From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37077)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a719n-0000vV-DQ
	for qemu-devel@nongnu.org; Thu, 10 Dec 2015 08:21:19 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a719j-0007BT-Bq
	for qemu-devel@nongnu.org; Thu, 10 Dec 2015 08:21:15 -0500
Received: from mx1.redhat.com ([209.132.183.28]:40145)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1a719j-0007BD-78
	for qemu-devel@nongnu.org; Thu, 10 Dec 2015 08:21:11 -0500
Date: Thu, 10 Dec 2015 18:51:04 +0530 (IST)
From: P J P <ppandit@redhat.com>
Message-ID: <alpine.LFD.2.20.1512101839390.2628@wniryva>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Subject: [Qemu-devel] [PATCH] usb: hcd-ehci: add check to avoid an infinite
	loop
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Qinghao Tang <luodalongde@gmail.com>, Gerd Hoffmann <kraxel@redhat.com>

   Hello Gerd,

An infinite loop issue was reported by Mr Qinghao Tang(CC'd), in the USB EHCI 
emulator. In that, a malicious isochronous transfer descriptor(iTD) list could 
unfold an infinite loop in the 'ehci_advance_state' routine, by always 
setting 'again = 0 or 1'.

Please see below a proposed (tested)patch to fix this issue. Does it look 
okay? Not sure if 'count=16' is good for an upper limit.

===
>>From 4c4f46e8cb7ef661c707b2c477187e1f52c21cc9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 10 Dec 2015 18:22:37 +0530
Subject: [PATCH] usb: hcd-ehci: add check to avoid an infinite loop

While communicating with the host controller interface(eHCI),
the driver makes use of an isochronous transfer descriptor(iTD)
list. When processing this list, USB EHCI emulator could run
into an infinite loop in 'ehci_advance_state' routine.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
  hw/usb/hcd-ehci.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..4e7e5db 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2000,7 +2000,7 @@ static int ehci_state_writeback(EHCIQueue *q)
  static void ehci_advance_state(EHCIState *ehci, int async)
  {
      EHCIQueue *q = NULL;
-    int again;
+    int again, count = 0;

      do {
          switch(ehci_get_state(ehci, async)) {
@@ -2076,7 +2076,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
              break;
          }

-        if (again < 0) {
+        count++;
+        if (again < 0 || count > 16) {
              fprintf(stderr, "processing error - resetting ehci HC\n");
              ehci_reset(ehci);
              again = 0;
-- 
2.4.3
===


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F