Message ID | 20200915182259.68522-1-ppandit@redhat.com (mailing list archive) |
---|---|
Series | hw: usb: hcd-ohci: fix oob access and loop issues |

On Tue, Sep 15, 2020 at 11:52:57PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Hello,
>
> * While servicing transfer descriptors(TD) in ohci_service[_iso]_td
>   routines, it may lead to out-of-bounds access and/or infinite loop
>   issues, as the OHCI controller driver may supply malicious values
>   to derive frame_number, start_addr, end_addr etc. variables.
>
> * This series breaks earlier single patch into two.
>   One for an out-of-bounds access issue and another to fix infinite
>   loop case.
>   -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05145.html

Added to usb patch queue.

thanks,
  Gerd

From: Prasad J Pandit <pjp@fedoraproject.org>

Hello,

* While servicing transfer descriptors(TD) in ohci_service[_iso]_td
  routines, it may lead to out-of-bounds access and/or infinite loop
  issues, as the OHCI controller driver may supply malicious values
  to derive frame_number, start_addr, end_addr etc. variables.

* This series breaks earlier single patch into two.
  One for an out-of-bounds access issue and another to fix infinite
  loop case.
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05145.html

Thank you.
--
Prasad J Pandit (2):
  hw: usb: hcd-ohci: check len and frame_number variables
  hw: usb: hcd-ohci: check for processed TD before retire

 hw/usb/hcd-ohci.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

--
2.26.2