ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
idts.

This is CVE-2015-8558.

Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
kraxel committed Dec 15, 2015
1 parent 93d592e commit 156a2e4
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
uint32_t i, len, pid, dir, devaddr, endp;
uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
uint32_t pg, off, ptr1, ptr2, max, mult;

ehci->periodic_sched_active = PERIODIC_ACTIVE;
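Review bot: the new `xfers = 0` counter at the end of the `uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;` declaration gets no comment, and its purpose (counting iTD transactions that were actually active and processed, so the function can report when it did no work) is only discoverable from the return statement at the bottom of the function. A one-line comment at the declaration, e.g. `/* number of active transactions processed; 0 means no work was done */`, would make the intent clear to the next reader and tie the counter to the loop-prevention rationale in the commit message.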
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
xfers++;
}
}
return 0;
return xfers ? 0 : -1;
}


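Review bot: `return xfers ? 0 : -1;` changes the contract of `ehci_process_itd` so that an iTD with no active transactions is now reported as a failure, but the caller that consumes this return value is not in the diff, so it should be confirmed that a non-zero result actually terminates the periodic-schedule walk (the commit message relies on this to stop a guest-built iTD loop); if the caller only logs or ignores the value, the fix does not achieve its goal. Two smaller points: the bare `-1` conflates "no active transaction" with a genuine error, so a comment such as `/* nothing was active: break the schedule walk to avoid looping on a guest-built iTD cycle */` above the return would document why an inactive iTD is treated as an error; and since `xfers` is incremented right after `itd->transact[i] &= ~ITD_XACT_ACTIVE;`, it only counts transactions that reached that point, which is the correct measure of work done and is worth stating explicitly in the same comment.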
