From fb5dab239c691d4dbaae14e7598c305c7d793451 Mon Sep 17 00:00:00 2001
From: zhangpengrui
Date: Thu, 23 Oct 2025 09:43:52 +0800
Subject: [PATCH] QEMU update to version 6.2.0-110:
Signed-off-by: zhangpengrui
---
 ...don-t-assert-for-SETUP-to-non-0-endp.patch | 73 +++++++++++++++++++
 qemu.spec | 6 +-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
diff --git a/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
new file mode 100644
index 00000000..ed49e227
--- /dev/null
+++ b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
@@ -0,0 +1,73 @@
+From 55a9c193910dc6f5ffe4d92d8b179fc460e65252 Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Mon, 15 Sep 2025 14:29:10 +0100
+Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0
+ endpoint(CVE-2024-8354)
+
+If the guest feeds invalid data to the UHCI controller, we
+can assert:
+qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
+
+(see issue 2548 for the repro case). This happens because the guest
+attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
+valid. The controller code doesn't catch this guest error, so
+instead we hit the assertion in the USB core code.
+
+Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
+error in the TD, in the same way we do for an invalid PID value in
+the TD.
+
+This is the UHCI equivalent of the same bug in OHCI that we fixed in
+commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
+OUT").
+
+This bug has been tracked as CVE-2024-8354.
+
+Cc: qemu-stable@nongnu.org
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
+Signed-off-by: Peter Maydell
+Reviewed-by: Michael Tokarev
+---
+ hw/usb/hcd-uhci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
+index 00a8de2fba..5ed931d337 100644
+--- a/hw/usb/hcd-uhci.c
++++ b/hw/usb/hcd-uhci.c
+@@ -763,6 +763,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+ bool spd;
+ bool queuing = (q != NULL);
+ uint8_t pid = td->token & 0xff;
++ uint8_t ep_id = (td->token >> 15) & 0xf;
+ UHCIAsync *async;
+
+ async = uhci_async_find_td(s, td_addr);
+@@ -806,9 +807,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+
+ switch (pid) {
+ case USB_TOKEN_OUT:
+- case USB_TOKEN_SETUP:
+ case USB_TOKEN_IN:
+ break;
++ case USB_TOKEN_SETUP:
++ /* SETUP is only valid to endpoint 0 */
++ if (ep_id == 0) {
++ break;
++ }
++ /* fallthrough */
+ default:
+ /* invalid pid : frame interrupted */
+ s->status |= UHCI_STS_HCPERR;
+@@ -855,7 +861,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
+ return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV,
+ int_mask);
+ }
+- ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
++ ep = usb_ep_get(dev, pid, ep_id);
+ q = uhci_queue_new(s, qh_addr, td, ep);
+ }
+ async = uhci_async_alloc(q, td_addr);
+--
+2.33.0
+
diff --git a/qemu.spec b/qemu.spec
index 0d466da6..6e73c6ea 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -3,7 +3,7 @@
 Name: qemu
 Version: 6.2.0
-Release: 109
+Release: 110
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
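Review bot: The `default:` comment `/* invalid pid : frame interrupted */` in the second hcd-uhci.c hunk now also labels the SETUP-to-non-zero-endpoint path that falls through into it, so it under-describes why the TD is rejected; `/* invalid pid, or SETUP to an endpoint other than 0: frame interrupted */` would keep it accurate. The guard itself matches the commit message: the TD is failed with UHCI_STS_HCPERR before usb_ep_get() is reached, which is where the quoted assertion fires, so the guest-triggerable abort becomes an ordinary TD error. The nested patch keeps the upstream hash in its From line but carries no backport marker (a cherry-pick line or the backporter's Signed-off-by), so whether the hunk offsets were rebased against the 6.2.0 tree or taken as-is from upstream cannot be told from here. uhci_handle_td() begins before the first hunk and continues past the last one.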
@@ -1185,6 +1185,7 @@
 Patch1170: qemu-Support-specifying-the-cache-size-presented-to-.patch
 Patch1171: vdpa-Fix-dirty-page-bitmap-synchronization-not-done-.patch
 Patch1172: qemu6.2.0-Add-trace-to-measure-hot-migrate-downtime.patch
 Patch1173: migration-Extand-the-fdtable-in-the-incoming-phase-o.patch
+Patch1174: hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch
 BuildRequires: flex
 BuildRequires: gcc
@@ -1783,6 +1784,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Wed Oct 22 2025 Pengrui Zhang - 10:6.2.0-110
+- hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354)
+
 * Thu May 22 2025 - 10:6.2.0-109
 - migration:Extand the fdtable in the incoming phase of migration
 - qemu6.2.0: Add trace to measure hot migrate downtime
--
Gitee