X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=debian%2Fpatches%2Fold%2FCVE-2015-8558-ehci_make_idt_processing_more_robust.patch;fp=debian%2Fpatches%2Fold%2FCVE-2015-8558-ehci_make_idt_processing_more_robust.patch;h=743b68d2ec423ce718b336e95deef605fe461a72;hb=8e7c96604a7bd795fd445e772ab77f74155af301;hp=0000000000000000000000000000000000000000;hpb=259e9b41bf9ac008252f3b46bb597e662d3fc966;p=pve-qemu-kvm.git
diff --git a/debian/patches/old/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch b/debian/patches/old/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
new file mode 100644
index 0000000..743b68d
--- /dev/null
+++ b/debian/patches/old/CVE-2015-8558-ehci_make_idt_processing_more_robust.patch
@@ -0,0 +1,49 @@
+From: Gerd Hoffmann
+Subject: [Qemu-devel] [PULL 5/5] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction. That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang
+Tested-by: P J P
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp;
++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
++ xfers++;
+ }
+ }
+- return 0;
++ return xfers ? 0 : -1;
+ }
+
+
+--
+1.8.3.1
+
+
+
+
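Review bot: `return xfers ? 0 : -1;` at the end of ehci_process_itd reports every iTD with no active transaction slot as an error, so the loop guard depends entirely on how the caller reacts to a non-zero result, and that caller is not in either inner hunk. If the caller treats the value as a processing failure, a guest that legitimately leaves an inactive iTD linked in the periodic schedule would take the same path as a deliberately built loop; that is worth confirming against the fetch code before relying on this patch. The check also sits only in iTD processing, so other periodic descriptor types, if they can be chained the same way, would presumably need their own bound (a per-frame descriptor limit would cover both). At minimum the return deserves a comment such as `/* no active transaction: fail so a guest-built iTD loop cannot keep the schedule walk spinning (CVE-2015-8558) */`. The body of ehci_process_itd starts before and continues between the two inner hunks, so the loop that increments `xfers` is only partly visible here.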