File CVE-2017-6505-qemut-usb-an-infinite-loop-issue-in-ohci_service_ed_list.patch of Package xen.26348

References: bsc#1028235 CVE-2017-6505

Subject: usb: ohci: limit the number of link eds
From: Li Qiang liqiang6-s@360.cn Tue Feb 7 02:23:33 2017 -0800
Date: Tue Feb 21 08:11:42 2017 +0100:
Git: 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb

The guest may build an infinite loop with link eds. This patch
limits the number of linked eds to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.7.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
===================================================================
--- xen-4.7.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+++ xen-4.7.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
@@ -50,6 +50,8 @@
 
 #define OHCI_MAX_PORTS 15
 
+#define ED_LINK_LIMIT 4
+
 static int64_t usb_frame_time;
 static int64_t usb_bit_time;
 
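Review bot: `ED_LINK_LIMIT` is defined as 4 with no comment saying where that number comes from or what it bounds. With `OHCI_MAX_PORTS` at 15 just above, a guest driving several devices could plausibly chain more than four endpoint descriptors in one list, and those would no longer be serviced. Please document the rationale next to the define and consider a limit derived from the largest list a well-behaved guest can build, so the cap only hits malformed lists.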
@@ -998,7 +1000,7 @@ static int ohci_service_ed_list(OHCIStat
     uint32_t next_ed;
     uint32_t cur;
     int active;
-
+    uint32_t link_cnt = 0;
     active = 0;
 
     if (head == 0)
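Review bot: Style point on the `link_cnt` declaration: it replaces the blank line that separated the local declarations from the first statement, so `uint32_t link_cnt = 0;` now runs straight into `active = 0;`. Keep the blank line after the declarations, and a short comment on the counter (number of EDs walked in this call) would help the next reader tie it to `ED_LINK_LIMIT`.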
@@ -1012,6 +1014,10 @@ static int ohci_service_ed_list(OHCIStat
 
         next_ed = ed.next & OHCI_DPTR_MASK;
 
+        if (++link_cnt > ED_LINK_LIMIT) {
+            return 0;
+        }
+
         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
             uint32_t addr;
             /* Cancel pending packets for ED that have been paused.  */
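Review bot: The limit check bails out with a bare `return 0;` and leaves no trace that the list was truncated. It returns a literal 0 rather than the `active` value the function initialises above, so if `active` is the normal return value, any work recorded for EDs already serviced in this pass is not reported to the caller. Consider returning `active` (or breaking out of the loop to the common exit) and emitting a debug message when `link_cnt` exceeds `ED_LINK_LIMIT`, so a guest that trips the cap can be diagnosed. Note also that the check sits after `next_ed` is computed but before the ED is examined, so the descriptor that exceeds the limit is read from guest memory and then skipped; a comment stating that this is intended would help.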