Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame^] | 1 | From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jason Wang <jasowang@redhat.com> |
| 3 | Date: Wed, 24 Feb 2021 13:45:28 +0800 |
| 4 | Subject: [PATCH] e1000: fail early for evil descriptor |
| 5 | |
| 6 | During procss_tx_desc(), driver can try to chain data descriptor with |
| 7 | legacy descriptor, when will lead underflow for the following |
| 8 | calculation in process_tx_desc() for bytes: |
| 9 | |
| 10 | if (tp->size + bytes > msh) |
| 11 | bytes = msh - tp->size; |
| 12 | |
| 13 | This will lead a infinite loop. So check and fail early if tp->size if |
| 14 | greater or equal to msh. |
| 15 | |
| 16 | Reported-by: Alexander Bulekov <alxndr@bu.edu> |
| 17 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> |
| 18 | Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> |
| 19 | Cc: Prasad J Pandit <ppandit@redhat.com> |
| 20 | Cc: qemu-stable@nongnu.org |
| 21 | Signed-off-by: Jason Wang <jasowang@redhat.com> |
| 22 | |
| 23 | Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] |
| 24 | CVE: CVE-2021-20257 |
| 25 | |
| 26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| 27 | --- |
| 28 | hw/net/e1000.c | 4 ++++ |
| 29 | 1 file changed, 4 insertions(+) |
| 30 | |
| 31 | diff --git a/hw/net/e1000.c b/hw/net/e1000.c |
| 32 | index cf22c4f07..c3564c7ce 100644 |
| 33 | --- a/hw/net/e1000.c |
| 34 | +++ b/hw/net/e1000.c |
| 35 | @@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) |
| 36 | msh = tp->tso_props.hdr_len + tp->tso_props.mss; |
| 37 | do { |
| 38 | bytes = split_size; |
| 39 | + if (tp->size >= msh) { |
| 40 | + goto eop; |
| 41 | + } |
| 42 | if (tp->size + bytes > msh) |
| 43 | bytes = msh - tp->size; |
| 44 | |
| 45 | @@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) |
| 46 | tp->size += split_size; |
| 47 | } |
| 48 | |
| 49 | +eop: |
| 50 | if (!(txd_lower & E1000_TXD_CMD_EOP)) |
| 51 | return; |
| 52 | if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { |
| 53 | -- |
| 54 | 2.29.2 |
| 55 | |