From patchwork Tue Jan 28 20:13:14 2025
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 860441
From: Peter Maydell
To: qemu-devel@nongnu.org
Subject: [PULL 36/36] hw/usb/canokey: Fix buffer overflow for OUT packet
Date: Tue, 28 Jan 2025 20:13:14 +0000
Message-Id: <20250128201314.44038-37-peter.maydell@linaro.org>
In-Reply-To: <20250128201314.44038-1-peter.maydell@linaro.org>
References: <20250128201314.44038-1-peter.maydell@linaro.org>
From: Hongren Zheng

When a USBPacket in the OUT direction has a larger payload than the ep_out_buffer (of size 512), a buffer overflow would occur. It could be fixed by limiting the size of usb_packet_copy to be at most the buffer size. Further optimization gets rid of the ep_out_buffer and directly uses ep_out as the target buffer.

This was reported by a security researcher who artificially constructed an OUT packet of size 2047. The report has gone through the QEMU security process, and as this device is for testing purposes and no deployment of it in virtualization environments has been observed, it is triaged not to be a security bug.

Cc: qemu-stable@nongnu.org
Fixes: d7d34918551dc48 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez
Signed-off-by: Hongren Zheng
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
---
 hw/usb/canokey.h | 4 ----
 hw/usb/canokey.c | 6 +++---
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/hw/usb/canokey.h b/hw/usb/canokey.h index e528889d332..1b60d734850 100644 --- a/hw/usb/canokey.h +++ b/hw/usb/canokey.h @@ -24,8 +24,6 @@ #define CANOKEY_EP_NUM 3 /* BULK/INTR IN can be up to 1352 bytes, e.g. get key info */ #define CANOKEY_EP_IN_BUFFER_SIZE 2048 -/* BULK OUT can be up to 270 bytes, e.g. PIV import cert */ -#define CANOKEY_EP_OUT_BUFFER_SIZE 512 typedef enum { CANOKEY_EP_IN_WAIT, @@ -59,8 +57,6 @@ typedef struct CanoKeyState { /* OUT pointer to canokey recv buffer */ uint8_t *ep_out[CANOKEY_EP_NUM]; uint32_t ep_out_size[CANOKEY_EP_NUM]; - /* For large BULK OUT, multiple write to ep_out is needed */ - uint8_t ep_out_buffer[CANOKEY_EP_NUM][CANOKEY_EP_OUT_BUFFER_SIZE]; /* Properties */ char *file; /* canokey-file */ diff --git a/hw/usb/canokey.c b/hw/usb/canokey.c index fae212f0530..e2d66179e0b 100644 --- a/hw/usb/canokey.c +++ b/hw/usb/canokey.c 
@@ -197,8 +197,8 @@ static void canokey_handle_data(USBDevice *dev, USBPacket *p) switch (p->pid) { case USB_TOKEN_OUT: trace_canokey_handle_data_out(ep_out, p->iov.size); - usb_packet_copy(p, key->ep_out_buffer[ep_out], p->iov.size); out_pos = 0; + /* segment packet into (possibly multiple) ep_out */ while (out_pos != p->iov.size) { /* * key->ep_out[ep_out] set by prepare_receive @@ -207,8 +207,8 @@ static void canokey_handle_data(USBDevice *dev, USBPacket *p) * to be the buffer length */ out_len = MIN(p->iov.size - out_pos, key->ep_out_size[ep_out]); - memcpy(key->ep_out[ep_out], - key->ep_out_buffer[ep_out] + out_pos, out_len); + /* usb_packet_copy would update the pos offset internally */ + usb_packet_copy(p, key->ep_out[ep_out], out_len); out_pos += out_len; /* update ep_out_size to actual len */ key->ep_out_size[ep_out] = out_len;
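Review bot: dropping "/* BULK OUT can be up to 270 bytes, e.g. PIV import cert */" together with CANOKEY_EP_OUT_BUFFER_SIZE in the first canokey.h hunk removes the only statement in the header of how large OUT transfers are expected to be. Since the bound now comes from key->ep_out_size[], which prepare_receive fills per endpoint, consider moving that remark next to the ep_out_size declaration in CanoKeyState so it survives the removal of the buffer.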
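Review bot: the removed usb_packet_copy(p, key->ep_out_buffer[ep_out], p->iov.size) in the first canokey.c hunk is the overflow itself: p->iov.size is the guest-chosen OUT transfer length and was never compared with the 512-byte ep_out_buffer, so the 2047-byte packet from the report wrote 1535 bytes past it. The new comment would be more useful if it said why the loop below is now safe, e.g. "/* segment packet into (possibly multiple) ep_out; each copy is bounded by ep_out_size */".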
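Review bot: the comment "/* usb_packet_copy would update the pos offset internally */" in the second canokey.c hunk is misleading: usb_packet_copy keeps its own read offset in p->actual_length (and asserts it never passes p->iov.size); it does not touch out_pos, which remains the loop's own counter. Suggest "/* usb_packet_copy reads from p->actual_length and advances it */". Separately, out_pos only advances when out_len is non-zero, so if key->ep_out_size[ep_out] is 0 when the loop comes round again (endpoint not re-armed by prepare_receive) the while loop never exits; that is not new in this patch, but an assert(out_len > 0) or a break would make the assumption explicit.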
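The bug and the fix modelled as an added C example (not QEMU's or CanoKey's code): a mock of usb_packet_copy with the same bounded, offset-advancing contract, the pre-patch single copy into a 512-byte buffer reduced to an overflow predicate, and the patched segmenting loop. The names mock_packet, mock_packet_copy, old_copy_overflows, deliver_out and segments_for, and the zero-filled sample payload, are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define OLD_EP_OUT_BUFFER_SIZE 512  /* the fixed buffer the patch removes */

/* Stand-in for USBPacket: data/iov_size model p->iov, actual_length the copy offset. */
typedef struct {
    const uint8_t *data;
    size_t iov_size;       /* guest-controlled OUT transfer length */
    size_t actual_length;  /* advanced by each copy, as usb_packet_copy does */
} mock_packet;

/* Same contract as usb_packet_copy: never reads past iov_size, advances the offset. */
static void mock_packet_copy(mock_packet *p, uint8_t *dst, size_t bytes)
{
    assert(p->actual_length + bytes <= p->iov_size);
    memcpy(dst, p->data + p->actual_length, bytes);
    p->actual_length += bytes;
}

/* Pre-patch path: one copy of iov_size bytes into the 512-byte buffer; 1 if it overflows. */
static int old_copy_overflows(size_t packet_size)
{
    return packet_size > OLD_EP_OUT_BUFFER_SIZE;
}
/* Patched path: copy in pieces of at most ep_out_size bytes; returns the segment count. */
static int deliver_out(mock_packet *p, uint8_t *ep_out, size_t ep_out_size)
{
    size_t out_pos = 0;
    int segments = 0;
    while (out_pos != p->iov_size) {
        size_t out_len = p->iov_size - out_pos;   /* MIN(remaining, ep_out_size) */
        if (out_len > ep_out_size) out_len = ep_out_size;
        assert(out_len > 0);  /* an ep_out_size of 0 would otherwise spin forever */
        mock_packet_copy(p, ep_out, out_len);
        out_pos += out_len;
        segments++;
    }
    return segments;
}

/* Drive deliver_out on a constructed (zero-filled) packet of packet_size bytes. */
static int segments_for(size_t packet_size, size_t ep_out_size)
{
    static uint8_t payload[4096], ep_out[4096];  /* constructed sample buffers */
    mock_packet p = { payload, packet_size, 0 };
    return deliver_out(&p, ep_out, ep_out_size);
}
```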