File CVE-2020-14364-xsa335-qemut.patch of Package xen.22546

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2020-14364-xsa335-qemut.patch of Package xen.22546

From c5bd2924c6d6a5bcbffb8b5e7798a88970131c07 Mon Sep 17 00:00:00 2001
Date: Mon, 17 Aug 2020 08:34:22 +0200
Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)

Store calculated setup_len in a local variable, verify it, and only
write it to the struct (USBDevice->setup_len) in case it passed the
sanity checks.

This prevents other code (do_token_{in,out} functions specifically)
from working with invalid USBDevice->setup_len values and overrunning
the USBDevice->setup_buf[] buffer.

Fixes: CVE-2020-14364

Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/hw/usb.c
===================================================================
--- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb.c
+++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/hw/usb.c
@@ -45,15 +45,24 @@ void usb_attach(USBPort *port, USBDevice
 static int do_token_setup(USBDevice *s, USBPacket *p)
 {
     int request, value, index;
+    unsigned int setup_len;
     int ret = 0;
 
     if (p->len != 8)
         return USB_RET_STALL;
  
     memcpy(s->setup_buf, p->data, 8);
-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
     s->setup_index = 0;
 
+    if (setup_len > sizeof(s->data_buf)) {
+        fprintf(stderr,
+            "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+            setup_len, sizeof(s->data_buf));
+        return USB_RET_STALL;
+    }
+    s->setup_len = setup_len;
+
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];

Places

File CVE-2020-14364-xsa335-qemut.patch of Package xen.22546

Places