Message ID | 1460971643-1499-1-git-send-email-kraxel@redhat.com (mailing list archive) |
---|---|
State | New, archived |
+-- On Mon, 18 Apr 2016, Gerd Hoffmann wrote --+
| Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
| DoS by the guest (create a circular itd queue and let qemu ehci
| emulation run in circles forever). Unfortunaly this has two problems:
| First it misses the case of sitds, and second it reportly breaks
| freebsd.
|
| So lets go for a different approach: just count the number of itds and
| sitds we have seen per frame and apply a limit. That should really
| catch all cases now.

  idt -> iTD
  sitd -> siTD
  Unfortunaly -> Unfortunately
  reportly -> reportedly
  freebsd -> FreeBSD

Perhaps it'll help to add "Fixes: 156a2e4(CVE-2015-8558)" to the commit log?
(just a thought)

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 159f58d..923f110 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q) static void ehci_advance_state(EHCIState *ehci, int async) { EHCIQueue *q = NULL; + int idt_count = 0; int again; do { @@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async) case EST_FETCHITD: again = ehci_state_fetchitd(ehci, async); + idt_count++; break; case EST_FETCHSITD: again = ehci_state_fetchsitd(ehci, async); + idt_count++; break; case EST_ADVANCEQUEUE: @@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async) ehci_reset(ehci); again = 0; } + + /* limit the amout of idts we are willing to process each frame */ + if (idt_count > 16) { + again = 0; + } } while (again); }
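Review bot: in the second hunk `idt_count++` is added to both the EST_FETCHITD and the EST_FETCHSITD cases, so the counter covers siTDs as well as iTDs, but its name (and the `limit the amout of idts` comment in the last hunk) says iTDs only. Suggest `td_count`, or a comment on the `int idt_count = 0;` declaration in the first hunk saying it counts both, so a later reader does not assume the siTD path is unguarded, which is exactly the gap the commit message says 156a2e4 left.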
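Review bot: in the last hunk the limit is a bare `16` and the comment misspells "amount" (`amout`). Suggest a named constant with a one-line rationale for why 16 is enough for a legitimate periodic schedule, e.g. `#define EHCI_MAX_TDS_PER_FRAME 16`, and a trace point where `again = 0` is set when the limit fires: the loop currently stops silently, so a guest that merely schedules a lot of isochronous traffic looks the same as a malicious circular list, and the commit message itself notes that the previous attempt reportedly broke FreeBSD.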
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular itd queue and let qemu ehci
emulation run in circles forever). Unfortunately this has two problems:
First it misses the case of sitds, and second it reportedly breaks
FreeBSD.

So let's go for a different approach: just count the number of itds and
sitds we have seen per frame and apply a limit. That should really
catch all cases now.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-ehci.c | 8 ++++++++
 1 file changed, 8 insertions(+)
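The commit message describes the mitigation in one sentence: count the iTDs and siTDs seen while walking a frame and stop once a limit is reached, rather than trying to detect the loop itself. The following is an added toy model of that idea, not QEMU's code: guest "memory" is a constructed array of descriptors linked by index, and `walk_frame` follows the links until either the terminate bit or a per-frame budget ends the walk. All names (`struct td`, `walk_frame`, `MAX_TDS_PER_FRAME`, the sample arrays) are hypothetical; the budget of 16 mirrors the value chosen in the patch. It also covers a loop built only from siTDs, the case the commit message says the earlier fix missed.

```c
/*
 * Added example, not QEMU code: a toy model of an EHCI periodic frame
 * walk with a per-frame transfer-descriptor budget. Guest memory is an
 * array of iTD/siTD descriptors linked by index. All names here are
 * hypothetical; MAX_TDS_PER_FRAME mirrors the limit in the patch.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINK_T            0x1u               /* EHCI-style terminate bit */
#define LINK(i)           ((uint32_t)(i) << 1) /* link pointer to descriptor i */
#define LINK_END          LINK_T             /* end of list */
#define MAX_TDS_PER_FRAME 16                 /* budget per frame, as in the patch */

enum td_type { TD_ITD, TD_SITD };

struct td {
    uint32_t next;      /* link pointer to the next descriptor */
    enum td_type type;
};

struct walk_stats {
    int itds;           /* iTDs processed this frame */
    int sitds;          /* siTDs processed this frame */
    bool truncated;     /* budget, not LINK_END, ended the walk */
};

/*
 * Process one frame starting at link pointer `head`. Returns the number
 * of descriptors handled, or -1 on a link outside guest memory (the real
 * emulation treats such errors by resetting the controller).
 */
static int walk_frame(const struct td *mem, size_t nmem, uint32_t head,
                      int budget, struct walk_stats *st)
{
    uint32_t link = head;
    st->itds = st->sitds = 0;
    st->truncated = false;

    while (!(link & LINK_T)) {
        uint32_t idx = link >> 1;            /* strip the T bit */
        if (idx >= nmem) {
            return -1;
        }
        if (st->itds + st->sitds >= budget) {
            st->truncated = true;            /* no more guest-controlled work this frame */
            break;
        }
        if (mem[idx].type == TD_ITD) {
            st->itds++;
        } else {
            st->sitds++;
        }
        link = mem[idx].next;                /* guest controls this; may point anywhere */
    }
    return st->itds + st->sitds;
}

/* Constructed sample: well-formed frame, iTD -> iTD -> siTD -> end. */
static const struct td good_mem[] = {
    { LINK(1),  TD_ITD },
    { LINK(2),  TD_ITD },
    { LINK_END, TD_SITD },
};

/* Constructed sample: guest-built cycle iTD -> siTD -> iTD -> first iTD. */
static const struct td loop_mem[] = {
    { LINK(1), TD_ITD },
    { LINK(2), TD_SITD },
    { LINK(0), TD_ITD },
};

/* Constructed sample: cycle made only of siTDs. */
static const struct td sitd_loop_mem[] = {
    { LINK(1), TD_SITD },
    { LINK(0), TD_SITD },
};

/* Constructed sample: link to an index that does not exist. */
static const struct td bad_link_mem[] = {
    { LINK(5), TD_ITD },
};

static int run_good(struct walk_stats *st)
{
    return walk_frame(good_mem, 3, LINK(0), MAX_TDS_PER_FRAME, st);
}
static int run_loop(struct walk_stats *st)
{
    return walk_frame(loop_mem, 3, LINK(0), MAX_TDS_PER_FRAME, st);
}
static int run_sitd_loop(struct walk_stats *st)
{
    return walk_frame(sitd_loop_mem, 2, LINK(0), MAX_TDS_PER_FRAME, st);
}
static int run_bad_link(struct walk_stats *st)
{
    return walk_frame(bad_link_mem, 1, LINK(0), MAX_TDS_PER_FRAME, st);
}

int main(void)
{
    struct walk_stats st;
    int n = run_good(&st);
    printf("good frame: %d TDs (%d iTD, %d siTD), truncated=%d\n",
           n, st.itds, st.sitds, st.truncated);
    n = run_loop(&st);
    printf("mixed loop: %d TDs, truncated=%d\n", n, st.truncated);
    n = run_sitd_loop(&st);
    printf("siTD-only loop: %d TDs, truncated=%d\n", n, st.truncated);
    n = run_bad_link(&st);
    printf("bad link: rc=%d\n", n);
    return 0;
}
```

The point of the model is that the guard never inspects the list shape: a well-formed frame of three descriptors finishes normally, while both cycles stop after exactly 16 descriptors regardless of whether the cycle passes through iTDs, siTDs or a mix, so the amount of emulation time a guest can buy with one frame is bounded by a constant rather than by the structure it built.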