From 534a1c7f012e2099ce83bcab35c25cd587c9f3af Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 29 Aug 2017 10:29:29 +0200
Subject: qemu: CVE-2017-6505
Quick Emulator built with the USB OHCI Emulation support is vulnerable to an infinite loop issue. It could occur while processing an endpoint list descriptor in ohci_service_ed_list(). A guest user/process could use this flaw to crash Qemu process resulting in DoS.
References:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6505
Upstream patch:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 recipes-devtools/qemu/qemu/CVE-2017-6505.patch | 56 ++++++++++++++++++++++++++
 recipes-devtools/qemu/qemu_%.bbappend | 1 +
 2 files changed, 57 insertions(+)
 create mode 100644 recipes-devtools/qemu/qemu/CVE-2017-6505.patch
(limited to 'recipes-devtools')
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
new file mode 100644
index 0000000..a939e85
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
@@ -0,0 +1,56 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+CVE: CVE-2017-6505
+Upstream-Status: Backport [backport from v2.9.0-rc0~85^2~8]
+
+Signed-off-by: Li Qiang
+Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sona Sarmadi
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+
+ #define OHCI_MAX_PORTS 15
+
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+ uint32_t next_ed;
+ uint32_t cur;
+ int active;
+-
++ uint32_t link_cnt = 0;
+ active = 0;
+
+ if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+
+ next_ed = ed.next & OHCI_DPTR_MASK;
+
++ if (++link_cnt > ED_LINK_LIMIT) {
++ ohci_die(ohci);
++ return 0;
++ }
++
+ if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+ uint32_t addr;
+ /* Cancel pending packets for ED that have been paused. */
+--
+1.9.1
+
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
index 8a73d1f..8db32c5 100644
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -4,4 +4,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://0001-CVE-2017-2620.patch \
 file://0002-CVE-2017-2620.patch \
 file://CVE-2017-7471.patch \
+ file://CVE-2017-6505.patch \
 "
-- cgit v1.2.3-54-g00ecf
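Review bot: `#define ED_LINK_LIMIT 4` in the backported hcd-ohci.c hunk is a very tight bound — each ED on a control or bulk list describes one endpoint and counts as one link, so a legitimate guest with more than four EDs queued on a single list exceeds it and `ohci_die(ohci)` takes the whole controller down, turning the DoS fix into a functional regression for that guest. Upstream later raised this limit (current QEMU defines `ED_LINK_LIMIT 32`, if I recall correctly), so the backport should carry the raised value or at least justify 4 in a comment, e.g. `#define ED_LINK_LIMIT 32 /* bound the ED-list walk: a guest can link EDs into a cycle (CVE-2017-6505) */`. The `link_cnt` guard itself is a sound loop bound as written: it is incremented exactly once per ED visited and the function returns 0 immediately after `ohci_die()`, so no further guest-controlled pointer is followed. Note that `ohci_service_ed_list()` begins before and continues after the patched hunks, so the loop being bounded is only partly visible here.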