CVE-2021-20257: [PATCH] e1000: fail early for evil descriptor

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From:

Jason Wang

Subject:

[PATCH] e1000: fail early for evil descriptor

Date:

Wed, 24 Feb 2021 13:45:28 +0800

During procss_tx_desc(), driver can try to chain data descriptor with legacy descriptor, when will lead underflow for the following calculation in process_tx_desc() for bytes:

        if (tp->size + bytes > msh)
            bytes = msh - tp->size;

This will lead a infinite loop. So check and fail early if tp->size if greater or equal to msh.

Reported-by: Alexander Bulekov [email protected] Reported-by: Cheolwoo Myung [email protected] Reported-by: Ruhr-University Bochum [email protected] Cc: Prasad J Pandit [email protected] Signed-off-by: Jason Wang [email protected]

---

hw/net/e1000.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/hw/net/e1000.c b/hw/net/e1000.c index d8da2f6528…4345d863e6 100644 — a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) msh = tp->tso_props.hdr_len + tp->tso_props.mss; do { bytes = split_size;

•        if (tp->size >= msh) {
  

•            goto eop;
  

•        }
         if (tp->size + bytes > msh)
             bytes = msh - tp->size;
  

@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) tp->size += split_size; }

+eop: if (!(txd_lower & E1000_TXD_CMD_EOP)) return; if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { – 2.25.1

• [PATCH] e1000: fail early for evil descriptor, Jason Wang <=

  • Re: [PATCH] e1000: fail early for evil descriptor, Jason Wang, 2021/02/26

• Prev by Date: [PATCH qemu v14] spapr: Implement Open Firmware client interface

• Next by Date: Re: [PATCH qemu v14] spapr: Implement Open Firmware client interface

• Previous by thread: [PATCH qemu v14] spapr: Implement Open Firmware client interface

• Next by thread: Re: [PATCH] e1000: fail early for evil descriptor

• Index(es):

  • Date
  • Thread