Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
qemu.28164
net-eepro100-validate-various-address-va.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File net-eepro100-validate-various-address-va.patch of Package qemu.28164
From: Jose R Ziviani <jose.ziviani@suse.com> Date: Thu, 29 Jul 2021 15:56:08 -0600 Subject: net: eepro100: validate various address values Git-commit: 000000000000000000000000000000000000000000000 References: bsc#1182651, CVE-2021-20255 Patch based on discussion: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html While processing controller commands, eepro100 emulator gets command unit(CU) base address OR receive unit (RU) base address OR command block (CB) address from guest. If these values are not checked, it may lead to an infinite loop kind of issues. Add checks to avoid it. Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-By: Jose R Ziviani <jose.ziviani@suse.com> --- hw/net/eepro100.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c index cc2dd8b1c997e864d2ec6bf74051..de235e863731e3abb6956fd02739 100644 --- a/hw/net/eepro100.c +++ b/hw/net/eepro100.c @@ -279,6 +279,9 @@ typedef struct { /* Quasi static device properties (no need to save them). */ uint16_t stats_size; bool has_extended_tcb_support; + + /* Flag to avoid recursions. */ + bool busy; } EEPRO100State; /* Word indices in EEPROM. */ @@ -837,6 +840,13 @@ static void action_command(EEPRO100State *s) Therefore we limit the number of iterations. */ unsigned max_loop_count = 16; + if (s->busy) { + /* Prevent recursions. */ + logout("recursion in %s:%u\n", __FILE__, __LINE__); + return; + } + s->busy = true; + for (;;) { bool bit_el; bool bit_s; @@ -933,6 +943,7 @@ static void action_command(EEPRO100State *s) } TRACE(OTHER, logout("CU list empty\n")); /* List is empty. Now CU is idle or suspended. */ + s->busy = false; } static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor