[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (
|
From: |
Jason Wang |
|
Subject: |
Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962) |
|
Date: |
Fri, 9 Sep 2022 10:48:50 +0800 |
On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <thuth@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <thuth@redhat.com>
Zheyu has posted a similar path which has been merged:
commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyuma97@gmail.com>
Date: Sun Aug 21 20:43:43 2022 +0800
net: tulip: Restrict DMA engine to memories
Thanks
> ---
> hw/net/tulip.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index 097e905bec..b9e42c322a 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
> static void tulip_desc_read(TULIPState *s, hwaddr p,
> struct tulip_descriptor *desc)
> {
> - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> + const MemTxAttrs attrs = { .memory = true };
>
> if (s->csr[0] & CSR0_DBO) {
> ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
> @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
> static void tulip_desc_write(TULIPState *s, hwaddr p,
> struct tulip_descriptor *desc)
> {
> - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> + const MemTxAttrs attrs = { .memory = true };
>
> if (s->csr[0] & CSR0_DBO) {
> stl_be_pci_dma(&s->dev, p, desc->status, attrs);
> --
> 2.31.1
>
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962),
Jason Wang <=