File CVE-2016-8576-qemuu-usb-xHCI-infinite-loop-vulnerability-in-xhci_ring_fetch.patch of Package xen.7317

References: bsc#1004016 CVE-2016-8576

From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Fri, 7 Oct 2016 10:15:29 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process

USB xHCI controller uses ring of Transfer Request Blocks(TRB)
to process USB commands. These are processed by loop in
'xhci_ring_fetch'. A guest user could make it read and process
a same TRB infinitely. Limit number of command TRBs to avoid it.

Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/hcd-xhci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-xhci.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-xhci.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-xhci.c
@@ -52,6 +52,8 @@
  * to the specs when it gets them */
 #define ER_FULL_HACK
 
+#define TRB_LINK_LIMIT  4
+
 #define LEN_CAP         0x40
 #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
 #define LEN_RUNTIME     ((MAXINTRS + 1) * 0x20)
@@ -965,6 +967,7 @@ static TRBType xhci_ring_fetch(XHCIState
                                dma_addr_t *addr)
 {
     PCIDevice *pci_dev = PCI_DEVICE(xhci);
+    uint32_t link_cnt = 0;
 
     while (1) {
         TRBType type;
@@ -991,6 +994,9 @@ static TRBType xhci_ring_fetch(XHCIState
             ring->dequeue += TRB_SIZE;
             return type;
         } else {
+            if (++link_cnt > TRB_LINK_LIMIT) {
+                return 0;
+            }
             ring->dequeue = xhci_mask64(trb->parameter);
             if (trb->control & TRB_LK_TC) {
                 ring->ccs = !ring->ccs;
@@ -1008,6 +1014,7 @@ static int xhci_ring_chain_length(XHCISt
     bool ccs = ring->ccs;
     /* hack to bundle together the two/three TDs that make a setup transfer */
     bool control_td_set = 0;
+    uint32_t link_cnt = 0;
 
     while (1) {
         TRBType type;
@@ -1023,6 +1030,9 @@ static int xhci_ring_chain_length(XHCISt
         type = TRB_TYPE(trb);
 
         if (type == TR_LINK) {
+            if (++link_cnt > TRB_LINK_LIMIT) {
+                return -length;
+            }
             dequeue = xhci_mask64(trb.parameter);
             if (trb.control & TRB_LK_TC) {
                 ccs = !ccs;