On 15.09.2025 16:29, Peter Maydell wrote:
If the guest feeds invalid data to the UHCI controller, we can assert: qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.(see issue 2548 for the repro case). This happens because the guest attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not valid. The controller code doesn't catch this guest error, so instead we hit the assertion in the USB core code. Catch the case of SETUP to non-zero endpoint, and treat it as a fatal error in the TD, in the same way we do for an invalid PID value in the TD. This is the UHCI equivalent of the same bug in OHCI that we fixed in commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT"). This bug has been tracked as CVE-2024-8354. Cc: [email protected] Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548 Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]> Thank you for this Peter! /mjt
