* [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
From: Thomas Huth @ 2022-08-27 7:03 UTC
To: qemu-devel, Sven Schnelle; +Cc: qemu-stable, Jason Wang, Siqi Chen

The Tulip NIC can be used to trigger an endless recursion when its
descriptors are set up to its own MMIO address space. Fix it by
limiting the DMA accesses to normal memory.

Fixes: CVE-2022-2962
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/net/tulip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 097e905bec..b9e42c322a 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
static void tulip_desc_read(TULIPState *s, hwaddr p,
struct tulip_descriptor *desc)
{
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };
if (s->csr[0] & CSR0_DBO) {
ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
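Review bot: in tulip_desc_read the result of ldl_be_pci_dma(&s->dev, p, &desc->status, attrs) is still discarded, and with attrs now { .memory = true } a descriptor address that does not resolve to memory is expected to make that load fail instead of re-entering the device. tulip_desc_read is declared void, so the caller cannot tell a rejected fetch from a successful one; suggest returning the status and stopping descriptor processing on failure, so nothing acts on a desc->status that was never read from guest memory.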
@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
static void tulip_desc_write(TULIPState *s, hwaddr p,
struct tulip_descriptor *desc)
{
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };
if (s->csr[0] & CSR0_DBO) {
stl_be_pci_dma(&s->dev, p, desc->status, attrs);
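Review bot: the initializer { .memory = true } in tulip_desc_write duplicates the one added to tulip_desc_read, and neither carries a comment. Suggest one file-level constant shared by both functions, with a one-line comment stating that descriptor DMA is restricted to memory so that a ring placed in the device's own MMIO space cannot re-enter the device; that keeps the read and write paths in sync and records why MEMTXATTRS_UNSPECIFIED should not be restored here.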
--
2.31.1
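
Added example, not part of the original thread and not QEMU code: a toy C model of the reentrancy described in the commit message above, showing how a memory-only transaction attribute stops a descriptor fetch from re-entering the device. The Nic and Attrs types, the address constants and the MAX_DEPTH guard are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Toy model, NOT QEMU code: every name and address here is hypothetical. */
#define RAM_SIZE  0x1000u
#define MMIO_BASE 0x8000u   /* constructed address of the NIC registers */
#define MMIO_SIZE 0x100u
#define MAX_DEPTH 64        /* guard so the model itself terminates */
typedef struct { bool memory; } Attrs;   /* stands in for MemTxAttrs.memory */
typedef struct { uint8_t ram[RAM_SIZE]; uint32_t desc; int depth, max_depth; } Nic;
static bool dma_read(Nic *n, uint32_t addr, uint32_t *val, Attrs a);

/* Register access side effect: the device fetches its descriptor by DMA. */
static uint32_t mmio_read(Nic *n, Attrs a)
{
    uint32_t status = 0;
    if (++n->depth > n->max_depth) n->max_depth = n->depth;
    if (n->depth < MAX_DEPTH) dma_read(n, n->desc, &status, a);
    n->depth--;
    return status;
}

/* RAM is read directly; MMIO re-enters the device unless the access is memory-only. */
static bool dma_read(Nic *n, uint32_t addr, uint32_t *val, Attrs a)
{
    if (addr < RAM_SIZE) {
        *val = n->ram[addr];
        return true;
    }
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        if (a.memory) return false;      /* rejected before reaching the device */
        *val = mmio_read(n, a);
        return true;
    }
    return false;                        /* unmapped address */
}

/* Deepest device re-entry reached by one descriptor fetch. */
int fetch_depth(uint32_t desc, bool memory_only)
{
    Nic n = { .desc = desc };
    uint32_t status = 0;
    dma_read(&n, desc, &status, (Attrs){ .memory = memory_only });
    return n.max_depth;
}

int main(void)
{
    printf("%d %d\n", fetch_depth(MMIO_BASE, false), fetch_depth(MMIO_BASE, true));
    return 0;
}
```

In the model the unrestricted fetch stops only at the MAX_DEPTH guard, while the memory-only fetch is rejected by the bus dispatch and never enters the device.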
* Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
From: Jason Wang @ 2022-09-09 2:48 UTC
To: Thomas Huth; +Cc: qemu-devel, Sven Schnelle, qemu-stable, Siqi Chen

On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <thuth@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Zheyu has posted a similar patch which has been merged:

commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Aug 21 20:43:43 2022 +0800

    net: tulip: Restrict DMA engine to memories

Thanks

> ---
> hw/net/tulip.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index 097e905bec..b9e42c322a 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
> static void tulip_desc_read(TULIPState *s, hwaddr p,
> struct tulip_descriptor *desc)
> {
> - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> + const MemTxAttrs attrs = { .memory = true };
>
> if (s->csr[0] & CSR0_DBO) {
> ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
> @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
> static void tulip_desc_write(TULIPState *s, hwaddr p,
> struct tulip_descriptor *desc)
> {
> - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> + const MemTxAttrs attrs = { .memory = true };
>
> if (s->csr[0] & CSR0_DBO) {
> stl_be_pci_dma(&s->dev, p, desc->status, attrs);
> --
> 2.31.1
>