Commit 156a2e4d authored by Gerd Hoffmann

ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
idts.

This is CVE-2015-8558.

Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent 93d592e3
+3 −2
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
    USBDevice *dev;
    USBEndpoint *ep;
    uint32_t i, len, pid, dir, devaddr, endp;
    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
    uint32_t pg, off, ptr1, ptr2, max, mult;

    ehci->periodic_sched_active = PERIODIC_ACTIVE;
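Review bot: the new `xfers` counter added on the declaration line now decides the function's return value, but nothing at the declaration says what it counts; a one-line comment there (for example `xfers = 0; /* active transactions actually processed */`) would tell later readers that a zero count is what becomes the error return at the end of the function.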
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
                ehci_raise_irq(ehci, USBSTS_INT);
            }
            itd->transact[i] &= ~ITD_XACT_ACTIVE;
            xfers++;
        }
    }
    return 0;
    return xfers ? 0 : -1;
}
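Review bot: `return xfers ? 0 : -1;` turns an iTD whose transactions are all inactive into an error, and that is also the normal state of an iTD whose transactions have already been completed and had ITD_XACT_ACTIVE cleared by this same loop, not only the guest-built loop of iTDs the commit message targets. Please confirm that the caller of ehci_process_itd uses the -1 only to stop walking the current periodic frame (which is what terminates the loop described in the commit message) rather than escalating it into a host-controller error, and consider a short comment on the return line stating that -1 means "no active transaction processed, stop here" so the intent survives the next refactor.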