Re: hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT

Mon, 20 May 2024 10:06:10 -0700 

On Tue, 6 Feb 2024 at 13:25, Cord Amfmgm <dmamf...@gmail.com> wrote:
>
> This changes the ohci validation to not assert if invalid
> data is fed to the ohci controller. The poc suggested in
> https://bugs.launchpad.net/qemu/+bug/1907042
> and then migrated to bug #303 does the following to
> feed it a SETUP pid and EndPt of 1:
>
>         uint32_t MaxPacket = 64;
>         uint32_t TDFormat = 0;
>         uint32_t Skip = 0;
>         uint32_t Speed = 0;
>         uint32_t Direction = 0;  /* #define OHCI_TD_DIR_SETUP 0 */
>         uint32_t EndPt = 1;
>         uint32_t FuncAddress = 0;
>         ed->attr = (MaxPacket << 16) | (TDFormat << 15) | (Skip << 14)
>                    | (Speed << 13) | (Direction << 11) | (EndPt << 7)
>                    | FuncAddress;
>         ed->tailp = /*TDQTailPntr= */ 0;
>         ed->headp = ((/*TDQHeadPntr= */ &td[0]) & 0xfffffff0)
>                    | (/* ToggleCarry= */ 0 << 1);
>         ed->next_ed = (/* NextED= */ 0 & 0xfffffff0)
>
> qemu-fuzz also caught the same issue in #1510. They are
> both fixed by this patch.
>
> The if (td.cbp > td.be) logic in ohci_service_td() causes an
> ohci_die(). My understanding of the OHCI spec 4.3.1.2
> Table 4-2 allows td.cbp to be one byte more than td.be to
> signal the buffer has zero length. The new check in qemu
> appears to have been added since qemu-4.2. This patch
> includes both fixes since they are located very close
> together.

For the "zero length buffer" case, do you have a more detailed
pointer to the bit of the spec that says that "cbp = be + 1" is a
valid way to specify a zero length buffer? Table 4-2 in the copy I
have says for CurrentBufferPointer "a value of 0 indicates
a zero-length data packet or that all bytes have been transferred",
and the sample host OS driver function QueueGeneralRequest()
later in the spec handles a 0 length packet by setting
  TD->HcTD.CBP = TD->HcTD.BE = 0;
(which our emulation's code does handle).

> @@ -936,8 +941,8 @@ static int ohci_service_td(OHCIState *ohci, struct
> ohci_ed *ed)
>          if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
>              len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
>          } else {
> -            if (td.cbp > td.be) {
> -                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
> +            if (td.cbp > td.be + 1) {

I think this has an overflow if td.be is 0xffffffff.

> +                trace_usb_ohci_td_bad_buf(td.cbp, td.be);
>                  ohci_die(ohci);
>                  return 1;
>              }

(On the other hand having looked at the code I'm happy
now that having a len of 0 passed into usb_packet_addbuf()
is OK because we already do that for the "cbp = be = 0"
way of specifying a zero length packet.)

thanks
-- PMM

Reply via email to