hw/usb/hcd-xhci: Fix unbounded loop in xhci_ring_chain_length() (CVE-2020-14394)
commit effaf5a240e03020f4ae953e10b764622c3e87cc
author Thomas Huth <thuth@redhat.com>
Thu, 4 Aug 2022 13:13:00 +0000 (4 15:13 +0200)
committer Thomas Huth <thuth@redhat.com>
Tue, 16 Aug 2022 09:37:19 +0000 (16 11:37 +0200)
tree 4f348a6f27856c8fb684adbb8aff8ff225a4e7e0
parent 9c23d7193497bbada5915351ce06b7952dd86f6a

The loop condition in xhci_ring_chain_length() is under control of
the guest, and additionally the code does not check for failed DMA
transfers (e.g. if reaching the end of the RAM), so the loop there
could run for a very long time or even forever. Fix it by checking
the return value of dma_memory_read() and by introducing a maximum
loop length.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
Message-Id: <20220804131300.96368-1-thuth@redhat.com>
Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
hw/usb/hcd-xhci.c
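The two mitigations the commit message names (check the DMA read result and cap the number of TRBs walked) as an added stand-alone C example; this is not QEMU's code. The guest RAM buffer, the `dma_read` helper and the `TRB_LINK_LIMIT` value are constructed here, while the chain bit, type field and Link TRB type follow the xHCI TRB control-word layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest RAM; xHCI TRBs are 16 bytes each. */
#define GUEST_RAM_SIZE 4096
#define TRB_SIZE       16
#define TRB_CH         (1u << 4)   /* chain bit in the TRB control dword */
#define TRB_TYPE_SHIFT 10          /* TRB type lives in bits 10..15 */
#define TR_LINK        6           /* Link TRB type */
#define TRB_LINK_LIMIT 32          /* assumed cap on TRBs visited per chain */

static uint8_t guest_ram[GUEST_RAM_SIZE];

struct trb { uint64_t parameter; uint32_t status; uint32_t control; };

/* Hypothetical DMA read: returns -1 when the range leaves guest RAM, the
 * "failed transfer at the end of RAM" case the commit message describes. */
static int dma_read(uint64_t addr, void *buf, size_t len)
{
    if (addr > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) return -1;
    memcpy(buf, guest_ram + addr, len);
    return 0;
}

/* Count the data TRBs in the chain starting at 'addr'. Returns -1 when a DMA
 * read fails or more than TRB_LINK_LIMIT TRBs were visited, so guest-written
 * ring contents (including a Link TRB pointing at itself) cannot keep the
 * loop running indefinitely. */
int ring_chain_length(uint64_t addr)
{
    int length = 0;
    for (int visited = 0; visited < TRB_LINK_LIMIT; visited++) {
        struct trb t;
        if (dma_read(addr, &t, sizeof t) != 0) return -1;
        uint32_t type = (t.control >> TRB_TYPE_SHIFT) & 0x3f;
        if (type == TR_LINK) {
            addr = t.parameter & ~0xfULL;   /* follow link to next segment */
            continue;
        }
        length++;
        if (!(t.control & TRB_CH)) return length;   /* chain ends here */
        addr += TRB_SIZE;
    }
    return -1;   /* cap reached: refuse rather than trust the guest */
}

/* Place a TRB into the constructed guest RAM (test/demo helper). */
void put_trb(uint64_t addr, uint64_t parameter, uint32_t control)
{
    struct trb t = { parameter, 0, control };
    memcpy(guest_ram + addr, &t, sizeof t);
}
```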