[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet()
From: |
Mauro Matteo Cascella |
Subject: |
[PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet() |
Date: |
Mon, 12 Oct 2020 17:03:56 +0200 |
Check the value of mps before it is used as divisor. Since HCCHAR_MPS is guest
controllable, this prevents a malicious/buggy guest from crashing the QEMU
process on the host.
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Gaoning Pan <gaoning.pgn@antgroup.com>
Reported-by: Xingwei Lin <linyi.lxw@antfin.com>
---
hw/usb/hcd-dwc2.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
index 97688d21bf..91476fd781 100644
--- a/hw/usb/hcd-dwc2.c
+++ b/hw/usb/hcd-dwc2.c
@@ -324,6 +324,12 @@ babble:
}
}
+ if (mps == 0) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Bad HCCHAR_MPS set to zero\n", __func__);
+ return;
+ }
+
tpcnt = actual / mps;
if (actual % mps) {
tpcnt++;
--
2.26.2
- [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(),
Mauro Matteo Cascella <=
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Paul Zimmerman, 2020/10/12
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Gerd Hoffmann, 2020/10/13
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Paul Zimmerman, 2020/10/13
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Gerd Hoffmann, 2020/10/13
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Mauro Matteo Cascella, 2020/10/14
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Paul Zimmerman, 2020/10/15
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Gerd Hoffmann, 2020/10/15
- Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet(), Gerd Hoffmann, 2020/10/14