- bsc#964947 - VUL-0: CVE-2015-5278: xen: Infinite loop in

ne2000_receive() function CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch - bsc#956832 - VUL-0: CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch - bsc#964644 - VUL-0: CVE-2013-4533: xen pxa2xx: buffer overrun on incoming migration CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch - bsc#964925 - VUL-0: CVE-2014-0222: xen: qcow1: validate L2 table size to avoid integer overflows CVE-2014-0222-blktap-qcow1-validate-l2-table-size.patch - Dropped CVE-2014-0222-qemuu-qcow1-validate-l2-table-size.patch - bsc#964415 - VUL-1: CVE-2016-2198: xen: usb: ehci null pointer dereference in ehci_caps_write CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=397
2016-02-03 21:39:15 +00:00
parent fbfd58d3a2
commit 9b39a3d650
8 changed files with 265 additions and 66 deletions
--- a/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
+++ b/CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
@@ -1,34 +1,59 @@
 References: bsc#956832 CVE-2015-8345

-From: Prasad J Pandit <address@hidden>
-Date: Fri, 16 Oct 2015 11:33:27 +0530
-Subject: eepro100: prevent an infinite loop over same command block
+Subject: eepro100: Prevent two endless loops
+From: Stefan Weil sw@weilnetz.de Fri Nov 20 08:42:33 2015 +0100
+Date: Fri Nov 27 10:39:55 2015 +0800:
+Git: 00837731d254908a841d69298a4f9f077babaf24

-action_command() routine executes a chain of commands located
-in the Command Block List(CBL). Each Command Block(CB) has a
-link to the next CB in the list, given by 's->tx.link'.
-This is used in conjunction with the base address 's->cu_base'.
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.

-An infinite loop unfolds if the 'link' to the next CB is
-same as the previous one, the loop ends up executing the same
-command over and over again.
+During my code review, I noticed a 2nd case which can result in an
+endless loop.

-Reported-by: Qinghao Tang <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
---
- hw/net/eepro100.c | 2 ++
- 1 file changed, 2 insertions(+)
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>

 Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
 ===================================================================
 --- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
 +++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
-@@ -674,6 +674,8 @@ static void eepro100_cu_command(EEPRO100
-       next_command:
-         cb_address = s->cu_base + s->cu_offset;
-         cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
-+        if (tx.link == s->cu_offset)
+@@ -657,6 +657,10 @@ static void eepro100_cu_command(EEPRO100
+ {
+     eepro100_tx_t tx;
+     uint32_t cb_address;
+    /* The loop below won't stop if it gets special handcrafted data.
+       Therefore we limit the number of iterations. */
+    unsigned max_loop_count = 16;
+
+     switch (val) {
+     case CU_NOP:
+         /* No operation. */
+@@ -685,6 +689,13 @@ static void eepro100_cu_command(EEPRO100
+         bool bit_nc = ((command & 0x0010) != 0);
+         //~ bool bit_sf = ((command & 0x0008) != 0);
+         uint16_t cmd = command & 0x0007;
+
+        if (max_loop_count-- == 0) {
+            /* Prevent an endless loop. (see goto next_command) */
+            logout("loop in %s:%u\n", __FILE__, __LINE__);
 +            break;
-         uint16_t status = le16_to_cpu(tx.status);
-         uint16_t command = le16_to_cpu(tx.command);
-         logout
+        }
+
+         s->cu_offset = le32_to_cpu(tx.link);
+         switch (cmd) {
+         case CmdNOp:
+@@ -726,6 +737,11 @@ static void eepro100_cu_command(EEPRO100
+                 uint32_t tx_buffer_address = ldl_phys(tbd_address);
+                 uint16_t tx_buffer_size = lduw_phys(tbd_address + 4);
+                 //~ uint16_t tx_buffer_el = lduw_phys(tbd_address + 6);
+                if (tx_buffer_size == 0) {
+                    /* Prevent an endless loop. */
+                    logout("loop in %s:%u\n", __FILE__, __LINE__);
+                    break;
+                }
+                 tbd_address += 8;
+                 logout
+                     ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",