[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 5/5] ehci: make idt processing more robust
From: |
Gerd Hoffmann |
Subject: |
[Qemu-devel] [PULL 5/5] ehci: make idt processing more robust |
Date: |
Tue, 15 Dec 2015 11:02:33 +0100 |
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: address@hidden
Reported-by: Qinghao Tang <address@hidden>
Tested-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..d07f228 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
+ xfers++;
}
}
- return 0;
+ return xfers ? 0 : -1;
}
--
1.8.3.1
- [Qemu-devel] [PULL 0/5] usb: ehci idt fix, event support for mtp, Gerd Hoffmann, 2015/12/15
- [Qemu-devel] [PULL 2/5] usb-mtp: free objects on a mtp reset, Gerd Hoffmann, 2015/12/15
- [Qemu-devel] [PULL 4/5] usb-mtp: add support for basic mtp events, Gerd Hoffmann, 2015/12/15
- [Qemu-devel] [PULL 3/5] usb-mtp: Add support for inotify based file monitoring, Gerd Hoffmann, 2015/12/15
- [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust,
Gerd Hoffmann <=
- [Qemu-devel] [PULL 1/5] usb-mtp: use a list for keeping track of children, Gerd Hoffmann, 2015/12/15
- Re: [Qemu-devel] [PULL 0/5] usb: ehci idt fix, event support for mtp, Peter Maydell, 2015/12/17