[PATCH v2 0/2] hw: usb: hcd-ohci: fix oob access and loop issues

P J P posted 2 patches 3 years, 7 months ago
Test docker-quick@centos7 failed
Test docker-mingw@fedora failed
Test checkpatch failed
Test FreeBSD failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20200915182259.68522-1-ppandit@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
hw/usb/hcd-ohci.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
[PATCH v2 0/2] hw: usb: hcd-ohci: fix oob access and loop issues
Posted by P J P 3 years, 7 months ago
From: Prasad J Pandit <pjp@fedoraproject.org>

Hello,

* While servicing transfer descriptors (TD) in ohci_service[_iso]_td
  routines, it may lead to out-of-bounds access and/or infinite loop
  issues, as the OHCI controller driver may supply malicious values
  to derive frame_number, start_addr, end_addr etc. variables.

* This series breaks earlier single patch into two.
  One for an out-of-bounds access issue and another to fix infinite
  loop case.
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05145.html

Thank you.
--
Prasad J Pandit (2):
  hw: usb: hcd-ohci: check len and frame_number variables
  hw: usb: hcd-ohci: check for processed TD before retire

 hw/usb/hcd-ohci.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

--
2.26.2
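The cover letter above describes the hazard only in outline: a guest OHCI driver controls every field of a transfer descriptor, so the frame_number, start_addr, end_addr and len values the device model derives from it must be range-checked before they are used as an array index or a copy length. The following is an added example, not code from the series or from hw/usb/hcd-ohci.c, showing what those checks look like for an isochronous TD. Field names follow the OHCI specification (BP0, BE, SF, FC, Offset/PSW words); the plain-integer struct, the XFER_BUF_SIZE bounce-buffer size and the demo scenarios are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bounce-buffer size for this example, not a value from hcd-ohci.c. */
#define XFER_BUF_SIZE 8192u

/* Guest-writable fields of an OHCI isochronous TD, assumed already decoded
 * from the spec's packed dwords into plain integers. */
struct iso_td {
    uint32_t bp0;       /* BufferPage0: page holding the first data byte       */
    uint32_t be;        /* BufferEnd: address of the last data byte             */
    uint16_t sf;        /* StartingFrame                                         */
    uint8_t  fc;        /* FrameCount - 1 (a 3-bit field in hardware, so 0..7)   */
    uint16_t offset[8]; /* Offset/PSW words: bits 11:0 offset, bit 12 page select */
};

enum td_status {
    TD_OK = 0,
    TD_NOT_YET,   /* frame is in the future: leave the TD queued               */
    TD_OVERRUN,   /* frame index beyond FrameCount: retire, never index offset[] */
    TD_BAD_RANGE, /* end_addr below start_addr: len would wrap to ~4 GiB       */
    TD_TOO_LONG,  /* len larger than the bounce buffer: copy would go OOB      */
};

/* Resolve an Offset word: bit 12 selects BE's page, otherwise BP0's page. */
static uint32_t iso_addr(const struct iso_td *td, uint16_t off)
{
    uint32_t page = (off & 0x1000u) ? (td->be & 0xfffff000u)
                                    : (td->bp0 & 0xfffff000u);
    return page | (off & 0xfffu);
}

/* Derive frame index, start_addr and len for the frame being serviced,
 * rejecting any guest value that could index past offset[] or make the
 * later copy run past XFER_BUF_SIZE. */
enum td_status iso_frame_bounds(const struct iso_td *td, uint16_t frame_number,
                                uint32_t *start_addr, uint32_t *len)
{
    /* The 16-bit frame counter wraps, so read the difference as signed. */
    int16_t rel = (int16_t)(uint16_t)(frame_number - td->sf);
    if (rel < 0) {
        return TD_NOT_YET;
    }
    if (td->fc > 7 || rel > td->fc) {
        return TD_OVERRUN;           /* also guarantees rel + 1 <= 7 below */
    }
    uint32_t start = iso_addr(td, td->offset[rel]);
    uint32_t n;
    if (rel == td->fc) {
        /* Last frame runs up to and including BufferEnd. */
        if (td->be < start) {
            return TD_BAD_RANGE;
        }
        uint32_t span = td->be - start;   /* checked before +1 so it cannot wrap */
        if (span >= XFER_BUF_SIZE) {
            return TD_TOO_LONG;
        }
        n = span + 1u;
    } else {
        /* Otherwise the frame ends where the next frame's offset begins. */
        uint32_t next = iso_addr(td, td->offset[rel + 1]);
        if (next < start) {
            return TD_BAD_RANGE;
        }
        n = next - start;
        if (n > XFER_BUF_SIZE) {
            return TD_TOO_LONG;
        }
    }
    *start_addr = start;
    *len = n;
    return TD_OK;
}

/* Constructed scenarios (not captured from a guest): one well-formed
 * two-frame TD plus the hostile variants the cover letter warns about.
 * Returns how many scenarios produced the expected verdict (6 if all do). */
int demo_all_cases(void)
{
    int passed = 0;
    uint32_t s, n;
    struct iso_td good = { .bp0 = 0x1000, .be = 0x10ff, .sf = 100, .fc = 1,
                           .offset = { 0x000, 0x080 } };
    passed += iso_frame_bounds(&good, 100, &s, &n) == TD_OK && s == 0x1000 && n == 128;
    passed += iso_frame_bounds(&good, 101, &s, &n) == TD_OK && s == 0x1080 && n == 128;
    passed += iso_frame_bounds(&good, 99, &s, &n) == TD_NOT_YET;
    passed += iso_frame_bounds(&good, 102, &s, &n) == TD_OVERRUN;  /* would index offset[2] */

    struct iso_td backwards = good;     /* next frame starts below this one */
    backwards.offset[0] = 0x080;
    backwards.offset[1] = 0x000;
    passed += iso_frame_bounds(&backwards, 100, &s, &n) == TD_BAD_RANGE;

    struct iso_td huge = { .bp0 = 0x0, .be = 0xffffffffu, .sf = 100, .fc = 0,
                           .offset = { 0x000 } };  /* be - start + 1 would wrap to 0 */
    passed += iso_frame_bounds(&huge, 100, &s, &n) == TD_TOO_LONG;
    return passed;
}

int main(void)
{
    printf("%d of 6 scenarios behaved as expected\n", demo_all_cases());
    return 0;
}
```

The two points worth carrying over to any device model: the frame index is validated before it touches offset[], and the end-minus-start subtraction is checked before the +1 that would otherwise turn an inverted range into a length near 4 GiB.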


Re: [PATCH v2 0/2] hw: usb: hcd-ohci: fix oob access and loop issues
Posted by Gerd Hoffmann 3 years, 7 months ago
On Tue, Sep 15, 2020 at 11:52:57PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> Hello,
> 
> * While servicing transfer descriptors (TD) in ohci_service[_iso]_td
>   routines, it may lead to out-of-bounds access and/or infinite loop
>   issues, as the OHCI controller driver may supply malicious values
>   to derive frame_number, start_addr, end_addr etc. variables.
> 
> * This series breaks earlier single patch into two.
>   One for an out-of-bounds access issue and another to fix infinite
>   loop case.
>   -> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05145.html

Added to usb patch queue.

thanks,
  Gerd