qemu: CVE-2017-6505

Quick Emulator built with the USB OHCI Emulation support is vulnerable to an
infinite loop issue. It could occur while processing an endpoint list
descriptor in ohci_service_ed_list().

A guest user/process could use this flaw to crash Qemu process resulting in DoS.

References:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6505
Upstream patch:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

2 files changed, 57 insertions, 0 deletions

diff --git a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
new file mode 100644
index 0000000..a939e85
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
@@ -0,0 +1,56 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+CVE: CVE-2017-6505
+Upstream-Status: Backport [backport from v2.9.0-rc0~85^2~8]
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+ 
+ #define OHCI_MAX_PORTS 15
+ 
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+ 
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+     uint32_t next_ed;
+     uint32_t cur;
+     int active;
+-
++    uint32_t link_cnt = 0;
+     active = 0;
+ 
+     if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+ 
+         next_ed = ed.next & OHCI_DPTR_MASK;
+ 
++        if (++link_cnt > ED_LINK_LIMIT) {
++            ohci_die(ohci);
++            return 0;
++        }
++
+         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+             uint32_t addr;
+             /* Cancel pending packets for ED that have been paused.  */
+-- 
+1.9.1
+
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
index 8a73d1f..8db32c5 100644
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://0001-CVE-2017-2620.patch \
             file://0002-CVE-2017-2620.patch \
             file://CVE-2017-7471.patch \
+            file://CVE-2017-6505.patch \
            "