Message-ID: <1450081804.25336.3.camel@redhat.com>
From: Gerd Hoffmann
Date: Mon, 14 Dec 2015 09:30:04 +0100
Subject: Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop
To: P J P
Cc: Qinghao Tang, qemu-devel@nongnu.org

On Thu, 2015-12-10 at 18:51 +0530, P J P wrote:
> Hello Gerd,
>
> An infinite loop issue was reported by Mr Qinghao Tang (CC'd), in the USB EHCI
> emulator. In that, a malicious isochronous transfer descriptor (iTD) list could
> unfold an infinite loop in the 'ehci_advance_state' routine, by always
> setting 'again = 0 or 1'.
>
> Please see below a proposed (tested) patch to fix this issue. Does it look
> okay? Not sure if 'count=16' is good for an upper limit.

Can you test the attached patch please?

In case it doesn't fix the bug: Can you forward the reproducer to me?
thanks,
  Gerd

[Attachment: 0001-ehci-make-idt-processing-more-robust.patch (text/x-patch)]

From 6887f2191807c2b3eb7b20a61ba5d63c3695a95d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 14 Dec 2015 09:21:23 +0100
Subject: [PATCH] ehci: make idt processing more robust

Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily run in circles forever if the guest builds a loop out of
idts.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-ehci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..d07f228 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
 {
     USBDevice *dev;
     USBEndpoint *ep;
-    uint32_t i, len, pid, dir, devaddr, endp;
+    uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
     uint32_t pg, off, ptr1, ptr2, max, mult;
 
     ehci->periodic_sched_active = PERIODIC_ACTIVE;
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
                 ehci_raise_irq(ehci, USBSTS_INT);
             }
             itd->transact[i] &= ~ITD_XACT_ACTIVE;
+            xfers++;
         }
     }
-    return 0;
+    return xfers ? 0 : -1;
 }
 
 
-- 
1.8.3.1
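Review bot: in the first hunk (the declaration block at the top of ehci_process_itd), the new counter `xfers` is appended to the list of loop and descriptor variables with no comment on what it counts, even though its value now decides the function's return; a short comment such as `/* active transactions actually serviced */` and a separate declaration line for `xfers = 0` would make the initialisation and its role easier to see.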
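Review bot: in the second hunk, the new `return xfers ? 0 : -1;` only breaks the guest-built iTD loop if the caller of ehci_process_itd treats the nonzero return as a reason to stop advancing the schedule, and that caller is not part of this diff; the commit message says only "return an error" and should name which caller acts on it so the fix can be reviewed end to end. Also, the subject and body say "idt"/"idts" where the code and the rest of the thread say iTD (`itd`); worth correcting before merge.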