File 0226-net-eepro100-validate-various-addre.patch of Package qemu-linux-user.20748

From: Jose R Ziviani <jose.ziviani@suse.com>
Date: Thu, 29 Jul 2021 15:56:08 -0600
Subject: net: eepro100: validate various address values

Git-commit: 000000000000000000000000000000000000000000000
References: bsc#1182651, CVE-2021-20255

Patch based on discussion:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

While processing controller commands, eepro100 emulator gets
command unit(CU) base address OR receive unit (RU) base address
OR command block (CB) address from guest. If these values are not
checked, it may lead to an infinite loop kind of issues. Add checks
to avoid it.

Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-By: Jose R Ziviani <jose.ziviani@suse.com>
---
 hw/net/eepro100.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index e761daf55181b39bb1a303270db5..61623a733092efda4185b64399b5 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -276,6 +276,9 @@ typedef struct {
     /* Quasi static device properties (no need to save them). */
     uint16_t stats_size;
     bool has_extended_tcb_support;
+
+    /* Flag to avoid recursions. */
+    bool busy;
 } EEPRO100State;
 
 /* Word indices in EEPROM. */
@@ -834,6 +837,13 @@ static void action_command(EEPRO100State *s)
        Therefore we limit the number of iterations. */
     unsigned max_loop_count = 16;
 
+    if (s->busy) {
+        /* Prevent recursions. */
+        logout("recursion in %s:%u\n", __FILE__, __LINE__);
+        return;
+    }
+    s->busy = true;
+
     for (;;) {
         bool bit_el;
         bool bit_s;
@@ -930,6 +940,7 @@ static void action_command(EEPRO100State *s)
     }
     TRACE(OTHER, logout("CU list empty\n"));
     /* List is empty. Now CU is idle or suspended. */
+    s->busy = false;
 }
 
 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)