From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 3 May 2021 15:29:15 +0200 Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527) usb-host and usb-redirect try to batch bulk transfers by combining many small usb packets into a single, large transfer request, to reduce the overhead and improve performance. This patch adds a size limit of 1 MiB for those combined packets to restrict the host resources the guest can bind that way. Signed-off-by: Gerd Hoffmann Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> --- hw/usb/combined-packet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c index 5d57e88..e56802f 100644 --- a/hw/usb/combined-packet.c +++ b/hw/usb/combined-packet.c @@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || next == NULL || /* Work around for Linux usbfs bulk splitting + migration */ - (totalsize == (16 * KiB - 36) && p->int_req)) { + (totalsize == (16 * KiB - 36) && p->int_req) || + /* Next package may grow combined package over 1MiB */ + totalsize > 1 * MiB - ep->max_packet_size) { usb_device_handle_data(ep->dev, first); assert(first->status == USB_RET_ASYNC); if (first->combined) { -- cgit v1.1