usb: hcd-ehci: add check to avoid an infinite loop

Message ID alpine.LFD.2.20.1512101839390.2628@wniryva
State New

Commit Message

Prasad Pandit Dec. 10, 2015, 1:21 p.m. UTC
Hello Gerd,

An infinite loop issue was reported by Mr Qinghao Tang (CC'd), in the USB EHCI 
emulator. In that, a malicious isochronous transfer descriptor (iTD) list could 
unfold an infinite loop in the 'ehci_advance_state' routine, by always 
setting 'again = 0 or 1'.

Please see below a proposed (tested) patch to fix this issue. Does it look 
okay? Not sure if 'count=16' is good for an upper limit.

Patch

===
From 4c4f46e8cb7ef661c707b2c477187e1f52c21cc9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 10 Dec 2015 18:22:37 +0530
Subject: [PATCH] usb: hcd-ehci: add check to avoid an infinite loop

While communicating with the host controller interface (EHCI),
the driver makes use of an isochronous transfer descriptor (iTD)
list. When processing this list, the USB EHCI emulator could run
into an infinite loop in the 'ehci_advance_state' routine.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
  hw/usb/hcd-ehci.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 4e2161b..4e7e5db 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2000,7 +2000,7 @@  static int ehci_state_writeback(EHCIQueue *q)
  static void ehci_advance_state(EHCIState *ehci, int async)
  {
      EHCIQueue *q = NULL;
-    int again;
+    int again, count = 0;

      do {
          switch(ehci_get_state(ehci, async)) {
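Review bot: `count` is introduced here as a bare `int` with no comment saying what it counts or why this loop needs a bound, so a reader has to find the `count > 16` test further down to learn that it is an iteration cap on the state machine. Suggest either a one-line comment at the declaration, e.g. `int again, count = 0; /* state-machine iterations, capped below */`, or a named limit (a hypothetical `EHCI_ADVANCE_MAX_ITERATIONS`, for instance) that is referenced both here and at the check, so the bound and its purpose are visible in one place.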
@@ -2076,7 +2076,8 @@  static void ehci_advance_state(EHCIState *ehci, int async)
              break;
          }

-        if (again < 0) {
+        count++;
+        if (again < 0 || count > 16) {
              fprintf(stderr, "processing error - resetting ehci HC\n");
              ehci_reset(ehci);
              again = 0;
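Review bot: the new `count > 16` condition is evaluated after the `switch` on every iteration, including one on which the state machine has already decided to stop (`again == 0`), so, assuming the loop continues only while `again` is nonzero as the cover letter describes, a schedule that legitimately needs exactly 17 transitions gets a "processing error" and a full `ehci_reset()` instead of finishing normally. The cap should only apply when the loop is about to continue, e.g. `if (again < 0 || (again > 0 && count > 16))`. Separately, 16 is a magic number with no rationale (the cover letter itself is unsure about it); a named constant with a comment on how the bound was chosen would make it reviewable, and since resetting the whole controller is a heavy response to what may simply be a long but valid descriptor list, it is worth confirming that real guests never exceed the bound under normal load before the limit is fixed at this value.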