On Mon, May 12, 2014 at 03:16:07PM +0300, Michael S. Tsirkin wrote:
> Correct post load checks:
> 1. dev->setup_len == sizeof(dev->data_buf)
> seems fine, no need to fail migration
> 2. When state is DATA, passing index > len
>will cause memcpy with negative length,
>resulting in heap o
Hi,
> And SETUP_STATE_PARAM?
Shortcut for small control transfers on xhci. Doesn't go through the
idle -> setup -> data -> ack state engine.
security-wise: you can't go from 'param' to 'data' without 'setup'
inbetween. beside that index should still be zero at the point where
len is modifie
On Tue, May 13, 2014 at 10:44:45AM +0200, Gerd Hoffmann wrote:
> On Di, 2014-05-13 at 11:32 +0300, Michael S. Tsirkin wrote:
> > On Tue, May 13, 2014 at 09:50:09AM +0200, Gerd Hoffmann wrote:
> > > Hi,
> > >
> > > > +(dev->setup_state == SETUP_STATE_DATA &&
> > >
> > > Fails to build, S
On Di, 2014-05-13 at 11:32 +0300, Michael S. Tsirkin wrote:
> On Tue, May 13, 2014 at 09:50:09AM +0200, Gerd Hoffmann wrote:
> > Hi,
> >
> > > +(dev->setup_state == SETUP_STATE_DATA &&
> >
> > Fails to build, SETUP_STATE_DATA is not defined here.
> >
> > I think we can simply drop that
On Tue, May 13, 2014 at 09:50:09AM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > +(dev->setup_state == SETUP_STATE_DATA &&
>
> Fails to build, SETUP_STATE_DATA is not defined here.
>
> I think we can simply drop that check, index should never ever be larger
> than len, no matter what the sta
Hi,
> +(dev->setup_state == SETUP_STATE_DATA &&
Fails to build, SETUP_STATE_DATA is not defined here.
I think we can simply drop that check, index should never ever be larger
than len, no matter what the state is.
cheers,
Gerd
> Sent: Monday, May 12, 2014 8:16 PM
> > To: qemu-devel@nongnu.org
> > Cc: Gerd Hoffmann; dgilb...@redhat.com
> > Subject: [Qemu-devel] [PATCH] usb: fix up post load checks
> >
> > Correct post load checks:
> > 1. dev->setup_len == sizeof(dev->dat
Gerd Hoffmann; dgilb...@redhat.com
> Subject: [Qemu-devel] [PATCH] usb: fix up post load checks
>
> Correct post load checks:
> 1. dev->setup_len == sizeof(dev->data_buf)
> seems fine, no need to fail migration
> 2. When state is DATA, passing index > len
>will cause
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
seems fine, no need to fail migration
2. When state is DATA, passing index > len
will cause memcpy with negative length,
resulting in heap overflow
First of the issues was reported by dgilbert.
Reported-by: "Dr. David
