qemu/0049-net-mcf-limit-buffer-descriptor-cou.patch

From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count

ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
[BR: CVE-2016-7908 BSC#1002550]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/net/mcf_fec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
 #define DPRINTF(fmt, ...) do {} while(0)
 #endif
 
+#define FEC_MAX_DESC 1024
 #define FEC_MAX_FRAME_SIZE 2032
 
 typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
     uint32_t addr;
     mcf_fec_bd bd;
     int frame_size;
-    int len;
+    int len, descnt = 0;
     uint8_t frame[FEC_MAX_FRAME_SIZE];
     uint8_t *ptr;
 
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
     ptr = frame;
     frame_size = 0;
     addr = s->tx_descriptor;
-    while (1) {
+    while (descnt++ < FEC_MAX_DESC) {
         mcf_fec_read_bd(&bd, addr);
         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
                 addr, bd.flags, bd.length, bd.data);
Accepting request 441247 from home:bfrogers:branches:Virtualization Refine the reproducible build changes to no longer override linux commands, but rather fix via patches only. Also fix all the recent security issues reported. OBS-URL: https://build.opensuse.org/request/show/441247 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=320 2016-11-21 18:05:46 +01:00			`From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001`
			`From: Prasad J Pandit <pjp@fedoraproject.org>`
			`Date: Thu, 22 Sep 2016 16:02:37 +0530`
			`Subject: [PATCH] net: mcf: limit buffer descriptor count`

			`ColdFire Fast Ethernet Controller uses buffer descriptors to manage`
			`data flow to/fro receive & transmit queues. While transmitting`
			`packets, it could continue to read buffer descriptors if a buffer`
			`descriptor has length of zero and has crafted values in bd.flags.`
			`Set upper limit to number of buffer descriptors.`

			`Reported-by: Li Qiang <liqiang6-s@360.cn>`
			`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
			`Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>`
			`Signed-off-by: Jason Wang <jasowang@redhat.com>`
			`(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)`
			`[BR: CVE-2016-7908 BSC#1002550]`
			`Signed-off-by: Bruce Rogers <brogers@suse.com>`
			`---`
			`hw/net/mcf_fec.c \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c`
			`index 0ee8ad9..d31fea1 100644`
			`--- a/hw/net/mcf_fec.c`
			`+++ b/hw/net/mcf_fec.c`
			`@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)`
			`#define DPRINTF(fmt, ...) do {} while(0)`
			`#endif`

			`+#define FEC_MAX_DESC 1024`
			`#define FEC_MAX_FRAME_SIZE 2032`

			`typedef struct {`
			`@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)`
			`uint32_t addr;`
			`mcf_fec_bd bd;`
			`int frame_size;`
			`- int len;`
			`+ int len, descnt = 0;`
			`uint8_t frame[FEC_MAX_FRAME_SIZE];`
			`uint8_t *ptr;`

			`@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)`
			`ptr = frame;`
			`frame_size = 0;`
			`addr = s->tx_descriptor;`
			`- while (1) {`
			`+ while (descnt++ < FEC_MAX_DESC) {`
			`mcf_fec_read_bd(&bd, addr);`
			`DPRINTF("tx_bd %x flags %04x len %d data %08x\n",`
			`addr, bd.flags, bd.length, bd.data);`