xen/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch

References: bsc#944697

From: P J P <address@hidden>

While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.

[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]

Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
 hw/net/e1000.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
                 memmove(tp->data, tp->header, hdr);
                 tp->size = hdr;
             }
-        } while (split_size -= bytes);
+            split_size -= bytes;
+        } while (bytes && split_size);
     } else if (!tp->tse && tp->cptse) {
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentaion Error\n");
- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer dereference in vapic_write() CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch - bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref in sosendto() CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=404 2016-03-01 22:45:58 +01:00			`References: bsc#944697`

			`From: P J P <address@hidden>`

			`While processing transmit descriptors, it could lead to an infinite`
			`loop if 'bytes' was to become zero; Add a check to avoid it.`

			`[The guest can force 'bytes' to 0 by setting the hdr_len and mss`
			`descriptor fields to 0.`
			`--Stefan]`

			`Signed-off-by: P J P <address@hidden>`
			`Signed-off-by: Stefan Hajnoczi <address@hidden>`
			`---`
			`hw/net/e1000.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`===================================================================`
			`--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c`
			`@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1`
			`memmove(tp->data, tp->header, hdr);`
			`tp->size = hdr;`
			`}`
			`- } while (split_size -= bytes);`
			`+ split_size -= bytes;`
			`+ } while (bytes && split_size);`
			`} else if (!tp->tse && tp->cptse) {`
			`// context descriptor TSE is not set, while data descriptor TSE is set`
			`DBGOUT(TXERR, "TCP segmentaion Error\n");`