Blame 0002-ehci-make-idt-processing-more-robust.patch

78f4db
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 14 Dec 2015 09:21:23 +0100
Subject: [PATCH] ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
---
 hw/usb/hcd-ehci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..d07f228 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
 {
     USBDevice *dev;
     USBEndpoint *ep;
-    uint32_t i, len, pid, dir, devaddr, endp;
+    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
     uint32_t pg, off, ptr1, ptr2, max, mult;
 
     ehci->periodic_sched_active = PERIODIC_ACTIVE;
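Review bot: the new `xfers = 0` counter is appended to the end of an already long declaration list (`uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;`), which makes the only initialised variable easy to overlook; a separate `uint32_t xfers = 0;` line, ideally with a comment that it counts transactions actually processed, would make the intent of the fix visible at the declaration. Also worth a second look in this hunk: `ehci->periodic_sched_active = PERIODIC_ACTIVE;` is still set unconditionally before any transaction has been examined, so the schedule is marked active even on the path where the function now reports that nothing was transferred; confirm that is the intended behaviour for the loop-of-iTDs case the commit message describes.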
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
                 ehci_raise_irq(ehci, USBSTS_INT);
             }
             itd->transact[i] &= ~ITD_XACT_ACTIVE;
+            xfers++;
         }
     }
-    return 0;
+    return xfers ? 0 : -1;
 }
 
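Review bot: `return xfers ? 0 : -1;` introduces a new error return for a function whose callers are not in this diff, and nothing in the hunk documents what -1 means; add a short comment above the return (e.g. "no active transaction found: tell the caller to stop walking the periodic schedule") so the next reader does not treat it as a generic failure, and double-check that every caller of `ehci_process_itd` treats a non-zero result as a stop condition, since the loop-breaking behaviour described in the commit message depends entirely on that. Note also that `xfers++` sits immediately after `itd->transact[i] &= ~ITD_XACT_ACTIVE;`, so only transactions that reach the point of being marked inactive are counted; any earlier exit from the loop body for a transaction will leave it uncounted, which is the desired semantics here but is worth stating explicitly.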