A new user interface for you! Read more...

File CVE-2016-7908-qemut-net-Infinite-loop-in-mcf_fec_do_tx.patch of Package xen

References: bsc#1003030 CVE-2016-7908

Subject: net: mcf: limit buffer descriptor count
From: Prasad J Pandit pjp@fedoraproject.org Thu Sep 22 16:02:37 2016 +0530
Date: Tue Sep 27 17:54:22 2016 +0800:
Git: 070c4b92b8cd5390889716677a0b92444d6e087a

ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>

Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/mcf_fec.c
@@ -20,6 +20,7 @@ do { printf("mcf_fec: " fmt , ##args); }
 #define DPRINTF(fmt, args...) do {} while(0)
 #endif
 
+#define FEC_MAX_DESC 1024
 #define FEC_MAX_FRAME_SIZE 2032
 
 typedef struct {
@@ -144,7 +145,7 @@ static void mcf_fec_do_tx(mcf_fec_state
     uint32_t addr;
     mcf_fec_bd bd;
     int frame_size;
-    int len;
+    int len, descnt = 0;
     uint8_t frame[FEC_MAX_FRAME_SIZE];
     uint8_t *ptr;
 
@@ -152,7 +153,7 @@ static void mcf_fec_do_tx(mcf_fec_state
     ptr = frame;
     frame_size = 0;
     addr = s->tx_descriptor;
-    while (1) {
+    while (descnt++ < FEC_MAX_DESC) {
         mcf_fec_read_bd(&bd, addr);
         DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
                 addr, bd.flags, bd.length, bd.data);