pool/xen
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
xen/CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Charles Arnold 9b39a3d650 - bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in 
ne2000_receive() function
  CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
- bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100:
  infinite loop in processing command block list
  CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
  CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch

- bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on
  incoming migration
  CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
- bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table
  size to avoid integer overflows
  CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch
- Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch

- bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer
  dereference in ehci_caps_write
  CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397
2016-02-03 21:39:15 +00:00

60 lines
2.1 KiB
Diff
Raw Blame History

References: bsc#956832 CVE-2015-8345
Subject: eepro100: Prevent two endless loops
From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
Date: Fri Nov 27 10:39:55 2015 +0800:
Git: 00837731d254908a841d69298a4f9f077babaf24
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
shows an example how an endless loop in function action_command can
be achieved.
During my code review, I noticed a 2nd case which can result in an
endless loop.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Index: xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-dir-remote/hw/net/eepro100.c
+++ xen-4.6.0-testing/tools/qemu-xen-dir-remote/hw/net/eepro100.c
@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
#if 0
uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
#endif
+ if (tx_buffer_size == 0) {
+ /* Prevent an endless loop. */
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
+ }
tbd_address += 8;
TRACE(RXTX, logout
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100S
static void action_command(EEPRO100State *s)
{
+ /* The loop below won't stop if it gets special handcrafted data.
+ Therefore we limit the number of iterations. */
+ unsigned max_loop_count = 16;
+
for (;;) {
bool bit_el;
bool bit_s;
@@ -870,6 +879,13 @@ static void action_command(EEPRO100State
#if 0
bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
#endif
+
+ if (max_loop_count-- == 0) {
+ /* Prevent an endless loop. */
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
+ break;
+ }
+
s->cu_offset = s->tx.link;
TRACE(OTHER,
logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
Reference in New Issue View Git Blame Copy Permalink