Message ID | 20250213125403.4138883-1-madmarri@cisco.com (mailing list archive)
---|---
State | New
Series | [master] usb: Check USB_TOKEN_SETUP in usb_ep_get(CVE-2024-8354)
diff --git a/hw/usb/core.c b/hw/usb/core.c index 975f76250a..df2aec5aca 100644 --- a/hw/usb/core.c +++ b/hw/usb/core.c @@ -741,6 +741,12 @@ struct USBEndpoint *usb_ep_get(USBDevice *dev, int pid, int ep) if (ep == 0) { return &dev->ep_ctl; } + + if (pid == USB_TOKEN_SETUP) { + /* Do not handle setup packets here */ + return &dev->ep_ctl; + } + assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT); assert(ep > 0 && ep <= USB_MAX_ENDPOINTS); eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
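Review bot: the new `if (pid == USB_TOKEN_SETUP)` block only changes behaviour for `ep != 0`, because the `if (ep == 0)` test immediately above already returns `&dev->ep_ctl`; a SETUP token addressed to a non-zero endpoint is a guest protocol error (SETUP is only valid on a control endpoint), and this hunk silently retargets such a packet to the control endpoint and also skips the `assert(ep > 0 && ep <= USB_MAX_ENDPOINTS)` range check rather than reporting the error. The comment "Do not handle setup packets here" does not explain any of that. Consider stating in the comment that SETUP on a non-zero endpoint is deliberately routed to `ep_ctl` so the request can be rejected by the device-level handling instead of asserting, or alternatively have the function signal the malformed packet to its caller; either way the comment should say which endpoints SETUP is valid on and why the fallback is safe.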
The USB_TOKEN_SETUP packet is not being handled in the usb_ep_get function. This causes the program to hit the assertion that checks for only USB_TOKEN_IN or USB_TOKEN_OUT, leading to the failure and core dump when the USB_TOKEN_SETUP packet is processed. Added a check for USB_TOKEN_SETUP to avoid triggering an assertion failure and crash.

Fixes: CVE-2024-8354
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Madhu Marri <madmarri@cisco.com>
---
 hw/usb/core.c | 6 ++++++
 1 file changed, 6 insertions(+)