qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (


From: Jason Wang
Subject: Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
Date: Fri, 9 Sep 2022 10:48:50 +0800

On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <thuth@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Zheyu has posted a similar path which has been merged:

commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Aug 21 20:43:43 2022 +0800

    net: tulip: Restrict DMA engine to memories

Thanks

> ---
>  hw/net/tulip.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index 097e905bec..b9e42c322a 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
>  static void tulip_desc_read(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
> @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
>  static void tulip_desc_write(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          stl_be_pci_dma(&s->dev, p, desc->status, attrs);
> --
> 2.31.1
>




reply via email to

[Prev in Thread] Current Thread [Next in Thread]