48 lines
1.2 KiB
Diff
48 lines
1.2 KiB
Diff
From a95ada20170af0a71529c1583846e402cdbb850b Mon Sep 17 00:00:00 2001
|
|
From: Yan Wang <wangyan122@huawei.com>
|
|
Date: Thu, 10 Feb 2022 10:41:40 +0800
|
|
Subject: [PATCH] xhci: check reg to avoid OOB read
|
|
|
|
Add a sanity check to fix OOB read access.
|
|
|
|
Signed-off-by: Yan Wang <wangyan122@huawei.com>
|
|
---
|
|
hw/usb/hcd-xhci.c | 8 ++++++--
|
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|
index e01700039b..08cd63e159 100644
|
|
--- a/hw/usb/hcd-xhci.c
|
|
+++ b/hw/usb/hcd-xhci.c
|
|
@@ -27,6 +27,7 @@
|
|
#include "hw/qdev-properties.h"
|
|
#include "trace.h"
|
|
#include "qapi/error.h"
|
|
+#include "qemu/log.h"
|
|
|
|
#include "hcd-xhci.h"
|
|
|
|
@@ -3017,14 +3018,17 @@ static void xhci_runtime_write(void *ptr, hwaddr reg,
|
|
XHCIInterrupter *intr;
|
|
int v;
|
|
|
|
- trace_usb_xhci_runtime_write(reg, val);
|
|
-
|
|
if (reg < 0x20) {
|
|
trace_usb_xhci_unimplemented("runtime write", reg);
|
|
return;
|
|
}
|
|
v = (reg - 0x20) / 0x20;
|
|
+ if (v >= xhci->numintrs) {
|
|
+ qemu_log("intr nr out of range (%d >= %d)\n", v, xhci->numintrs);
|
|
+ return;
|
|
+ }
|
|
intr = &xhci->intr[v];
|
|
+ trace_usb_xhci_runtime_write(reg, val);
|
|
|
|
switch (reg & 0x1f) {
|
|
case 0x00: /* IMAN */
|
|
--
|
|
2.27.0
|
|
|