packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch

40 lines
1.4 KiB
Diff
Raw Normal View History

QEMU update to version 6.2.0-90 - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - target/i386: Change wrong XFRM value in SGX CPUID leaf - target/i386: Enable support for XSAVES based features - target/i386: Add kvm_get_one_msr helper - hw/block/hd-geometry: Do not override specified bios-chs-trans mainline inclusion commit fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix - linux-user/riscv: Align signal frame to 16 bytes mainline inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix - ipmi:smbus: Add a check around a memcpy mainline inclusion commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix - tests/tcg/linux-test: Fix random hangs in test_socket mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category: bugfix - qemu-options.hx: Don't claim "-serial" has limit of 4 serial ports Before v2.12, the implementation of serial ports was limited to a value of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for serial ports, so this limit is no longer present, but the documentation for the -serial options still reads: - target/ppc: Modify the uncorrect value irq to n_IRQ - block-migration: Ensure we don't crash during migration cleanup - target/s390x: fix handling of zeroes in vfmin/vfmax mainline inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix - hw/virtio/virtio-iommu: Enforce power-of-two notify for both MAP and UNMAP mainline inclusion commit 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix - configure: Add missing POSIX-required space mainline inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix - vga: fix incorrect line height in 640x200x2 mode mainline inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix - hw/ide/core: set ERR_STAT in unsupported command completion - linux-user/flatload.c: Fix setting of image_info::end_code mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category: bugfix - load_elf: fix iterator's type for elf file processing - hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() - hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize() - hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array - chardev/char.c: fix "abstract device type" error message - block/rbd: fix handling of holes in .bdrv_co_block_status - qga: treat get-guest-fsinfo as "best effort" mainline inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix - usb/hcd-xhci: check slotid in xhci_wakeup_endpoint() mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category: bugfix - hw/display/bcm2835_fb: Fix framebuffer allocation address mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: bugfix - block/parallels: Fix buffer-based write call mainline inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix - vl: Improve error message for conflicting -incoming and -loadvm - hw/smbios: Fix OEM strings table option validation Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
2024-03-16 14:59:18 +08:00
From d43f2a9725a1211a0db657b9911a54d58ba26b36 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 8 Mar 2024 03:10:14 +0000
Subject: [PATCH] usb/hcd-xhci: check slotid in xhci_wakeup_endpoint()
mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category:
bugfix
---------------------------------------------------------------
This prevents an OOB read (followed by an assertion failure in
xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220705174734.2348829-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/usb/hcd-xhci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 40300e1bcd..29636795be 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3288,7 +3288,8 @@ static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep,
DPRINTF("%s\n", __func__);
slotid = ep->dev->addr;
- if (slotid == 0 || !xhci->slots[slotid-1].enabled) {
+ if (slotid == 0 || slotid > xhci->numslots ||
+ !xhci->slots[slotid - 1].enabled) {
DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr);
return;
}
--
2.27.0
Reference in New Issue Copy Permalink