|
 |
78f4db5 |
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
78f4db5 |
Date: Mon, 14 Dec 2015 09:21:23 +0100
|
|
|
78f4db5 |
Subject: [PATCH] ehci: make idt processing more robust
|
|
|
78f4db5 |
|
|
|
78f4db5 |
Make ehci_process_itd return an error in case we didn't do any actual
|
|
|
78f4db5 |
iso transfer because we've found no active transaction. That'll avoid
|
|
|
78f4db5 |
ehci happily run in circles forever if the guest builds a loop out of
|
|
|
78f4db5 |
idts.
|
|
|
78f4db5 |
|
|
|
78f4db5 |
This is CVE-2015-8558.
|
|
|
78f4db5 |
|
|
|
78f4db5 |
Cc: qemu-stable@nongnu.org
|
|
|
78f4db5 |
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
|
78f4db5 |
Tested-by: P J P <ppandit@redhat.com>
|
|
|
78f4db5 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
78f4db5 |
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
|
|
|
78f4db5 |
---
|
|
|
78f4db5 |
hw/usb/hcd-ehci.c | 5 +++--
|
|
|
78f4db5 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
78f4db5 |
|
|
|
78f4db5 |
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|
|
78f4db5 |
index 4e2161b..d07f228 100644
|
|
|
78f4db5 |
--- a/hw/usb/hcd-ehci.c
|
|
|
78f4db5 |
+++ b/hw/usb/hcd-ehci.c
|
|
|
78f4db5 |
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
|
78f4db5 |
{
|
|
|
78f4db5 |
USBDevice *dev;
|
|
|
78f4db5 |
USBEndpoint *ep;
|
|
|
78f4db5 |
- uint32_t i, len, pid, dir, devaddr, endp;
|
|
|
78f4db5 |
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
|
|
78f4db5 |
uint32_t pg, off, ptr1, ptr2, max, mult;
|
|
|
78f4db5 |
|
|
|
78f4db5 |
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
|
|
78f4db5 |
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
|
78f4db5 |
ehci_raise_irq(ehci, USBSTS_INT);
|
|
|
78f4db5 |
}
|
|
|
78f4db5 |
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
|
|
78f4db5 |
+ xfers++;
|
|
|
78f4db5 |
}
|
|
|
78f4db5 |
}
|
|
|
78f4db5 |
- return 0;
|
|
|
78f4db5 |
+ return xfers ? 0 : -1;
|
|
|
78f4db5 |
}
|
|
|
78f4db5 |
|
|
|
78f4db5 |
|