diff options
| author | Gerd Hoffmann <kraxel@redhat.com> | 2015-12-14 09:21:23 +0100 |
|---|---|---|
| committer | Timothy Pearson <tpearson@raptorengineering.com> | 2019-11-29 19:28:18 -0600 |
| commit | e5bfc7d00c78bb53e221d90540eba02a593a543b (patch) | |
| tree | a2328b3fde456e857eaa58b5dfc1a65aecc4185f /hw | |
| parent | d47d821b7422b72924e90c6290d7757541f3a8f1 (diff) | |
| download | hqemu-e5bfc7d00c78bb53e221d90540eba02a593a543b.zip hqemu-e5bfc7d00c78bb53e221d90540eba02a593a543b.tar.gz | |
ehci: make idt processing more robust
Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction. That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.
This is CVE-2015-8558.
Cc: qemu-stable@nongnu.org
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/usb/hcd-ehci.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 4e2161b..d07f228 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, { USBDevice *dev; USBEndpoint *ep; - uint32_t i, len, pid, dir, devaddr, endp; + uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; uint32_t pg, off, ptr1, ptr2, max, mult; ehci->periodic_sched_active = PERIODIC_ACTIVE; @@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, ehci_raise_irq(ehci, USBSTS_INT); } itd->transact[i] &= ~ITD_XACT_ACTIVE; + xfers++; } } - return 0; + return xfers ? 0 : -1; } |
