File CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_a... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch of Package xen (Revision dbf2eede0f22d32a0cc48154739aa8fe)

Currently displaying revision dbf2eede0f22d32a0cc48154739aa8fe , Show latest

References: bsc#959006 CVE-2015-8558

Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.

Reported-by: Qinghao Tang <address@hidden>
Tested-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/hcd-ehci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Index: xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -1472,7 +1472,7 @@ static int ehci_process_itd(EHCIState *e
 {
     USBDevice *dev;
     USBEndpoint *ep;
-    uint32_t i, len, pid, dir, devaddr, endp;
+    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
     uint32_t pg, off, ptr1, ptr2, max, mult;
 
     ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1562,9 +1562,10 @@ static int ehci_process_itd(EHCIState *e
                 ehci_raise_irq(ehci, USBSTS_INT);
             }
             itd->transact[i] &= ~ITD_XACT_ACTIVE;
+            xfers++;
         }
     }
-    return 0;
+    return xfers ? 0 : -1;
 }

Places

File CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch of Package xen (Revision dbf2eede0f22d32a0cc48154739aa8fe)

Places