From: Prasad J Pandit <p...@fedoraproject.org>

While setting up a packet in the xhci_setup_packet() routine, usb_packet_map() may return an error. Check this return value before further processing the packet, to avoid a use-after-free issue.
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fxhci_uaf_2 #0 __interceptor_free (/lib64/libasan.so.6+0xb0307) #1 qemu_vfree ../util/oslib-posix.c:247 #2 address_space_unmap ../exec.c:3635 #3 dma_memory_unmap ../include/sysemu/dma.h:145 #4 usb_packet_unmap ../hw/usb/libhw.c:65 #5 usb_packet_map ../hw/usb/libhw.c:54 #6 xhci_setup_packet ../hw/usb/hcd-xhci.c:1618 #7 xhci_fire_ctl_transfer ../hw/usb/hcd-xhci.c:1722 #8 xhci_kick_epctx ../hw/usb/hcd-xhci.c:1991 #9 xhci_kick_ep ../hw/usb/hcd-xhci.c:1861 #10 xhci_doorbell_write ../hw/usb/hcd-xhci.c:3162 ... Reported-by: Ruhr-University <bugs-sys...@rub.de> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/usb/hcd-xhci.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 67a18fe2b6..848e7e935f 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -1615,7 +1615,14 @@ static int xhci_setup_packet(XHCITransfer *xfer) xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */ usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid, xfer->trbs[0].addr, false, xfer->int_req); - usb_packet_map(&xfer->packet, &xfer->sgl); + if (usb_packet_map(&xfer->packet, &xfer->sgl) < 0) { + DPRINTF("xhci: setup packet failed: pid: 0x%x addr %d ep %d\n", + xfer->packet.pid, ep->dev->addr, ep->nr); + usb_packet_cleanup(&xfer->packet); + qemu_sglist_destroy(&xfer->sgl); + return -1; + } + DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n", xfer->packet.pid, ep->dev->addr, ep->nr); return 0; -- 2.26.2
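Review bot: the new error branch in xhci_setup_packet() calls usb_packet_cleanup(&xfer->packet) and qemu_sglist_destroy(&xfer->sgl) on objects owned by the XHCITransfer, and the reported trace (frames #5 to #0) shows usb_packet_map() already runs usb_packet_unmap() and frees the mapped buffers on its own failure path; please confirm that the teardown the callers perform after a -1 return, starting with xhci_fire_ctl_transfer() at hcd-xhci.c:1722 (frame #7), does not destroy xfer->sgl or clean up xfer->packet a second time, otherwise the patch trades the use-after-free for a double free. If the callers already unmap and destroy on error, the branch can be reduced to the check and `return -1;`. Since the function already returned int with 0 on success (see the @@ header and the unchanged `return 0;`), the fix is only effective if every caller acts on a non-zero return; the patch does not touch any caller, so either note in the commit message that the existing callers already bail out on non-zero, or add those checks in the same series. Minor: the failure DPRINTF uses "pid: 0x%x" while the success message two lines below uses "pid 0x%x"; keep the two formats consistent.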