mirror
/
qemu
mirror of https://gitlab.com/qemu-project/qemu
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
staging
stable-10.0
staging-10.0
stable-10.1
staging-10.1
stable-7.2
staging-7.2
tracing
stable-9.2
staging-9.2
staging-8.2
stable-8.2
stable-9.1
staging-9.1
stable-9.0
staging-9.0
stable-8.1
staging-8.1
stable-8.0
staging-8.0
block
stable-6.1
stable-6.0
stable-5.0
stable-4.2
stable-4.1
stable-4.0
stable-3.1
stable-3.0
stable-2.12
stable-2.11
stable-2.10
stable-2.9
stable-2.8
stable-2.7
stable-2.6
stable-2.5
stable-2.4
stable-2.3
stable-2.2
stable-2.1
stable-2.0
stable-1.7
stable-1.6
stable-1.5
stable-1.4
stable-1.3
stable-1.2
stable-1.1
stable-1.0
stable-0.15
stable-0.14
stable-0.13
stable-0.12
stable-0.11
stable-0.10
v10.0.6
v10.1.2
v7.2.21
v10.1.1
v10.0.5
v7.2.20
v10.0.4
v10.1.0
v10.1.0-rc4
v10.1.0-rc3
v10.1.0-rc2
v10.1.0-rc1
v10.1.0-rc0
v7.2.19
v10.0.3
v10.0.2
v10.0.1
v9.2.4
v7.2.18
v10.0.0
v10.0.0-rc4
v10.0.0-rc3
v10.0.0-rc2
v7.2.17
v8.2.10
v9.2.3
v10.0.0-rc1
v10.0.0-rc0
v9.2.2
v8.2.9
v7.2.16
v9.2.1
v9.1.3
v9.2.0
v9.2.0-rc3
v9.2.0-rc2
v9.1.2
v9.0.4
v8.2.8
v7.2.15
v9.2.0-rc1
v9.2.0-rc0
v9.1.1
v9.0.3
v8.2.7
v7.2.14
v9.1.0
v9.1.0-rc4
v9.1.0-rc3
v9.1.0-rc2
v9.1.0-rc1
v9.1.0-rc0
v9.0.2
v8.2.6
v7.2.13
v9.0.1
v8.2.5
v7.2.12
v8.2.4
v8.2.3
v7.2.11
v9.0.0
v9.0.0-rc4
v9.0.0-rc3
v9.0.0-rc2
v9.0.0-rc1
v9.0.0-rc0
v8.2.2
v7.2.10
v8.2.1
v8.1.5
v7.2.9
v8.1.4
v7.2.8
v8.2.0
v8.2.0-rc4
v8.2.0-rc3
v8.2.0-rc2
v8.2.0-rc1
v7.2.7
v8.1.3
v8.2.0-rc0
v8.1.2
v8.1.1
v7.2.6
v8.0.5
v8.1.0
v8.1.0-rc4
v8.1.0-rc3
v7.2.5
v8.0.4
v8.1.0-rc2
v8.1.0-rc1
v8.1.0-rc0
v8.0.3
v7.2.4
v8.0.2
v8.0.1
v7.2.3
v7.2.2
v8.0.0
v8.0.0-rc4
v8.0.0-rc3
v7.2.1
v8.0.0-rc2
v8.0.0-rc1
v8.0.0-rc0
v7.2.0
v7.2.0-rc4
v7.2.0-rc3
v7.2.0-rc2
v7.2.0-rc1
v7.2.0-rc0
v7.1.0
v7.1.0-rc4
v7.1.0-rc3
v7.1.0-rc2
v7.1.0-rc1
v7.1.0-rc0
v7.0.0
v7.0.0-rc4
v7.0.0-rc3
v7.0.0-rc2
v7.0.0-rc1
v7.0.0-rc0
v6.1.1
v6.2.0
v6.2.0-rc4
v6.2.0-rc3
v6.2.0-rc2
v6.2.0-rc1
v6.2.0-rc0
v6.0.1
v6.1.0
v6.1.0-rc4
v6.1.0-rc3
v6.1.0-rc2
v6.1.0-rc1
v6.1.0-rc0
v6.0.0
v6.0.0-rc5
v6.0.0-rc4
v6.0.0-rc3
v6.0.0-rc2
v6.0.0-rc1
v6.0.0-rc0
v5.2.0
v5.2.0-rc4
v5.2.0-rc3
v5.2.0-rc2
v5.2.0-rc1
v5.2.0-rc0
v5.0.1
v5.1.0
v5.1.0-rc3
v5.1.0-rc2
v5.1.0-rc1
v5.1.0-rc0
v4.2.1
v5.0.0
v5.0.0-rc4
v5.0.0-rc3
v5.0.0-rc2
v5.0.0-rc1
v5.0.0-rc0
v4.2.0
v4.2.0-rc5
v4.2.0-rc4
v4.2.0-rc3
v4.2.0-rc2
v4.1.1
v4.2.0-rc1
v4.2.0-rc0
v4.0.1
v3.1.1.1
v4.1.0
v4.1.0-rc5
v4.1.0-rc4
v3.1.1
v4.1.0-rc3
v4.1.0-rc2
v4.1.0-rc1
v4.1.0-rc0
v4.0.0
v4.0.0-rc4
v3.0.1
v4.0.0-rc3
v4.0.0-rc2
v4.0.0-rc1
v4.0.0-rc0
v3.1.0
v3.1.0-rc5
v3.1.0-rc4
v3.1.0-rc3
v3.1.0-rc2
v3.1.0-rc1
v3.1.0-rc0
v3.0.0
v3.0.0-rc4
v2.12.1
v3.0.0-rc3
v3.0.0-rc2
v3.0.0-rc1
v3.0.0-rc0
v2.11.2
v2.12.0
v2.12.0-rc4
v2.12.0-rc3
v2.12.0-rc2
v2.12.0-rc1
v2.12.0-rc0
v2.11.1
v2.10.2
v2.11.0
v2.11.0-rc5
v2.11.0-rc4
v2.11.0-rc3
v2.11.0-rc2
v2.11.0-rc1
v2.11.0-rc0
v2.10.1
v2.9.1
v2.10.0
v2.10.0-rc4
v2.10.0-rc3
v2.10.0-rc2
v2.10.0-rc1
v2.10.0-rc0
v2.8.1.1
v2.9.0
v2.9.0-rc5
v2.9.0-rc4
v2.9.0-rc3
v2.8.1
v2.9.0-rc2
v2.9.0-rc1
v2.9.0-rc0
v2.7.1
v2.8.0
v2.8.0-rc4
v2.8.0-rc3
v2.8.0-rc2
v2.8.0-rc1
v2.8.0-rc0
v2.6.2
v2.7.0
v2.7.0-rc5
v2.7.0-rc4
v2.6.1
v2.7.0-rc3
v2.7.0-rc2
v2.7.0-rc1
v2.7.0-rc0
v2.6.0
v2.5.1.1
v2.6.0-rc5
v2.6.0-rc4
v2.6.0-rc3
v2.6.0-rc2
v2.6.0-rc1
v2.6.0-rc0
v2.5.1
v2.5.0
v2.5.0-rc4
v2.5.0-rc3
v2.5.0-rc2
v2.5.0-rc1
v2.5.0-rc0
v2.4.1
v2.4.0.1
v2.3.1
v2.4.0
v2.4.0-rc4
v2.4.0-rc3
v2.4.0-rc2
v2.4.0-rc1
v2.4.0-rc0
v2.3.0
v2.3.0-rc4
v2.3.0-rc3
v2.3.0-rc2
v2.3.0-rc1
v2.3.0-rc0
v2.2.1
v2.1.3
v2.2.0
v2.2.0-rc5
v2.2.0-rc4
v2.2.0-rc3
v2.2.0-rc2
v2.2.0-rc1
v2.2.0-rc0
v2.1.2
v2.1.1
v2.1.0
v2.1.0-rc5
v2.1.0-rc4
v2.1.0-rc3
v2.1.0-rc2
v2.1.0-rc1
v2.1.0-rc0
v2.0.0
v2.0.0-rc3
v2.0.0-rc2
v2.0.0-rc1
v2.0.0-rc0
v1.4.0
v1.4.0-rc2
v1.4.0-rc1
v1.4.0-rc0
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.2.0-rc1
v1.0
v1.0-rc4
v0.14.1
initial
release_0_10_0
release_0_10_1
release_0_10_2
release_0_5_1
release_0_6_0
release_0_6_1
release_0_7_0
release_0_7_1
release_0_8_1
release_0_8_2
release_0_9_0
release_0_9_1
v0.1.0
v0.1.1
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.11.0
v0.11.0-rc0
v0.11.0-rc1
v0.11.0-rc2
v0.11.1
v0.12.0
v0.12.0-rc0
v0.12.0-rc1
v0.12.0-rc2
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.13.0
v0.13.0-rc0
v0.13.0-rc1
v0.13.0-rc2
v0.13.0-rc3
v0.14.0
v0.14.0-rc0
v0.14.0-rc1
v0.14.0-rc2
v0.15.0
v0.15.0-rc0
v0.15.0-rc1
v0.15.0-rc2
v0.15.1
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.1
v0.8.2
v0.9.0
v0.9.1
v1.0-rc0
v1.0-rc1
v1.0-rc2
v1.0-rc3
v1.0.1
v1.1-rc0
v1.1-rc1
v1.1-rc2
v1.1.0
v1.1.0-rc2
v1.1.0-rc3
v1.1.0-rc4
v1.1.1
v1.1.2
v1.2.0-rc0
v1.2.1
v1.2.2
v1.3.0
v1.3.0-rc0
v1.3.0-rc1
v1.3.0-rc2
v1.3.1
v1.4.1
v1.4.2
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.6.1
v1.6.2
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.1
v1.7.2
v2.0.1
v2.0.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
qemu/hw/usb
History
Peter Maydell d0af3cd027 hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint 
If the guest feeds invalid data to the UHCI controller, we
can assert:
qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.

(see issue 2548 for the repro case).  This happens because the guest
attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
valid.  The controller code doesn't catch this guest error, so
instead we hit the assertion in the USB core code.

Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
error in the TD, in the same way we do for an invalid PID value in
the TD.

This is the UHCI equivalent of the same bug in OHCI that we fixed in
commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
OUT").

This bug has been tracked as CVE-2024-8354.

Cc: qemu-stable@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
 		4 weeks ago
..
Kconfig Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 8 months ago
bus-stub.c include: Rename sysemu/ -> system/ 10 months ago
bus.c qom: Make InterfaceInfo[] uses const 6 months ago
canokey.c qom: Have class_init() take a const data argument 6 months ago
canokey.h hw/usb/canokey: Fix buffer overflow for OUT packet 9 months ago
ccid-card-emulated.c qom: Have class_init() take a const data argument 6 months ago
ccid-card-passthru.c qom: Have class_init() take a const data argument 6 months ago
ccid.h Use OBJECT_DECLARE_TYPE when possible 5 years ago
chipidea.c qom: Have class_init() take a const data argument 6 months ago
combined-packet.c usb: limit combined packets to 1 MiB (CVE-2021-3527) 5 years ago
core.c usb: add pcap support. 5 years ago
desc-msos.c hw/usb: Fix typo in comments and print 4 years ago
desc.c hw/usb: Silence compiler warnings in USB code when compiling with -Wshadow 2 years ago
desc.h usb: allow max 8192 bytes for desc 4 years ago
dev-audio.c qom: Have class_init() take a const data argument 6 months ago
dev-hid.c hw/usb/dev-hid: Support side and extra mouse buttons for usb-tablet 3 months ago
dev-hub.c qom: Have class_init() take a const data argument 6 months ago
dev-mtp.c qom: Have class_init() take a const data argument 6 months ago
dev-network.c hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response 1 month ago
dev-serial.c qom: Have class_init() take a const data argument 6 months ago
dev-smartcard-reader.c qom: Make InterfaceInfo[] uses const 6 months ago
dev-storage-bot.c qom: Have class_init() take a const data argument 6 months ago
dev-storage-classic.c qom: Have class_init() take a const data argument 6 months ago
dev-storage.c qom: Have class_init() take a const data argument 6 months ago
dev-uas.c qom: Have class_init() take a const data argument 6 months ago
dev-wacom.c qom: Have class_init() take a const data argument 6 months ago
hcd-dwc2.c qom: Have class_init() take a const data argument 6 months ago
hcd-dwc2.h include: Rename sysemu/ -> system/ 10 months ago
hcd-dwc3.c qom: Have class_init() take a const data argument 6 months ago
hcd-ehci-pci.c qom: Make InterfaceInfo[] uses const 6 months ago
hcd-ehci-sysbus.c qom: Have class_init() take a const data argument 6 months ago
hcd-ehci.c hw/usb/hcd-ehci: Fix debug printf format string 9 months ago
hcd-ehci.h include: Rename sysemu/ -> system/ 10 months ago
hcd-ohci-pci.c qom: Make InterfaceInfo[] uses const 6 months ago
hcd-ohci-sysbus.c qom: Have class_init() take a const data argument 6 months ago
hcd-ohci.c hw/usb/hcd-ohci: skip automatic zero-init of large array 4 months ago
hcd-ohci.h include: Rename sysemu/ -> system/ 10 months ago
hcd-uhci.c hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint 4 weeks ago
hcd-uhci.h qom: Have class_init() take a const data argument 6 months ago
hcd-xhci-nec.c qom: Have class_init() take a const data argument 6 months ago
hcd-xhci-pci.c qom: Make InterfaceInfo[] uses const 6 months ago
hcd-xhci-pci.h hw/usb/hcd-xhci-pci: Adds property for disabling mapping in IRQ mode 8 months ago
hcd-xhci-sysbus.c qom: Have class_init() take a const data argument 6 months ago
hcd-xhci-sysbus.h usb/xhci: add include/hw/usb/xhci.h header file 5 years ago
hcd-xhci.c hw/usb/hcd-xhci: Unmap canceled packet 6 months ago
hcd-xhci.h hw/usb/hcd-xhci-pci: Adds property for disabling mapping in IRQ mode 8 months ago
host-libusb.c qom: Have class_init() take a const data argument 6 months ago
imx-usb-phy.c qom: Have class_init() take a const data argument 6 months ago
libhw.c include: Rename sysemu/ -> system/ 10 months ago
meson.build Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX 8 months ago
pcap.c usb/pcap: set flag_setup 5 years ago
quirks-ftdi-ids.h hw/usb: Fix typo in comments and print 4 years ago
quirks-pl2303-ids.h hw/usb: fix tab indentation 3 years ago
quirks.c hw/usb/quirks: Use smaller types to reduce .rodata by 10KiB 6 years ago
quirks.h hw/usb: spelling fixes 2 years ago
redirect.c qom: Have class_init() take a const data argument 6 months ago
trace-events hw/usb/hcd-ohci: Fix ohci_service_td: accept zero-length TDs where CBP=BE+1 1 year ago
trace.h trace: switch position of headers to what Meson requires 5 years ago
u2f-emulated.c qom: Have class_init() take a const data argument 6 months ago
u2f-passthru.c qom: Have class_init() take a const data argument 6 months ago
u2f.c qom: Have class_init() take a const data argument 6 months ago
u2f.h hw/usb/u2f: Declare QOM macros using OBJECT_DECLARE_TYPE() 3 years ago
vt82c686-uhci-pci.c hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts 2 years ago
xen-usb.c hw/xen: Prefer QOM cast for XenLegacyDevice 8 months ago
xlnx-usb-subsystem.c qom: Have class_init() take a const data argument 6 months ago
xlnx-versal-usb2-ctrl-regs.c qom: Have class_init() take a const data argument 6 months ago