diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2023-08-24 17:48:18 +0100 |
|---|---|---|
| committer | Philippe Mathieu-Daudé <philmd@linaro.org> | 2023-08-31 19:47:43 +0200 |
| commit | f8324611c1ec100fd601842d3943cbf8acd1420f (patch) | |
| tree | d4904a110956b8516b51ed84e741bf0a5e58c28b /hw/usb | |
| parent | 2a8537cfbcf3d0a14e88c5bb42a43a6c8ed5955e (diff) | |
| download | focaccia-qemu-f8324611c1ec100fd601842d3943cbf8acd1420f.tar.gz focaccia-qemu-f8324611c1ec100fd601842d3943cbf8acd1420f.zip | |
hw/usb/hcd-xhci: Avoid variable-length array in xhci_get_port_bandwidth()
In xhci_get_port_bandwidth(), we use a variable-length array to construct the buffer to send back to the guest. Avoid the VLA by using dma_memory_set() to directly request the memory system to fill the guest memory with a string of '80's. The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20230824164818.2652452-1-peter.maydell@linaro.org>
Diffstat (limited to 'hw/usb')
| -rw-r--r-- | hw/usb/hcd-xhci.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index b89b618ec2..324177ad5d 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -2434,7 +2434,6 @@ static void xhci_detach_slot(XHCIState *xhci, USBPort *uport) static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx) { dma_addr_t ctx; - uint8_t bw_ctx[xhci->numports+1]; DPRINTF("xhci_get_port_bandwidth()\n"); @@ -2442,11 +2441,10 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx) DPRINTF("xhci: bandwidth context at "DMA_ADDR_FMT"\n", ctx); - /* TODO: actually implement real values here */ - bw_ctx[0] = 0; - memset(&bw_ctx[1], 80, xhci->numports); /* 80% */ - if (dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx), - MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + /* TODO: actually implement real values here. This is 80% for all ports. */ + if (stb_dma(xhci->as, ctx, 0, MEMTXATTRS_UNSPECIFIED) != MEMTX_OK || + dma_memory_set(xhci->as, ctx + 1, 80, xhci->numports, + MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory write failed!\n", __func__); return CC_TRB_ERROR; |