[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch

From a0dad3b2a4841f70f96145a2f60ffd04e5d584ad Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 16 Feb 2016 15:34:14 +0530
Subject: [PATCH] usb: ohci avoid multiple eof timers

When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
state, it creates an eof timer object in 'ohci_bus_start'.
It does not check if one already exists. This results in memory
leakage and null dereference issue. Add a check to avoid it.

Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Conflicts:
	hw/usb/hcd-ohci.c
---
 hw/usb/hcd-ohci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index ffab561..ccd5ac4 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -1348,6 +1348,16 @@ static void ohci_frame_boundary(void *opaque)
  */
 static int ohci_bus_start(OHCIState *ohci)
 {
+    if (!ohci->eof_timer) {
+        ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+                                        ohci_frame_boundary, ohci);
+    }
+    if (!ohci->eof_timer) {
+        trace_usb_ohci_bus_eof_timer_failed(ohci->name);
+        ohci_die(ohci);
+        return 0;
+    }
+
     trace_usb_ohci_start(ohci->name);
 
     /* Delay the first SOF event by one frame time as
-- 
2.1.4
Commit	Line	Data
430fd895 TL	1	From a0dad3b2a4841f70f96145a2f60ffd04e5d584ad Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 16 Feb 2016 15:34:14 +0530
	4	Subject: [PATCH] usb: ohci avoid multiple eof timers
	5
	6	When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
	7	state, it creates an eof timer object in 'ohci_bus_start'.
	8	It does not check if one already exists. This results in memory
	9	leakage and null dereference issue. Add a check to avoid it.
	10
	11	Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13
	14	Conflicts:
	15	hw/usb/hcd-ohci.c
	16	---
	17	hw/usb/hcd-ohci.c \| 10 ++++++++++
	18	1 file changed, 10 insertions(+)
	19
	20	diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
	21	index ffab561..ccd5ac4 100644
	22	--- a/hw/usb/hcd-ohci.c
	23	+++ b/hw/usb/hcd-ohci.c
	24	@@ -1348,6 +1348,16 @@ static void ohci_frame_boundary(void *opaque)
	25	*/
	26	static int ohci_bus_start(OHCIState *ohci)
	27	{
	28	+ if (!ohci->eof_timer) {
	29	+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
	30	+ ohci_frame_boundary, ohci);
	31	+ }
	32	+ if (!ohci->eof_timer) {
	33	+ trace_usb_ohci_bus_eof_timer_failed(ohci->name);
	34	+ ohci_die(ohci);
	35	+ return 0;
	36	+ }
	37	+
	38	trace_usb_ohci_start(ohci->name);
	39
	40	/* Delay the first SOF event by one frame time as
	41	--
	42	2.1.4
	43