51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
|
From: Jason Wang <jasowang@redhat.com>
|
||
|
|
Date: Wed, 24 Feb 2021 13:45:28 +0800
|
||
|
|
Subject: e1000: fail early for evil descriptor
|
||
|
|
|
||
|
|
Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8
|
||
|
|
References: bsc#1182577, CVE-2021-20257
|
||
|
|
|
||
|
|
During procss_tx_desc(), driver can try to chain data descriptor with
|
||
|
|
legacy descriptor, when will lead underflow for the following
|
||
|
|
calculation in process_tx_desc() for bytes:
|
||
|
|
|
||
|
|
if (tp->size + bytes > msh)
|
||
|
|
bytes = msh - tp->size;
|
||
|
|
|
||
|
|
This will lead a infinite loop. So check and fail early if tp->size if
|
||
|
|
greater or equal to msh.
|
||
|
|
|
||
|
|
Reported-by: Alexander Bulekov <alxndr@bu.edu>
|
||
|
|
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
|
||
|
|
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
|
||
|
|
Cc: Prasad J Pandit <ppandit@redhat.com>
|
||
|
|
Cc: qemu-stable@nongnu.org
|
||
|
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||
|
|
---
|
||
|
|
hw/net/e1000.c | 4 ++++
|
||
|
|
1 file changed, 4 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
||
|
|
index d7d05ae30afafb2e7979c74564a6..02a446b89bae0dec0acdefa54760 100644
|
||
|
|
--- a/hw/net/e1000.c
|
||
|
|
+++ b/hw/net/e1000.c
|
||
|
|
@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||
|
|
msh = tp->tso_props.hdr_len + tp->tso_props.mss;
|
||
|
|
do {
|
||
|
|
bytes = split_size;
|
||
|
|
+ if (tp->size >= msh) {
|
||
|
|
+ goto eop;
|
||
|
|
+ }
|
||
|
|
if (tp->size + bytes > msh)
|
||
|
|
bytes = msh - tp->size;
|
||
|
|
|
||
|
|
@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
|
||
|
|
tp->size += split_size;
|
||
|
|
}
|
||
|
|
|
||
|
|
+eop:
|
||
|
|
if (!(txd_lower & E1000_TXD_CMD_EOP))
|
||
|
|
return;
|
||
|
|
if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
|