aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2016-04-19 12:10:30 +0100
committerPeter Maydell <peter.maydell@linaro.org>2016-04-19 12:10:30 +0100
commitef5d5641f5f35f64a7f150bb3593dae0c08f236d (patch)
treed902faa4504a0bfc6ed6f87bfadd2665f7e73163
parentbb97bfd90194eb3c6995b446643af4818a142805 (diff)
parenta49923d2837d20510d645d3758f1ad87c32d0730 (diff)
downloadqemu-arm-ef5d5641f5f35f64a7f150bb3593dae0c08f236d.tar.gz
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20160419-1' into staging
ehci: fix (s)iTD looping issue (CVE-2015-8558) in a different way. # gpg: Signature made Tue 19 Apr 2016 07:22:22 BST using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-usb-20160419-1: Revert "ehci: make idt processing more robust" ehci: apply limit to iTD/sidt descriptors Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--hw/usb/hcd-ehci.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 159f58d5a0..43a8f7abcc 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci,
{
USBDevice *dev;
USBEndpoint *ep;
- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t i, len, pid, dir, devaddr, endp;
uint32_t pg, off, ptr1, ptr2, max, mult;
ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci,
ehci_raise_irq(ehci, USBSTS_INT);
}
itd->transact[i] &= ~ITD_XACT_ACTIVE;
- xfers++;
}
}
- return xfers ? 0 : -1;
+ return 0;
}
@@ -2011,6 +2010,7 @@ static int ehci_state_writeback(EHCIQueue *q)
static void ehci_advance_state(EHCIState *ehci, int async)
{
EHCIQueue *q = NULL;
+ int itd_count = 0;
int again;
do {
@@ -2035,10 +2035,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
case EST_FETCHITD:
again = ehci_state_fetchitd(ehci, async);
+ itd_count++;
break;
case EST_FETCHSITD:
again = ehci_state_fetchsitd(ehci, async);
+ itd_count++;
break;
case EST_ADVANCEQUEUE:
@@ -2087,7 +2089,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
break;
}
- if (again < 0) {
+ if (again < 0 || itd_count > 16) {
+ /* TODO: notify guest (raise HSE irq?) */
fprintf(stderr, "processing error - resetting ehci HC\n");
ehci_reset(ehci);
again = 0;