File CVE-2021-20255-qemut-eepro100-stack-overflow-vi... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-20255-qemut-eepro100-stack-overflow-via-infinite-recursion.patch of Package xen

References: bsc#1182654, CVE-2021-20255

Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
@@ -253,6 +253,9 @@ typedef struct {
 
     /* Data in mem is always in the byte order of the controller (le). */
     uint8_t mem[PCI_MEM_SIZE];
+
+    /* Flag to avoid recursions. */
+    bool busy;
 } EEPRO100State;
 
 /* Default values for MDI (PHY) registers */
@@ -675,6 +678,15 @@ static void eepro100_cu_command(EEPRO100
         }
         set_cu_state(s, cu_active);
         s->cu_offset = s->pointer;
+
+        if (s->busy) {
+            /* Prevent recursions. */
+            logout("recursion in %s:%u\n", __FILE__, __LINE__);
+            return;
+        }
+
+        s->busy = true;
+
       next_command:
         cb_address = s->cu_base + s->cu_offset;
         cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
@@ -693,6 +705,7 @@ static void eepro100_cu_command(EEPRO100
         if (max_loop_count-- == 0) {
             /* Prevent an endless loop. (see goto next_command) */
             logout("loop in %s:%u\n", __FILE__, __LINE__);
+            s->busy = false;
             break;
         }
 
@@ -826,6 +839,7 @@ static void eepro100_cu_command(EEPRO100
         }
         logout("CU list empty\n");
         /* List is empty. Now CU is idle or suspended. */
+        s->busy = false;
         break;
     case CU_RESUME:
         if (get_cu_state(s) != cu_suspended) {
@@ -838,6 +852,15 @@ static void eepro100_cu_command(EEPRO100
         if (get_cu_state(s) == cu_suspended) {
             logout("CU resuming\n");
             set_cu_state(s, cu_active);
+
+            if (s->busy) {
+                /* Prevent recursions. */
+                logout("recursion in %s:%u\n", __FILE__, __LINE__);
+                return;
+            }
+
+            s->busy = true;
+
             goto next_command;
         }
         break;

Places

File CVE-2021-20255-qemut-eepro100-stack-overflow-via-infinite-recursion.patch of Package xen

Places