Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
qemu.28167
hw-usb-hcd-xhci-Fix-unbounded-loop-in-xh.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File hw-usb-hcd-xhci-Fix-unbounded-loop-in-xh.patch of Package qemu.28167
From: Thomas Huth <thuth@redhat.com> Date: Thu, 4 Aug 2022 15:13:00 +0200 Subject: hw/usb/hcd-xhci: Fix unbounded loop in xhci_ring_chain_length() (CVE-2020-14394) Git-commit: effaf5a240e03020f4ae953e10b764622c3e87cc References: bsc#1180207, CVE-2020-14394 The loop condition in xhci_ring_chain_length() is under control of the guest, and additionally the code does not check for failed DMA transfers (e.g. if reaching the end of the RAM), so the loop there could run for a very long time or even forever. Fix it by checking the return value of dma_memory_read() and by introducing a maximum loop length. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 Message-Id: <20220804131300.96368-1-thuth@redhat.com> Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Dario Faggioli <dfaggioli@suse.com> --- hw/usb/hcd-xhci.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 395f0923f7633c03f2359d503fbd..42867dd628bcadad2a524e58bf4b 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -21,6 +21,7 @@ #include "qemu/osdep.h" #include "qemu/timer.h" +#include "qemu/log.h" #include "qemu/module.h" #include "qemu/queue.h" #include "migration/vmstate.h" @@ -724,9 +725,13 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) bool control_td_set = 0; uint32_t link_cnt = 0; - while (1) { + do { TRBType type; - dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE); + if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", + __func__); + return -1; + } le64_to_cpus(&trb.parameter); le32_to_cpus(&trb.status); le32_to_cpus(&trb.control); @@ -760,7 +765,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) if (!control_td_set && !(trb.control & TRB_TR_CH)) { return length; } - } + + /* + * According to the xHCI spec, Transfer Ring segments should have + * a maximum size of 64 kB (see chapter "6 Data Structures") + */ + } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); + + qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n", + __func__); + + return -1; } static void xhci_er_reset(XHCIState *xhci, int v)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor