On Wed, 17 Sept 2025 at 15:03, Michael Tokarev <[email protected]> wrote:
>
> On 15.09.2025 16:29, Peter Maydell wrote:
> > If the guest feeds invalid data to the UHCI controller, we
> > can assert:
> > qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid ==
> > USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
> >
> > (see issue 2548 for the repro case). This happens because the guest
> > attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
> > valid. The controller code doesn't catch this guest error, so
> > instead we hit the assertion in the USB core code.
> >
> > Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
> > error in the TD, in the same way we do for an invalid PID value in
> > the TD.
> >
> > This is the UHCI equivalent of the same bug in OHCI that we fixed in
> > commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
> > OUT").
> >
> > This bug has been tracked as CVE-2024-8354.
> >
> > Cc: [email protected]
> > Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
> > Signed-off-by: Peter Maydell <[email protected]>
>
> Reviewed-by: Michael Tokarev <[email protected]>
Thanks; I'll queue this via target-arm.next unless anybody objects to that.

-- PMM
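The check the quoted commit message describes, validating a guest-supplied TD token in the host controller before it reaches the USB core, can be illustrated stand-alone. The following is an added example and is not QEMU's hcd-uhci.c code or its data structures: the enum and function names (`td_check`, `uhci_check_td_token`, `make_td_token`) are hypothetical, while the three PID values and the token field layout (PID in bits 7:0, device address in bits 14:8, endpoint in bits 18:15) come from the USB and UHCI specifications. It models the two guest errors the message treats as fatal for the TD: a PID that is not SETUP, IN or OUT, and a SETUP aimed at an endpoint other than 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB packet identifiers (PIDs) as they appear in the low byte of a
 * UHCI TD token. These three values are defined by the USB specification. */
#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_OUT   0xe1
#define USB_TOKEN_IN    0x69

/* Outcome of validating a guest-supplied TD token. Hypothetical names for
 * this example, not QEMU's own. */
enum td_check {
    TD_OK = 0,
    TD_ERR_BAD_PID,          /* PID is not SETUP, IN or OUT */
    TD_ERR_SETUP_NONZERO_EP, /* SETUP aimed at an endpoint other than 0 */
};

/* Field accessors for the UHCI TD token dword (UHCI spec layout):
 * bits 7:0 PID, bits 14:8 device address, bits 18:15 endpoint number. */
static inline uint8_t td_token_pid(uint32_t token)      { return token & 0xff; }
static inline uint8_t td_token_devaddr(uint32_t token)  { return (token >> 8) & 0x7f; }
static inline uint8_t td_token_endpoint(uint32_t token) { return (token >> 15) & 0xf; }

/* Validate a TD token in the controller, before any endpoint lookup in the
 * USB core. Both error results are meant to be handled as a fatal TD error
 * (the TD is failed and processing stops), never as an assertion. */
enum td_check uhci_check_td_token(uint32_t token)
{
    switch (td_token_pid(token)) {
    case USB_TOKEN_IN:
    case USB_TOKEN_OUT:
        return TD_OK;
    case USB_TOKEN_SETUP:
        /* SETUP is only defined for the default control endpoint (ep 0). */
        return td_token_endpoint(token) == 0 ? TD_OK : TD_ERR_SETUP_NONZERO_EP;
    default:
        return TD_ERR_BAD_PID;
    }
}

/* Build a token from its fields; used here only to construct sample input. */
uint32_t make_td_token(uint8_t pid, uint8_t devaddr, uint8_t endpoint)
{
    return (uint32_t)pid
         | ((uint32_t)(devaddr & 0x7f) << 8)
         | ((uint32_t)(endpoint & 0xf) << 15);
}

int main(void)
{
    /* Constructed sample tokens: a legitimate control SETUP, the SETUP-to-
     * non-zero-endpoint case from the commit message, a bulk IN, and a
     * garbage PID. */
    struct { const char *what; uint32_t token; } samples[] = {
        { "SETUP to ep0",     make_td_token(USB_TOKEN_SETUP, 1, 0) },
        { "SETUP to ep2",     make_td_token(USB_TOKEN_SETUP, 1, 2) },
        { "IN from ep1",      make_td_token(USB_TOKEN_IN, 1, 1) },
        { "invalid PID 0x00", make_td_token(0x00, 1, 0) },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-18s -> %d\n", samples[i].what,
               uhci_check_td_token(samples[i].token));
    }
    return 0;
}
```

The point of doing the check at the controller layer is that the USB core's assertion is an internal invariant, not an input validator: once a guest can pick the PID and endpoint fields freely, every token must be rejected or normalised by the controller model before any core routine that assumes a well-formed token is called.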
