File CVE-2021-20257-qemut-infinite-loop-issue-in-the... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-20257-qemut-infinite-loop-issue-in-the-e1000-NIC-emulator.patch of Package xen

References: bsc#1182846

While processing transmit (tx) descriptors in process_tx_desc()
various descriptor fields are not checked properly. This may lead
to infinite loop like issue. Add checks to avoid them.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/e1000.c | 6 ++++++
 1 file changed, 6 insertions(+)

Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -22,6 +22,7 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA  02110-1301 USA
  */
 
+#include <assert.h>
 
 #include "hw.h"
 #include "pci.h"
@@ -452,10 +453,12 @@ process_tx_desc(E1000State *s, struct e1
         
     addr = le64_to_cpu(dp->buffer_addr);
     if (tp->tse && tp->cptse) {
+        assert(tp->hdr_len);
         hdr = tp->hdr_len;
         msh = hdr + tp->mss;
         do {
             bytes = split_size;
+            assert(msh > tp->size);
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
 
@@ -464,12 +467,14 @@ process_tx_desc(E1000State *s, struct e1
             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                 memmove(tp->header, tp->data, hdr);
             tp->size = sz;
+            assert(tp->size);   /* sz may get truncated */
             addr += bytes;
             if (sz == msh) {
                 xmit_seg(s);
                 memmove(tp->data, tp->header, hdr);
                 tp->size = hdr;
             }
+            assert(split_size >= bytes);
             split_size -= bytes;
         } while (bytes && split_size);
     } else if (!tp->tse && tp->cptse) {
@@ -477,12 +482,14 @@ process_tx_desc(E1000State *s, struct e1
         DBGOUT(TXERR, "TCP segmentaion Error\n");
     } else {
         split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+        assert(tp->size && split_size);
         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
         tp->size += split_size;
     }
 
     if (!(txd_lower & E1000_TXD_CMD_EOP))
         return;
+    assert(tp->size && tp->hdr_len);
     if (!(tp->tse && tp->cptse && tp->size < hdr))
         xmit_seg(s);
     tp->tso_frames = 0;

Places

File CVE-2021-20257-qemut-infinite-loop-issue-in-the-e1000-NIC-emulator.patch of Package xen

Places