| Andrew Geissler | c723b72 | 2021-01-08 16:14:09 -0600 | [diff] [blame] | 1 | From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001 |
| 2 | From: Prasad J Pandit <pjp@fedoraproject.org> |
| 3 | Date: Wed, 11 Nov 2020 18:36:36 +0530 |
| 4 | Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null |
| 5 | descriptor |
| 6 | |
| 7 | While receiving packets via e1000e_write_packet_to_guest() routine, |
| 8 | 'desc_offset' is advanced only when RX descriptor is processed. And |
| 9 | RX descriptor is not processed if it has NULL buffer address. |
| 10 | This may lead to an infinite loop condition. Increament 'desc_offset' |
| 11 | to process next descriptor in the ring to avoid infinite loop. |
| 12 | |
| 13 | Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> |
| 14 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| 15 | Signed-off-by: Jason Wang <jasowang@redhat.com> |
| 16 | |
| 17 | Upstream-Status: Backport |
| 18 | CVE: CVE-2020-28916 |
| 19 | [https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a] |
| 20 | Signed-off-by: Li Wang <li.wang@windriver.com> |
| 21 | --- |
| 22 | hw/net/e1000e_core.c | 8 ++++---- |
| 23 | 1 file changed, 4 insertions(+), 4 deletions(-) |
| 24 | |
| 25 | diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c |
| 26 | index bcd186c..d3e3cdc 100644 |
| 27 | --- a/hw/net/e1000e_core.c |
| 28 | +++ b/hw/net/e1000e_core.c |
| 29 | @@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, |
| 30 | (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); |
| 31 | } |
| 32 | } |
| 33 | - desc_offset += desc_size; |
| 34 | - if (desc_offset >= total_size) { |
| 35 | - is_last = true; |
| 36 | - } |
| 37 | } else { /* as per intel docs; skip descriptors with null buf addr */ |
| 38 | trace_e1000e_rx_null_descriptor(); |
| 39 | } |
| 40 | + desc_offset += desc_size; |
| 41 | + if (desc_offset >= total_size) { |
| 42 | + is_last = true; |
| 43 | + } |
| 44 | |
| 45 | e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, |
| 46 | rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); |
| 47 | -- |
| 48 | 2.17.1 |
| 49 | |