack allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03
References: bsc#1186012, CVE-2021-3527
Use autofree heap allocation instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
hw/usb/dev-hid.c | 5 ++++-
hw/usb/dev-wacom.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
index 24d05f76f90c559122198e4a4907..0fb822957b980c44b7f0162ca795 100644
--- a/hw/usb/dev-hid.c
+++ b/hw/usb/dev-hid.c
@@ -658,7 +658,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
{
USBHIDState *us = USB_HID(dev);
HIDState *hs = &us->hid;
- uint8_t buf[p->iov.size];
+ uint8_t *buf = g_malloc(p->iov.size);
int len = 0;
switch (p->pid) {
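Review bot: The new `g_malloc(p->iov.size)` takes its length straight from the packet and nothing in this hunk bounds it; the same line is added to usb_wacom_handle_data in hw/usb/dev-wacom.c. Moving the buffer off the stack removes the stack-exhaustion risk of the old variable-length array, but g_malloc() terminates the process when the request cannot be satisfied, so an oversized request (presumably guest-influenced) could still stop the emulator unless the size is capped before this handler runs. If such a cap exists elsewhere, a comment would make it visible, e.g. `/* p->iov.size comes from the guest; upper bound is enforced before this handler */`. Otherwise consider `g_try_malloc()` with `p->status = USB_RET_STALL;` on failure, keeping in mind that a zero-length request also returns NULL. The body of usb_hid_handle_data continues outside the hunk.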
@@ -669,6 +669,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
}
if (!hid_has_events(hs)) {
p->status = USB_RET_NAK;
+ g_free(buf);
return;
}
hid_set_next_idle(hs);
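Review bot: The commit description says "autofree", but `buf` is released by hand on every exit: the `g_free(buf);` before this early `return`, the one at the end of usb_hid_handle_data, and the matching pair in usb_wacom_handle_data. With manual frees, any exit path added later leaks the buffer, as would any `return` in the part of the function not shown between the hunks. Declaring it as `g_autofree uint8_t *buf = g_malloc(p->iov.size);` would make all four `g_free(buf);` lines unnecessary and match the description, provided the GLib version this package builds against offers g_autofree.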
@@ -688,6 +689,8 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
p->status = USB_RET_STALL;
break;
}
+
+ g_free(buf);
}
static void usb_hid_handle_destroy(USBDevice *dev)
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
index c4702dbba098abcec3798f3731c2..64ebe864bc95eae22d4a7d903a1c 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@@ -304,7 +304,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
{
USBWacomState *s = (USBWacomState *) dev;
- uint8_t buf[p->iov.size];
+ uint8_t *buf = g_malloc(p->iov.size);
int len = 0;
switch (p->pid) {
@@ -312,6 +312,7 @@ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
if (p->ep->nr == 1) {
if (!(s->changed || s->idle)) {
p->status = USB_RET_NAK;
+ g_free(buf);
return;
}
s->changed = 0;
@@ -327,6 +328,8 @@ static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
default:
p->status = USB_RET_STALL;
}
+
+ g_free(buf);
}
static void usb_wacom_handle_destroy(USBDevice *dev)