9b39a3d650
ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397
60 lines
2.3 KiB
Diff
60 lines
2.3 KiB
Diff
References: bsc#956832 CVE-2015-8345
|
|
|
|
Subject: eepro100: Prevent two endless loops
|
|
From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
|
|
Date: Fri Nov 27 10:39:55 2015 +0800:
|
|
Git: 00837731d254908a841d69298a4f9f077babaf24
|
|
|
|
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
|
|
shows an example how an endless loop in function action_command can
|
|
be achieved.
|
|
|
|
During my code review, I noticed a 2nd case which can result in an
|
|
endless loop.
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
|
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
|
|
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
|
|
===================================================================
|
|
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
|
|
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
|
|
@@ -657,6 +657,10 @@ static void eepro100_cu_command(EEPRO100
|
|
{
|
|
eepro100_tx_t tx;
|
|
uint32_t cb_address;
|
|
+ /* The loop below won't stop if it gets special handcrafted data.
|
|
+ Therefore we limit the number of iterations. */
|
|
+ unsigned max_loop_count = 16;
|
|
+
|
|
switch (val) {
|
|
case CU_NOP:
|
|
/* No operation. */
|
|
@@ -685,6 +689,13 @@ static void eepro100_cu_command(EEPRO100
|
|
bool bit_nc = ((command & 0x0010) != 0);
|
|
//~ bool bit_sf = ((command & 0x0008) != 0);
|
|
uint16_t cmd = command & 0x0007;
|
|
+
|
|
+ if (max_loop_count-- == 0) {
|
|
+ /* Prevent an endless loop. (see goto next_command) */
|
|
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
|
|
+ break;
|
|
+ }
|
|
+
|
|
s->cu_offset = le32_to_cpu(tx.link);
|
|
switch (cmd) {
|
|
case CmdNOp:
|
|
@@ -726,6 +737,11 @@ static void eepro100_cu_command(EEPRO100
|
|
uint32_t tx_buffer_address = ldl_phys(tbd_address);
|
|
uint16_t tx_buffer_size = lduw_phys(tbd_address + 4);
|
|
//~ uint16_t tx_buffer_el = lduw_phys(tbd_address + 6);
|
|
+ if (tx_buffer_size == 0) {
|
|
+ /* Prevent an endless loop. */
|
|
+ logout("loop in %s:%u\n", __FILE__, __LINE__);
|
|
+ break;
|
|
+ }
|
|
tbd_address += 8;
|
|
logout
|
|
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
|