xemu/hw/usb
Michael S. Tsirkin 9f8e9895c5 usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:03 +02:00
..
bus.c usb: sanity check setup_index+setup_len in post_load 2014-05-05 22:15:03 +02:00
ccid-card-emulated.c Add a 'name' parameter to qemu_thread_create 2014-03-09 21:09:38 +02:00
ccid-card-passthru.c devices: Associate devices to their logical category 2013-07-29 10:37:09 -05:00
ccid.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
combined-packet.c usb: Fix iovec memleak on combined-packet free 2013-09-19 11:28:40 +02:00
core.c usb: Add max_streams attribute to endpoint info 2013-11-26 09:21:17 +01:00
desc-msos.c usb: add CompatibleID support to msos 2014-04-22 12:40:57 +02:00
desc.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
desc.h usb: add CompatibleID support to msos 2014-04-22 12:40:57 +02:00
dev-audio.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-bluetooth.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-hid.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-hub.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-mtp.c usb: mtp filesharing 2014-04-23 10:28:14 +02:00
dev-network.c - xhci improvements and fixes. 2014-02-20 15:25:05 +00:00
dev-serial.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-smartcard-reader.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-storage.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-uas.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
dev-wacom.c usb: Remove magic constants from device bmAttributes 2014-02-18 15:39:12 +01:00
hcd-ehci-pci.c qdev:pci: refactor PCIDevice to use generic "hotpluggable" property 2014-02-10 10:26:56 +02:00
hcd-ehci-sysbus.c devices: Associate devices to their logical category 2013-07-29 10:37:09 -05:00
hcd-ehci.c Improvements for usb3 bulk stream (usb core, xhci). 2013-12-06 12:54:36 -08:00
hcd-ehci.h trace: Remove trace.h from hw/usb/hcd-ehci.h (less dependencies) 2013-12-02 21:02:00 +04:00
hcd-musb.c usb: Pass size to usb_bus_new() 2013-08-30 20:14:39 +02:00
hcd-ohci.c hw/usb/hcd-ohci.c: Avoid shifting left into sign bit 2014-03-27 19:22:49 +04:00
hcd-uhci.c uhci: invalidate queue on device address changes 2014-02-18 15:39:13 +01:00
hcd-xhci.c xhci: use DPRINTF() instead of fprintf(stderr, ...) 2014-02-18 15:39:13 +01:00
host-legacy.c qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
host-libusb.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
host-stub.c usb-host: remove usb_host_device_close 2013-02-19 12:30:05 +01:00
host.h usb-host: move legacy cmd line bits 2013-02-19 12:30:05 +01:00
libhw.c dma: eliminate DMAContext 2013-06-20 16:39:52 +02:00
Makefile.objs usb: mtp filesharing 2014-04-23 10:28:14 +02:00
quirks-ftdi-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks-pl2303-ids.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.c usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
quirks.h usbredir: Add support for buffered bulk input (v2) 2013-01-08 10:56:58 +01:00
redirect.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00