From da2a0a5d09a9524bc5566bf06dddf38da7635290 Mon Sep 17 00:00:00 2001 From: zhangpengrui Date: Wed, 22 Oct 2025 17:55:50 +0800 Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354) Signed-off-by: zhangpengrui --- ...don-t-assert-for-SETUP-to-non-0-endp.patch | 73 +++++++++++++++++++ qemu.spec | 6 +- 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch diff --git a/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch new file mode 100644 index 00000000..f21e0ca9 --- /dev/null +++ b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch @@ -0,0 +1,73 @@ +From 71410efdc9d21fe5eea642d2d4b1bb61d3af599a Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Mon, 15 Sep 2025 14:29:10 +0100 +Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 + endpoint(CVE-2024-8354) + +If the guest feeds invalid data to the UHCI controller, we +can assert: +qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. + +(see issue 2548 for the repro case). This happens because the guest +attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not +valid. The controller code doesn't catch this guest error, so +instead we hit the assertion in the USB core code. + +Catch the case of SETUP to non-zero endpoint, and treat it as a fatal +error in the TD, in the same way we do for an invalid PID value in +the TD. + +This is the UHCI equivalent of the same bug in OHCI that we fixed in +commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or +OUT"). + +This bug has been tracked as CVE-2024-8354. + +Cc: qemu-stable@nongnu.org +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548 +Signed-off-by: Peter Maydell +Reviewed-by: Michael Tokarev +--- + hw/usb/hcd-uhci.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c +index 333413acdd..2de342bf58 100644 +--- a/hw/usb/hcd-uhci.c ++++ b/hw/usb/hcd-uhci.c +@@ -776,6 +776,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + bool spd; + bool queuing = (q != NULL); + uint8_t pid = td->token & 0xff; ++ uint8_t ep_id = (td->token >> 15) & 0xf; + UHCIAsync *async; + + async = uhci_async_find_td(s, td_addr); +@@ -819,9 +820,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + + switch (pid) { + case USB_TOKEN_OUT: +- case USB_TOKEN_SETUP: + case USB_TOKEN_IN: + break; ++ case USB_TOKEN_SETUP: ++ /* SETUP is only valid to endpoint 0 */ ++ if (ep_id == 0) { ++ break; ++ } ++ /* fallthrough */ + default: + /* invalid pid : frame interrupted */ + s->status |= UHCI_STS_HCPERR; +@@ -868,7 +874,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV, + int_mask); + } +- ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf); ++ ep = usb_ep_get(dev, pid, ep_id); + q = uhci_queue_new(s, qh_addr, td, ep); + } + async = uhci_async_alloc(q, td_addr); +-- +2.33.0 + diff --git a/qemu.spec b/qemu.spec index 878892ca..8ab1c6fc 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 89 +Release: 90 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -430,6 +430,7 @@ Patch0417: qdev-properties-add-size32-property-type.patch Patch0418: softmmu-Support-concurrent-bounce-buffers-CVE-2024-8.patch Patch0419: mac_dbdma-Remove-leftover-dma_memory_unmap-calls-CVE.patch Patch0420: Fix-the-missing-hmp_nbd_server_start-change-in-CVE-2.patch +Patch0421: hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch BuildRequires: flex BuildRequires: bison @@ -830,6 +831,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Oct 22 2025 Pengrui Zhang - 10:4.1.0-90 +- hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354) + * Mon Jan 06 2025 xiaoyuliang - 10:4.1.0-89 - nbd: Fix the missing hmp_nbd_server_start change in CVE-2024-7409 -- Gitee