* [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop @ 2015-12-10 13:21 P J P 2015-12-14 8:30 ` Gerd Hoffmann 0 siblings, 1 reply; 6+ messages in thread From: P J P @ 2015-12-10 13:21 UTC (permalink / raw) To: qemu-devel; +Cc: Qinghao Tang, Gerd Hoffmann Hello Gerd, An infinite loop issue was reported by Mr Qinghao Tang(CC'd), in the USB EHCI emulator. In that, a malicious isochronous transfer descriptor(iTD) list could unfold an infinite loop in the 'ehci_advance_state' routine, by always setting 'again = 0 or 1'. Please see below a proposed (tested)patch to fix this issue. Does it look okay? Not sure if 'count=16' is good for an upper limit. === >From 4c4f46e8cb7ef661c707b2c477187e1f52c21cc9 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit <pjp@fedoraproject.org> Date: Thu, 10 Dec 2015 18:22:37 +0530 Subject: [PATCH] usb: hcd-ehci: add check to avoid an infinite loop While communicating with the host controller interface(eHCI), the driver makes use of an isochronous transfer descriptor(iTD) list. When processing this list, USB EHCI emulator could run into an infinite loop in 'ehci_advance_state' routine. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> --- hw/usb/hcd-ehci.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 4e2161b..4e7e5db 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -2000,7 +2000,7 @@ static int ehci_state_writeback(EHCIQueue *q) static void ehci_advance_state(EHCIState *ehci, int async) { EHCIQueue *q = NULL; - int again; + int again, count = 0; do { switch(ehci_get_state(ehci, async)) { @@ -2076,7 +2076,8 @@ static void ehci_advance_state(EHCIState *ehci, int async) break; } - if (again < 0) { + count++; + if (again < 0 || count > 16) { fprintf(stderr, "processing error - resetting ehci HC\n"); ehci_reset(ehci); again = 0; -- 2.4.3 === Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop 2015-12-10 13:21 [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop P J P @ 2015-12-14 8:30 ` Gerd Hoffmann 2015-12-14 10:03 ` P J P 0 siblings, 1 reply; 6+ messages in thread From: Gerd Hoffmann @ 2015-12-14 8:30 UTC (permalink / raw) To: P J P; +Cc: Qinghao Tang, qemu-devel [-- Attachment #1: Type: text/plain, Size: 615 bytes --] On Do, 2015-12-10 at 18:51 +0530, P J P wrote: > Hello Gerd, > > An infinite loop issue was reported by Mr Qinghao Tang(CC'd), in the USB EHCI > emulator. In that, a malicious isochronous transfer descriptor(iTD) list could > unfold an infinite loop in the 'ehci_advance_state' routine, by always > setting 'again = 0 or 1'. > > Please see below a proposed (tested)patch to fix this issue. Does it look > okay? Not sure if 'count=16' is good for an upper limit. Can you test the attached patch please? In case it doesn't fix the bug: Can you forward the reproducer to me? thanks, Gerd [-- Attachment #2: Type: text/x-patch, Size: 1290 bytes --] From 6887f2191807c2b3eb7b20a61ba5d63c3695a95d Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann <kraxel@redhat.com> Date: Mon, 14 Dec 2015 09:21:23 +0100 Subject: [PATCH] ehci: make idt processing more robust Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily run in circles forever if the guest builds a loop out of idts. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/usb/hcd-ehci.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 4e2161b..d07f228 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, { USBDevice *dev; USBEndpoint *ep; - uint32_t i, len, pid, dir, devaddr, endp; + uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; uint32_t pg, off, ptr1, ptr2, max, mult; ehci->periodic_sched_active = PERIODIC_ACTIVE; @@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, ehci_raise_irq(ehci, USBSTS_INT); } itd->transact[i] &= ~ITD_XACT_ACTIVE; + xfers++; } } - return 0; + return xfers ? 0 : -1; } -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop 2015-12-14 8:30 ` Gerd Hoffmann @ 2015-12-14 10:03 ` P J P 2015-12-14 10:26 ` Gerd Hoffmann 0 siblings, 1 reply; 6+ messages in thread From: P J P @ 2015-12-14 10:03 UTC (permalink / raw) To: qemu-devel; +Cc: Qinghao Tang, Gerd Hoffmann Hello Gerd, +-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ | Can you test the attached patch please? In case it doesn't fix the bug: Yes, it did fix the infinite loop issue. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop 2015-12-14 10:03 ` P J P @ 2015-12-14 10:26 ` Gerd Hoffmann 2015-12-14 10:46 ` P J P 0 siblings, 1 reply; 6+ messages in thread From: Gerd Hoffmann @ 2015-12-14 10:26 UTC (permalink / raw) To: P J P; +Cc: Qinghao Tang, qemu-devel On Mo, 2015-12-14 at 15:33 +0530, P J P wrote: > Hello Gerd, > > +-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ > | Can you test the attached patch please? In case it doesn't fix the bug: > > Yes, it did fix the infinite loop issue. Good. Is there a cve number for that one which I can add to the commit message? thanks, Gerd ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop 2015-12-14 10:26 ` Gerd Hoffmann @ 2015-12-14 10:46 ` P J P 2015-12-14 10:58 ` Gerd Hoffmann 0 siblings, 1 reply; 6+ messages in thread From: P J P @ 2015-12-14 10:46 UTC (permalink / raw) To: Gerd Hoffmann; +Cc: Qinghao Tang, qemu-devel +-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ | Good. Is there a cve number for that one which I can add to the commit | message? No, not yet. I'll request one, once it is approved for the upstream. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop 2015-12-14 10:46 ` P J P @ 2015-12-14 10:58 ` Gerd Hoffmann 0 siblings, 0 replies; 6+ messages in thread From: Gerd Hoffmann @ 2015-12-14 10:58 UTC (permalink / raw) To: P J P; +Cc: Qinghao Tang, qemu-devel On Mo, 2015-12-14 at 16:16 +0530, P J P wrote: > +-- On Mon, 14 Dec 2015, Gerd Hoffmann wrote --+ > | Good. Is there a cve number for that one which I can add to the commit > | message? > > No, not yet. I'll request one, once it is approved for the upstream. Ok, sending out for review without cve number then. cheers, Gerd ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-12-14 10:58 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-12-10 13:21 [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite loop P J P 2015-12-14 8:30 ` Gerd Hoffmann 2015-12-14 10:03 ` P J P 2015-12-14 10:26 ` Gerd Hoffmann 2015-12-14 10:46 ` P J P 2015-12-14 10:58 ` Gerd Hoffmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).