[Qemu-devel] [PATCH 01/35] ehci: make idt processing more robust
From: Michael Roth
Subject: [Qemu-devel] [PATCH 01/35] ehci: make idt processing more robust
Date: Mon, 21 Mar 2016 12:27:59 -0500
From: Gerd Hoffmann <address@hidden>
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: address@hidden
Reported-by: Qinghao Tang <address@hidden>
Tested-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
Signed-off-by: Michael Roth <address@hidden>
---
hw/usb/hcd-ehci.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..d07f228 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
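Review bot: the new counter in `uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;` is introduced without any indication of what it counts, and its only use is the `return xfers ? 0 : -1;` at the bottom of the function; a short comment beside the declaration (for example `/* transactions actually processed in this iTD */`) would make the intent of the later return value clear to anyone reading this function in isolation.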
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
+ xfers++;
}
}
- return 0;
+ return xfers ? 0 : -1;
}
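Review bot: `return xfers ? 0 : -1;` changes the function's contract from "always 0" to "-1 when no transaction in the iTD was active", but the caller is not part of this diff, so the reviewer should confirm that the periodic-schedule walker treats -1 as "stop following this descriptor chain" rather than as an error that aborts unrelated work; a one-line comment above the return stating that -1 means "nothing was transferred, do not keep looping" would document that contract in the code itself. The placement of `xfers++` directly after `itd->transact[i] &= ~ITD_XACT_ACTIVE;` is the right spot, since it counts only transactions that were actually completed and deactivated; a guest-built loop of iTDs whose transactions are all inactive therefore now terminates on the first pass, which matches the CVE-2015-8558 description in the commit message.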
--
1.9.1