File CVE-2016-4037-qemuu-usb-Infinite-loop-vulnerability-in-usb_ehci-using-siTD-process.patch of Package xen.11298

References: bsc#976111 CVE-2016-4037

Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular itd queue and let qemu ehci
emulation run in circles forever).  Unfortunately this has two problems:
First it misses the case of sitds, and second it reportedly breaks
freebsd.

So let's go for a different approach: just count the number of itds and
sitds we have seen per frame and apply a limit.  That should really
catch all cases now.

Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/hcd-ehci.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -2091,6 +2091,7 @@ static int ehci_state_writeback(EHCIQueu
 static void ehci_advance_state(EHCIState *ehci, int async)
 {
     EHCIQueue *q = NULL;
+    int idt_count = 0;
     int again;
 
     do {
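Review bot: the name `idt_count` on `+    int idt_count = 0;` is misleading: the counter is incremented for both iTD and siTD fetches (second hunk), and this file spells the descriptor "itd" (ehci_state_fetchitd), so a name such as `td_count` with a one-line comment stating that it bounds descriptor fetches per ehci_advance_state() call would make the intent clear. It is correctly initialised on entry rather than inside the do/while body, which is what makes the limit effective across loop iterations.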
@@ -2115,10 +2116,12 @@ static void ehci_advance_state(EHCIState
 
         case EST_FETCHITD:
             again = ehci_state_fetchitd(ehci, async);
+            idt_count++;
             break;
 
         case EST_FETCHSITD:
             again = ehci_state_fetchsitd(ehci, async);
+            idt_count++;
             break;
 
         case EST_ADVANCEQUEUE:
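Review bot: the two `+            idt_count++;` lines are undocumented; a short comment at the first one saying that iTD and siTD fetches deliberately share a single budget (the siTD case being the one the previous fix missed) would spare the next reader from guessing. The increment is unconditional, so the budget counts fetch attempts regardless of what ehci_state_fetchitd()/ehci_state_fetchsitd() return, which is the conservative choice for a bound meant to stop a guest-driven loop.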
@@ -2172,6 +2175,11 @@ static void ehci_advance_state(EHCIState
             ehci_reset(ehci);
             again = 0;
         }
+
+        /* limit the amout of idts we are willing to process each frame */
+        if (idt_count > 16) {
+            again = 0;
+        }
     }
     while (again);
 }
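Review bot: the check `+        if (idt_count > 16) {` uses a magic number and is off by one relative to the comment: the 17th fetch still runs before `again = 0` ends the loop, so use `>=` if 16 is the intended cap and give the value a named constant (e.g. a hypothetical `EHCI_MAX_TDS_PER_FRAME`) next to the other limits in this file. When the limit trips nothing is traced or logged, so a guest spinning the controller is stopped silently; a trace point or rate-limited warning here would let a host operator notice repeated hits. Also fix the typo "amout" in the added comment and make it say siTDs are counted too.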