------------------------------------------------------------------------
*From*: Gerd Hoffmann
*Subject*: [Qemu-devel] [PATCH 1/2] ehci: apply limit to itd/sitd descriptors
*Date*: Mon, 18 Apr 2016 11:27:22 +0200
------------------------------------------------------------------------
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
DoS by the guest (create a circular itd queue and let the qemu ehci
emulation run in circles forever). Unfortunately this has two problems:
first, it misses the case of sitds, and second, it reportedly breaks
FreeBSD.

So let's go for a different approach: just count the number of itds and
sitds we have seen per frame and apply a limit. That should really
catch all cases now.
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ehci.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c
index 159f58d..923f110 100644
--- a/tools/qemu-xen/hw/usb/hcd-ehci.c
+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c
@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
static void ehci_advance_state(EHCIState *ehci, int async)
{
EHCIQueue *q = NULL;
+ int idt_count = 0;
int again;
do {
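Review bot: the counter is named `idt_count`, but per the commit message it counts both itds and sitds, and "idt" reads as a transposition of "itd"; a name such as `periodic_td_count` would say what is actually being bounded. Because it is a local initialised at the top of ehci_advance_state(), the budget is per call to that function rather than literally per frame; if ehci_advance_state() can be entered more than once for the same frame, the "per frame" wording in the commit message and the comment in the last hunk should be adjusted to "per call".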
@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
case EST_FETCHITD:
again = ehci_state_fetchitd(ehci, async);
+ idt_count++;
break;
case EST_FETCHSITD:
again = ehci_state_fetchsitd(ehci, async);
+ idt_count++;
break;
case EST_ADVANCEQUEUE:
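Review bot: the count is bumped after ehci_state_fetchitd() / ehci_state_fetchsitd() return, regardless of their result, and the check sits at the bottom of the loop body, so the descriptor that pushes the count over the threshold has already been fetched before `again` is cleared. Either check the budget before the fetch, or document that the limit is deliberately a soft one. The two `idt_count++` lines are identical; a single comment stating that itds and sitds share one budget would make the intent obvious to the next reader.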
@@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async)
ehci_reset(ehci);
again = 0;
}
+
+ /* limit the amout of idts we are willing to process each frame */
+ if (idt_count > 16) {
+ again = 0;
+ }
}
while (again);
}
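Review bot: `16` is a magic number; make it a named constant (for example `EHCI_PERIODIC_TD_LIMIT`) with a comment explaining why 16 is enough for real schedules, and note that `idt_count > 16` permits 17 fetches, so either use `>=` or state the intended maximum explicitly. Typos in the comment: "amout" should be "amount" and "idts" should be "itds". When the limit trips the loop silently clears `again`, unlike the `ehci_reset(ehci)` path directly above; since the commit message says the previous approach broke FreeBSD, a trace point or log line here would let a legitimate guest that exceeds the budget be told apart from a malicious circular queue.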
--
1.8.3.1
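The security point behind the patch is that the periodic schedule lives in guest memory and its `next` links are guest-controlled, so an emulator that follows them without a bound can be spun forever. The following is an added illustration, not QEMU or hcd-ehci.c code: a hypothetical model of a frame's descriptor list (`struct guest_td`, `process_frame()`, the `PERIODIC_TD_LIMIT` of 16 and the constructed sample schedules are all assumptions made for this example) showing how a per-frame budget turns a circular list into a bounded walk while a well-formed list is processed in full.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of descriptors in guest memory (not QEMU's layout). */
#define GUEST_MEM_SLOTS 8
#define TD_TYPE_ITD  0   /* isochronous transfer descriptor */
#define TD_TYPE_SITD 1   /* split isochronous transfer descriptor */
#define TD_TYPE_END  2   /* terminate bit set: end of the list */

struct guest_td {
    int type;            /* ITD, SITD or END */
    unsigned next;       /* index of the next descriptor; chosen by the guest */
};

/* Per-frame budget for itd+sitd fetches, mirroring the patch's limit of 16. */
#define PERIODIC_TD_LIMIT 16

struct frame_result {
    int processed;       /* itd/sitd descriptors handled in this frame */
    bool limit_hit;      /* true if the budget, not the list end, stopped us */
};

/*
 * Walk the descriptors reachable from `head`, handling at most
 * PERIODIC_TD_LIMIT of them. Both descriptor types share one budget, which is
 * the point of the patch: bounding only itds leaves sitds as a loop vector.
 * An out-of-range link is treated as a malformed schedule and ends the walk.
 */
static struct frame_result process_frame(const struct guest_td *mem,
                                         size_t nslots, unsigned head)
{
    struct frame_result r = { 0, false };
    unsigned cur = head;

    for (;;) {
        if (cur >= nslots) {          /* link points outside guest memory */
            break;
        }
        const struct guest_td *td = &mem[cur];
        if (td->type == TD_TYPE_END) {
            break;                    /* well-formed end of list */
        }
        r.processed++;                /* one itd or sitd fetched */
        if (r.processed >= PERIODIC_TD_LIMIT) {
            r.limit_hit = true;       /* guest exceeded the budget: stop */
            break;
        }
        cur = td->next;               /* follow the guest-controlled link */
    }
    return r;
}

/* Constructed schedule (not captured from a guest): 0->1->2->3->4->END. */
static struct frame_result run_linear_schedule(void)
{
    struct guest_td mem[GUEST_MEM_SLOTS] = {
        {TD_TYPE_ITD, 1}, {TD_TYPE_SITD, 2}, {TD_TYPE_ITD, 3},
        {TD_TYPE_SITD, 4}, {TD_TYPE_ITD, 5}, {TD_TYPE_END, 0},
        {TD_TYPE_END, 0}, {TD_TYPE_END, 0},
    };
    return process_frame(mem, GUEST_MEM_SLOTS, 0);
}

/* Constructed malicious schedule: 0->1->2->0, the circular queue from the
 * commit message, mixing an sitd into the loop. */
static struct frame_result run_circular_schedule(void)
{
    struct guest_td mem[GUEST_MEM_SLOTS] = {
        {TD_TYPE_ITD, 1}, {TD_TYPE_SITD, 2}, {TD_TYPE_ITD, 0},
        {TD_TYPE_END, 0}, {TD_TYPE_END, 0}, {TD_TYPE_END, 0},
        {TD_TYPE_END, 0}, {TD_TYPE_END, 0},
    };
    return process_frame(mem, GUEST_MEM_SLOTS, 0);
}

/* Constructed schedule whose second link points outside guest memory. */
static struct frame_result run_bad_link_schedule(void)
{
    struct guest_td mem[GUEST_MEM_SLOTS] = {
        {TD_TYPE_ITD, 1}, {TD_TYPE_SITD, 99}, {TD_TYPE_END, 0},
        {TD_TYPE_END, 0}, {TD_TYPE_END, 0}, {TD_TYPE_END, 0},
        {TD_TYPE_END, 0}, {TD_TYPE_END, 0},
    };
    return process_frame(mem, GUEST_MEM_SLOTS, 0);
}

int main(void)
{
    struct frame_result a = run_linear_schedule();
    struct frame_result b = run_circular_schedule();
    struct frame_result c = run_bad_link_schedule();
    printf("linear:   processed=%d limit_hit=%d\n", a.processed, a.limit_hit);
    printf("circular: processed=%d limit_hit=%d\n", b.processed, b.limit_hit);
    printf("bad link: processed=%d limit_hit=%d\n", c.processed, c.limit_hit);
    return 0;
}
```

The model returns whether the budget or the list end terminated the walk; that is the signal a real emulator would want to trace, because a legitimate guest that happens to need more descriptors per frame than the limit allows looks identical to an attacker unless the two cases are distinguished.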