motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-10 02:54:58 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

ehci: apply limit to iTD/sidt descriptors

Browse source 
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular iTD queue and let qemu ehci
emulation run in circles forever).  Unfortunately this has two problems:
First it misses the case of siTDs, and second it reportedly breaks
FreeBSD.

So lets go for a different approach: just count the number of iTDs and
siTDs we have seen per frame and apply a limit.  That should really
catch all cases now.

Reported-by: 杜少博 <dushaobo@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Gerd Hoffmann 2016-04-18 09:11:38 +02:00
parent c6c598ca5f
commit 1ae3f2f178
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hw/usb/hcd-ehci.c
View file

@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
static void ehci_advance_state(EHCIState *ehci, int async)
{
EHCIQueue *q = NULL;
int itd_count = 0;
int again;
do {
@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
case EST_FETCHITD:
again = ehci_state_fetchitd(ehci, async);
itd_count++;
break;
case EST_FETCHSITD:
again = ehci_state_fetchsitd(ehci, async);
itd_count++;
break;
case EST_ADVANCEQUEUE:
@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
break;
}
if (again < 0) {
if (again < 0 || itd_count > 16) {
/* TODO: notify guest (raise HSE irq?) */
fprintf(stderr, "processing error - resetting ehci HC\n");
ehci_reset(ehci);
again = 0;