[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527)
From: |
Michael Roth |
Subject: |
[PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527) |
Date: |
Tue, 19 Oct 2021 09:09:34 -0500 |
From: Gerd Hoffmann <kraxel@redhat.com>
usb-host and usb-redirect try to batch bulk transfers by combining many
small usb packets into a single, large transfer request, to reduce the
overhead and improve performance.
This patch adds a size limit of 1 MiB for those combined packets to
restrict the host resources the guest can bind that way.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
(cherry picked from commit 05a40b172e4d691371534828078be47e7fff524c)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/usb/combined-packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
index 5d57e883dc..e56802f89a 100644
--- a/hw/usb/combined-packet.c
+++ b/hw/usb/combined-packet.c
@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
next == NULL ||
/* Work around for Linux usbfs bulk splitting + migration */
- (totalsize == (16 * KiB - 36) && p->int_req)) {
+ (totalsize == (16 * KiB - 36) && p->int_req) ||
+ /* Next package may grow combined package over 1MiB */
+ totalsize > 1 * MiB - ep->max_packet_size) {
usb_device_handle_data(ep->dev, first);
assert(first->status == USB_RET_ASYNC);
if (first->combined) {
--
2.25.1
- [PATCH 45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30, (continued)
- [PATCH 45/64] hw/sd/sdcard: Fix assertion accessing out-of-range addresses with CMD30, Michael Roth, 2021/10/19
- [PATCH 46/64] audio: Never send migration section, Michael Roth, 2021/10/19
- [PATCH 47/64] target/arm: Don't skip M-profile reset entirely in user mode, Michael Roth, 2021/10/19
- [PATCH 48/64] virtio-net: fix use after unmap/free for sg, Michael Roth, 2021/10/19
- [PATCH 49/64] qemu-nbd: Change default cache mode to writeback, Michael Roth, 2021/10/19
- [PATCH 50/64] hmp: Unbreak "change vnc", Michael Roth, 2021/10/19
- [PATCH 04/64] monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB, Michael Roth, 2021/10/19
- [PATCH 51/64] virtio-mem-pci: Fix memory leak when creating MEMORY_DEVICE_SIZE_CHANGE event, Michael Roth, 2021/10/19
- [PATCH 52/64] uas: add stream number sanity checks., Michael Roth, 2021/10/19
- [PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527),
Michael Roth <=
- [PATCH 55/64] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545), Michael Roth, 2021/10/19
- [PATCH 56/64] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 57/64] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 58/64] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 59/64] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 60/64] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 05/64] migration/rdma: Fix cm_event used before being initialized, Michael Roth, 2021/10/19
- [PATCH 61/64] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546), Michael Roth, 2021/10/19
- [PATCH 62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582), Michael Roth, 2021/10/19
- [PATCH 63/64] pvrdma: Ensure correct input on ring init (CVE-2021-3607), Michael Roth, 2021/10/19