File CVE-2021-20255-qemut-eepro100-stack-overflow-via-infinite-recursion.patch of Package xen.23721
References: bsc#1182654, CVE-2021-20255
Index: xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
===================================================================
--- xen-4.7.6-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
+++ xen-4.7.6-testing/tools/qemu-xen-traditional-dir-remote/hw/eepro100.c
@@ -253,6 +253,9 @@ typedef struct {
/* Data in mem is always in the byte order of the controller (le). */
uint8_t mem[PCI_MEM_SIZE];
+
+ /* Flag to avoid recursions. */
+ bool busy;
} EEPRO100State;
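Review bot: The new `busy` field is added but nothing in this patch resets it outside the command loop, so if the device has a reset handler or save/load state (upstream QEMU's eepro100 has `nic_reset` and vmstate) a guest that resets the NIC while the CU loop is mid-flight could leave `busy` set and have every later CU_START refused as a "recursion"; add `s->busy = false;` to the reset path unless the whole `EEPRO100State` is already zeroed there, which is not visible in this hunk. Also confirm the file includes `<stdbool.h>` (or an equivalent) since `bool` is now used in the typedef; the include block is outside this hunk. A short comment on the field stating the invariant would help the next reader: `/* busy: set while eepro100_cu_command runs the CU list; cleared on every exit from the loop. */`. The `EEPRO100State` typedef starts before this hunk.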
/* Default values for MDI (PHY) registers */
@@ -675,6 +678,15 @@ static void eepro100_cu_command(EEPRO100
}
set_cu_state(s, cu_active);
s->cu_offset = s->pointer;
+
+ if (s->busy) {
+ /* Prevent recursions. */
+ logout("recursion in %s:%u\n", __FILE__, __LINE__);
+ return;
+ }
+
+ s->busy = true;
+
next_command:
cb_address = s->cu_base + s->cu_offset;
cpu_physical_memory_read(cb_address, (uint8_t *) & tx, sizeof(tx));
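Review bot: The guard `if (s->busy)` is placed after `set_cu_state(s, cu_active);` and `s->cu_offset = s->pointer;`, so a re-entrant CU_START that is refused has already overwritten the CU state and the offset the outer invocation is iterating on; when the outer loop next executes `cb_address = s->cu_base + s->cu_offset;` at `next_command` it follows the guest-supplied pointer instead of continuing the list it was processing. If the intent is for the nested command to be a no-op, move the guard above those two assignments so a refused re-entry leaves the outer loop's state untouched: `if (s->busy) { logout("recursion in %s:%u\n", __FILE__, __LINE__); return; }` first, then `set_cu_state(s, cu_active); s->cu_offset = s->pointer;`. Whether that ordering matches what the CU state machine expects elsewhere should be checked against the rest of `eepro100_cu_command`, which starts and ends outside this hunk.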
@@ -693,6 +705,7 @@ static void eepro100_cu_command(EEPRO100
if (max_loop_count-- == 0) {
/* Prevent an endless loop. (see goto next_command) */
logout("loop in %s:%u\n", __FILE__, __LINE__);
+ s->busy = false;
break;
}
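Review bot: `s->busy = false;` is cleared only on this loop-limit `break` and on the "CU list empty" `break`, so any other exit from the command loop — another `break` arm, an error `return`, a command that suspends the CU — would leave `busy` set for the lifetime of the device and turn every subsequent CU_START and CU_RESUME into a refused "recursion", which is a guest-triggerable denial of service of the NIC. The rest of the loop body is outside this hunk, so I cannot tell whether such paths exist; clearing the flag once at the single exit point after the loop is safer than per-path clears and is worth doing even if no such path exists today. At minimum add a comment at the clear, `/* Every exit from the CU loop must clear busy, or the CU is wedged. */`, so a future `break` is not added without it. `eepro100_cu_command` continues on both sides of this hunk.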
@@ -826,6 +839,7 @@ static void eepro100_cu_command(EEPRO100
}
logout("CU list empty\n");
/* List is empty. Now CU is idle or suspended. */
+ s->busy = false;
break;
case CU_RESUME:
if (get_cu_state(s) != cu_suspended) {
@@ -838,6 +852,15 @@ static void eepro100_cu_command(EEPRO100
if (get_cu_state(s) == cu_suspended) {
logout("CU resuming\n");
set_cu_state(s, cu_active);
+
+ if (s->busy) {
+ /* Prevent recursions. */
+ logout("recursion in %s:%u\n", __FILE__, __LINE__);
+ return;
+ }
+
+ s->busy = true;
+
goto next_command;
}
break;
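Review bot: The guard `if (s->busy) { logout(...); return; }` followed by `s->busy = true;` is duplicated verbatim from the CU_START path, and in both places it runs after the CU state has already been changed (`set_cu_state(s, cu_active);` on the line above); a small `static` helper that tests-and-sets the flag and returns false on re-entry would keep the two sites in sync and make it obvious the check belongs before the state change rather than after. Note also that this `goto next_command` re-enters the loop with whatever `max_loop_count` remains from the function's current invocation; if the counter is initialized at function entry (not visible here) a resume reuses the remaining budget rather than a fresh one, which is acceptable but deserves a one-line comment such as `/* Resume shares the loop budget of this call; see max_loop_count. */`. `eepro100_cu_command` continues outside this hunk.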