[pve-devel] [PATCH kvm] Fix CVE-2016-4037
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Apr 25 15:08:05 CEST 2016
usb: Infinite loop vulnerability in usb_ehci using siTD process
---
...-ehci-apply-limit-to-iTD-sidt-descriptors.patch | 62 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 63 insertions(+)
create mode 100644 debian/patches/extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch
diff --git a/debian/patches/extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch b/debian/patches/extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch
new file mode 100644
index 0000000..cd298cd
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch
@@ -0,0 +1,62 @@
+From 04d46122655ea02ca47a9572bcce87a23c458e9a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel at redhat.com>
+Date: Mon, 18 Apr 2016 09:11:38 +0200
+Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
+DoS by the guest (create a circular iTD queue and let qemu ehci
+emulation run in circles forever). Unfortunately this has two problems:
+First it misses the case of siTDs, and second it reportedly breaks
+FreeBSD.
+
+So lets go for a different approach: just count the number of iTDs and
+siTDs we have seen per frame and apply a limit. That should really
+catch all cases now.
+
+Reported-by: 杜少博 <dushaobo at 360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+---
+ hw/usb/hcd-ehci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 9b7ef92..99ae453 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -2009,6 +2009,7 @@ static int ehci_state_writeback(EHCIQueue *q)
+ static void ehci_advance_state(EHCIState *ehci, int async)
+ {
+ EHCIQueue *q = NULL;
++ int itd_count = 0;
+ int again;
+
+ do {
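Review bot: `itd_count` is declared and zeroed once before the `do {` loop and is never reset inside it, so it bounds the iTD/siTD fetches of one `ehci_advance_state()` call; a short comment at the declaration saying which unit it counts (the commit message says "per frame") would let a later reader confirm that is the same thing without tracing the callers.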
+@@ -2033,10 +2034,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+
+ case EST_FETCHITD:
+ again = ehci_state_fetchitd(ehci, async);
++ itd_count++;
+ break;
+
+ case EST_FETCHSITD:
+ again = ehci_state_fetchsitd(ehci, async);
++ itd_count++;
+ break;
+
+ case EST_ADVANCEQUEUE:
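Review bot: the same counter is incremented in both the `EST_FETCHITD` and the `EST_FETCHSITD` arm, so the name `itd_count` undersells what it covers; since the whole point of this change over 156a2e4 is that siTDs were missed, a name such as `isoc_td_count` or a one-line comment at the increment ("counts siTDs as well") would make that visible. Incrementing before `again` is inspected is fine, because a failed fetch resets the controller anyway.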
+@@ -2085,7 +2088,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+ break;
+ }
+
+- if (again < 0) {
++ if (again < 0 || itd_count > 16) {
++ /* TODO: notify guest (raise HSE irq?) */
+ fprintf(stderr, "processing error - resetting ehci HC\n");
+ ehci_reset(ehci);
+ again = 0;
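Review bot: the limit in `if (again < 0 || itd_count > 16)` is a bare magic number; give it a named constant (for example `#define EHCI_ISOC_TD_LIMIT 16`) with a comment stating that it caps the iTD/siTD descriptors walked per frame and that the 17th descriptor trips it. A guest that legitimately schedules more than that many isochronous descriptors in one frame now gets a full `ehci_reset()`, so the commit should record why 16 was chosen. The shared `fprintf(stderr, "processing error - resetting ehci HC\n")` also no longer distinguishes the descriptor-limit case from a real fetch error; a separate message for the limit would make the reset explainable from the log, and the `/* TODO: notify guest (raise HSE irq?) */` should be mentioned in the commit message since the guest currently sees nothing but the reset.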
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 806692e..f8de9d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -53,3 +53,4 @@ extra/CVE-2016-2858-0004-rng-add-request-queue-support-to-rng-random.patch
extra/0005-virtio-rng-ask-for-more-data-if-queue-is-not-fully-d.patch
extra/0001-target-i386-do-not-read-write-MSR_TSC_AUX-from-KVM-i.patch
extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
+extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch
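Review bot: the new file name `extra/CVE-2016-4037-ehci-apply-limit-to-iTD-sidt-descriptors.patch` carries the "sidt" typo from the upstream subject line; if the series is regenerated, `siTD` is the correct spelling and is what anyone grepping for the EHCI descriptor type will search for. Appending the entry at the end of `series` keeps it independent of the CVE-2016-2858 block above, which is the right place for it.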
--
2.1.4