[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
From: |
Michael Roth |
Subject: |
[PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527) |
Date: |
Tue, 19 Oct 2021 09:09:33 -0500 |
From: Gerd Hoffmann <kraxel@redhat.com>
Use autofree heap allocation instead.
Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
(cherry picked from commit 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/usb/redirect.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 17f06f3417..6a75b0dc4a 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev,
USBPacket *p,
.endpoint = ep,
.length = p->iov.size
};
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
/* No id, we look at the ep when receiving a status back */
usb_packet_copy(p, buf, p->iov.size);
usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev,
USBPacket *p,
usbredirparser_send_bulk_packet(dev->parser, p->id,
&bulk_packet, NULL, 0);
} else {
- uint8_t buf[size];
+ g_autofree uint8_t *buf = g_malloc(size);
usb_packet_copy(p, buf, size);
usbredir_log_data(dev, "bulk data out:", buf, size);
usbredirparser_send_bulk_packet(dev->parser, p->id,
@@ -923,7 +923,7 @@ static void
usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
USBPacket *p, uint8_t ep)
{
struct usb_redir_interrupt_packet_header interrupt_packet;
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
p->iov.size, p->id);
--
2.25.1
- [PATCH 44/64] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT, (continued)
- [PATCH 44/64] hw/sd/sdcard: Document out-of-range addresses for SEND_WRITE_PROT, Michael Roth, 2021/10/19
- [PATCH 45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30, Michael Roth, 2021/10/19
- [PATCH 46/64] audio: Never send migration section, Michael Roth, 2021/10/19
- [PATCH 47/64] target/arm: Don't skip M-profile reset entirely in user mode, Michael Roth, 2021/10/19
- [PATCH 48/64] virtio-net: fix use after unmap/free for sg, Michael Roth, 2021/10/19
- [PATCH 49/64] qemu-nbd: Change default cache mode to writeback, Michael Roth, 2021/10/19
- [PATCH 50/64] hmp: Unbreak "change vnc", Michael Roth, 2021/10/19
- [PATCH 04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB, Michael Roth, 2021/10/19
- [PATCH 51/64] virtio-mem-pci: Fix memory leak when creating MEMORY_DEVICE_SIZE_CHANGE event, Michael Roth, 2021/10/19
- [PATCH 52/64] uas: add stream number sanity checks., Michael Roth, 2021/10/19
- [PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527),
Michael Roth <=
- [PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 55/64] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545), Michael Roth, 2021/10/19
- [PATCH 56/64] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 57/64] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 58/64] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 59/64] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 60/64] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 05/64] migration/rdma: Fix cm_event used before being initialized, Michael Roth, 2021/10/19
- [PATCH 61/64] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546), Michael Roth, 2021/10/19
- [PATCH 62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582), Michael Roth, 2021/10/19