8360fa3a32
- Fix CVE-2021-3527 in usb/redir: usb-redir-avoid-dynamic-stack-allocation.patch - Fix issues found upstream: hw-block-nvme-consider-metadata-read-aio.patch sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch vfio-ccw-Permit-missing-IRQs.patch vhost-user-blk-Check-that-num-queues-is-.patch vhost-user-blk-Don-t-reconnect-during-in.patch vhost-user-blk-Fail-gracefully-on-too-la.patch vhost-user-blk-Get-more-feature-flags-fr.patch vhost-user-blk-Make-sure-to-set-Error-on.patch virtio-blk-Fix-rollback-path-in-virtio_b.patch virtio-Fail-if-iommu_platform-is-request.patch virtiofsd-Fix-side-effect-in-assert.patch monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch OBS-URL: https://build.opensuse.org/request/show/895224 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=650
54 lines
2.2 KiB
Diff
54 lines
2.2 KiB
Diff
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 May 2021 15:29:12 +0200
|
|
Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
|
|
References: CVE-2021-3527
|
|
|
|
Use autofree heap allocation instead.
|
|
|
|
Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
|
|
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
|
|
---
|
|
hw/usb/redirect.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
|
index 17f06f34179a257e3fd2b354164e..6a75b0dc4ab295a70b4c507c9821 100644
|
|
--- a/hw/usb/redirect.c
|
|
+++ b/hw/usb/redirect.c
|
|
@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
|
|
.endpoint = ep,
|
|
.length = p->iov.size
|
|
};
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
/* No id, we look at the ep when receiving a status back */
|
|
usb_packet_copy(p, buf, p->iov.size);
|
|
usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
|
|
@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
|
|
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
|
&bulk_packet, NULL, 0);
|
|
} else {
|
|
- uint8_t buf[size];
|
|
+ g_autofree uint8_t *buf = g_malloc(size);
|
|
usb_packet_copy(p, buf, size);
|
|
usbredir_log_data(dev, "bulk data out:", buf, size);
|
|
usbredirparser_send_bulk_packet(dev->parser, p->id,
|
|
@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
|
|
USBPacket *p, uint8_t ep)
|
|
{
|
|
struct usb_redir_interrupt_packet_header interrupt_packet;
|
|
- uint8_t buf[p->iov.size];
|
|
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
|
|
|
|
DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
|
|
p->iov.size, p->id);
|