[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-
|
From: |
Thomas Huth |
|
Subject: |
[PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962) |
|
Date: |
Sat, 27 Aug 2022 09:03:43 +0200 |
The Tulip NIC can be used to trigger an endless recursion when its
descriptors are set up to its own MMIO address space. Fix it by
limiting the DMA accesses to normal memory.
Fixes: CVE-2022-2962
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/net/tulip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 097e905bec..b9e42c322a 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
static void tulip_desc_read(TULIPState *s, hwaddr p,
struct tulip_descriptor *desc)
{
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };
if (s->csr[0] & CSR0_DBO) {
ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
static void tulip_desc_write(TULIPState *s, hwaddr p,
struct tulip_descriptor *desc)
{
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };
if (s->csr[0] & CSR0_DBO) {
stl_be_pci_dma(&s->dev, p, desc->status, attrs);
--
2.31.1
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962),
Thomas Huth <=