rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity
qemu/usb-hid-avoid-dynamic-stack-allocation.patch
José Ricardo Ziviani c57c3c69e6 Accepting request 911318 from home:jziviani:branches:Virtualization 
- usb: unbounded stack allocation in usbredir
  (bsc#1186012, CVE-2021-3527)
  hw-usb-Do-not-build-USB-subsystem-if-not.patch
  hw-usb-host-stub-Remove-unused-header.patch
  usb-hid-avoid-dynamic-stack-allocation.patch
  usb-limit-combined-packets-to-1-MiB-CVE-.patch
  usb-mtp-avoid-dynamic-stack-allocation.patch
- usbredir: free call on invalid pointer in bufp_alloc
  (bsc#1189145, CVE-2021-3682)
  usbredir-fix-free-call.patch

OBS-URL: https://build.opensuse.org/request/show/911318
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=664
2021-08-10 20:38:06 +00:00

49 lines
1.6 KiB
Diff
Raw Blame History

From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 3 May 2021 15:29:11 +0200
Subject: usb/hid: avoid dynamic stack allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03
References: bsc#1186012, CVE-2021-3527
Use autofree heap allocation instead.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
---
hw/usb/dev-hid.c | 2 +-
hw/usb/dev-wacom.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
index fc39bab79f94b0a0d06c23fc650d..1c7ae97c3033442dba820db492bd 100644
--- a/hw/usb/dev-hid.c
+++ b/hw/usb/dev-hid.c
@@ -656,7 +656,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
{
USBHIDState *us = USB_HID(dev);
HIDState *hs = &us->hid;
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
int len = 0;
switch (p->pid) {
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
index b595048635090242b5e771a11436..ed687bc9f1eb1b20b7e8ab0db35a 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@@ -301,7 +301,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
{
USBWacomState *s = (USBWacomState *) dev;
- uint8_t buf[p->iov.size];
+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
int len = 0;
switch (p->pid) {
View Git Blame Copy Permalink