[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] Guest OS hangs on usb_add
From: |
TJ |
Subject: |
Re: [Qemu-devel] Guest OS hangs on usb_add |
Date: |
Fri, 25 Jun 2010 13:23:01 -0400 |
User-agent: |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100624 Thunderbird/3.0.5 ThunderBrowse/3.2.8.1 |
On 06/25/10 12:32, Gianni Tedesco wrote:
> A device MAY provide extended descriptors in 2 ways mentioned in the
> spec, but ISTR finding at least one device in the wild with standard
> descriptors extended which were not so much used by the "host" but by
> application software. So not sure about your patch, a quirks blacklist
> based on idDevice/idProduct might be the better fix here.
Makes sense. I should add vend/prod id check.
> However the more serious problem is spinning on zero length descriptor
> when truncated descriptors are not valid and zero length (in fact < 2)
> is totally unacceptable. Following patch checks for truncation.
Gianni, Please check my later patch submitted last night. I basically did the
same thing you did, but with few differences:
- if descriptor size is < 2, goto fail
- if the descriptor is USB_DT_CONFIG, we can skip through all the sub
descriptors using wTotalLength field.
- otherwise, simply skip it
One thing to also watch out for is the string descriptors. I might be wrong, but
it appears (from reading the doc) that string descriptors (at least for the
device descriptor) can be interspersed with the config descriptors, in which
case (config_descr_len < USB_DT_CONFIG_SIZE) without checking descriptor type
might unwittingly lead to failure.
-TJ
> diff --git a/hw/usb.h b/hw/usb.h
> index 00d2802..efd4a65 100644
> --- a/hw/usb.h
> +++ b/hw/usb.h
> @@ -117,6 +117,14 @@
> #define USB_DT_INTERFACE 0x04
> #define USB_DT_ENDPOINT 0x05
>
> +/*
> + * Descriptor sizes per descriptor type
> + */
> +#define USB_DT_DEVICE_SIZE 18
> +#define USB_DT_CONFIG_SIZE 9
> +#define USB_DT_INTERFACE_SIZE 9
> +#define USB_DT_ENDPOINT_SIZE 7
> +
> #define USB_ENDPOINT_XFER_CONTROL 0
> #define USB_ENDPOINT_XFER_ISOC 1
> #define USB_ENDPOINT_XFER_BULK 2
> diff --git a/usb-linux.c b/usb-linux.c
> index 88273ff..d259290 100644
> --- a/usb-linux.c
> +++ b/usb-linux.c
> @@ -299,7 +299,7 @@ static int usb_host_claim_interfaces(USBHostDevice *dev,
> int configuration)
>
> i = 0;
> dev_descr_len = dev->descr[0];
> - if (dev_descr_len > dev->descr_len) {
> + if ( dev_descr_len < USB_DT_DEVICE_SIZE || dev_descr_len >
> dev->descr_len) {
> goto fail;
> }
>
> @@ -314,6 +314,8 @@ static int usb_host_claim_interfaces(USBHostDevice *dev,
> int configuration)
> continue;
> }
> config_descr_len = dev->descr[i];
> + if ( config_descr_len < USB_DT_CONFIG_SIZE )
> + goto fail;
>
> printf("husb: config #%d need %d\n", dev->descr[i + 5],
> configuration);
>
Re: [Qemu-devel] Guest OS hangs on usb_add, Markus Armbruster, 2010/06/24