CVE-2022-2962: net: tulip: Restrict DMA engine to memories (36a894ae) · Commits · QEMU / QEMU · GitLab

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn’t check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.


Commit 36a894ae, authored Aug 21, 2022 and committed by Jason Wang Sep 02, 2022


net: tulip: Restrict DMA engine to memories

The DMA engine is started by I/O access and then itself accesses the I/O registers, triggering a reentrancy bug.

The following log can reveal it:

==5637==ERROR: AddressSanitizer: stack-overflow
    #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673
    #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13
    #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
    #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c
    #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
    #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12
    #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18
    #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
    #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
    #10 0x5595435fb082 in dma…
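The loop the trace shows (tulip_write starts the DMA engine, the engine's DMA write lands on the device's own MMIO region, which calls tulip_write again) as a constructed C model added here, not QEMU code and not the tulip register layout: a guest-chosen descriptor address that points back at the device's own "kick" register makes every descriptor write-back restart the engine. The memory map, the register offsets, the descriptor format and the depth guard are assumptions for the demo; the `memory` attribute in `MemTxAttrs` models what the commit's `{ .memory = true }` does, which is to make the address space refuse any DMA target that is not RAM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the DMA-reentrancy bug class (example code, not
 * QEMU's hw/net/tulip.c). One flat address space holds guest RAM and the
 * device's MMIO registers. An MMIO write to the assumed KICK register starts
 * the DMA engine, which reads and writes a descriptor at a guest-chosen
 * address. If that address points back at KICK, the DMA write-back re-enters
 * mmio_write(), which starts the engine again. */
#define RAM_BASE      0x00000000u
#define RAM_SIZE      0x1000u
#define MMIO_BASE     0xF0000000u
#define MMIO_SIZE     0x100u
#define REG_DESC_BASE 0x00u        /* assumed register: descriptor address   */
#define REG_KICK      0x04u        /* assumed register: start the DMA engine */
#define DESC_OWN      0x80000000u  /* assumed "owned by device" status bit   */
#define MAX_DEPTH     64           /* demo guard only; the real bug has none */

typedef struct { bool memory; } MemTxAttrs;   /* the attribute the fix sets */
typedef enum { TX_OK = 0, TX_ACCESS_ERROR = 1 } MemTxResult;

static struct {
    uint32_t desc_base;
    bool restrict_dma;     /* true: DMA carries attrs.memory, as after the fix */
    int depth, max_depth;  /* engine nesting; anything above 1 is re-entrancy  */
    MemTxResult last_dma;
} dev;
static uint8_t ram[RAM_SIZE];
static void mmio_write(uint32_t off, uint32_t val);

static bool in_range(uint32_t addr, uint32_t base, uint32_t size)
{
    return addr >= base && addr - base <= size - 4;   /* 4-byte access fits */
}

/* Address-space dispatch. With attrs.memory set, a target that is not RAM is
 * refused with TX_ACCESS_ERROR instead of being routed to a device handler. */
static MemTxResult dma_read(uint32_t addr, uint32_t *val, MemTxAttrs attrs)
{
    if (in_range(addr, RAM_BASE, RAM_SIZE)) {
        memcpy(val, &ram[addr - RAM_BASE], 4);
        return TX_OK;
    }
    if (!attrs.memory && in_range(addr, MMIO_BASE, MMIO_SIZE)) {
        *val = 0;                         /* registers read back as zero here */
        return TX_OK;
    }
    return TX_ACCESS_ERROR;
}

static MemTxResult dma_write(uint32_t addr, uint32_t val, MemTxAttrs attrs)
{
    if (in_range(addr, RAM_BASE, RAM_SIZE)) {
        memcpy(&ram[addr - RAM_BASE], &val, 4);
        return TX_OK;
    }
    if (!attrs.memory && in_range(addr, MMIO_BASE, MMIO_SIZE)) {
        mmio_write(addr - MMIO_BASE, val);   /* the re-entrant edge */
        return TX_OK;
    }
    return TX_ACCESS_ERROR;
}

/* The DMA engine: read the descriptor status, write it back with OWN cleared,
 * the same shape as a tulip_desc_read / tulip_desc_write pair. */
static void engine_run(void)
{
    MemTxAttrs attrs = { .memory = dev.restrict_dma };
    uint32_t status;

    dev.depth++;
    if (dev.depth > dev.max_depth)
        dev.max_depth = dev.depth;
    if (dev.depth >= MAX_DEPTH) {         /* in the real device: stack overflow */
        dev.depth--;
        return;
    }
    dev.last_dma = dma_read(dev.desc_base, &status, attrs);
    if (dev.last_dma == TX_OK)
        dev.last_dma = dma_write(dev.desc_base, status & ~DESC_OWN, attrs);
    dev.depth--;
}

static void mmio_write(uint32_t off, uint32_t val)
{
    if (off == REG_DESC_BASE)
        dev.desc_base = val;
    else if (off == REG_KICK)
        engine_run();
}

/* Program the device as a guest driver would; return the deepest engine
 * nesting observed (1 means no re-entrancy). */
static int run_scenario(bool restrict_dma, uint32_t desc_addr)
{
    memset(&dev, 0, sizeof dev);
    memset(ram, 0, sizeof ram);
    dev.restrict_dma = restrict_dma;
    if (in_range(desc_addr, RAM_BASE, RAM_SIZE)) {
        uint32_t s = DESC_OWN;            /* a legitimate descriptor in RAM */
        memcpy(&ram[desc_addr - RAM_BASE], &s, 4);
    }
    mmio_write(REG_DESC_BASE, desc_addr);
    mmio_write(REG_KICK, 1);
    return dev.max_depth;
}

static MemTxResult last_result(void) { return dev.last_dma; }

static uint32_t ram_word(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, &ram[addr - RAM_BASE], 4);
    return v;
}

int main(void)
{
    uint32_t self = MMIO_BASE + REG_KICK;   /* descriptor "living" in KICK */
    int d = run_scenario(false, self);
    printf("self-pointing descriptor, unrestricted: nesting %d (guard %d)\n", d, MAX_DEPTH);
    d = run_scenario(true, self);
    printf("self-pointing descriptor, attrs.memory: nesting %d, result %d\n", d, last_result());
    d = run_scenario(true, 0x100);
    printf("RAM descriptor, attrs.memory: nesting %d, status 0x%08x\n", d, ram_word(0x100));
    return 0;
}
```

Without the attribute the self-pointing descriptor drives the nesting straight to the guard (in the real device there is no guard, hence the AddressSanitizer stack-overflow); with it the first descriptor load fails with an access error, the engine stops at nesting 1, and a descriptor that really lives in RAM is still processed normally.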


@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {

static void tulip_desc_read(TULIPState *s, hwaddr p,

struct tulip_descriptor *desc)

{

const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;

const MemTxAttrs attrs = { .memory = true };

if (s->csr[0] & CSR0_DBO) {

ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
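Review bot: the result of `ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);` is still discarded after this hunk, so when the address space refuses a non-RAM target under the new `{ .memory = true }` attribute, tulip_desc_read carries on with whatever the helper left in desc->status and the caller never learns that the descriptor was not actually read. Consider checking the MemTxResult (or zeroing *desc up front) so a refused load yields an empty descriptor rather than a stale one. Note also that replacing MEMTXATTRS_UNSPECIFIED, which sets only the `unspecified` flag, with `{ .memory = true }` leaves `unspecified` cleared as a side effect; a one-line comment on why a fully specified, memory-only attribute is wanted here would help the next reader.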

@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,

static void tulip_desc_write(TULIPState *s, hwaddr p,

struct tulip_descriptor *desc)

{

const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;

const MemTxAttrs attrs = { .memory = true };

if (s->csr[0] & CSR0_DBO) {

stl_be_pci_dma(&s->dev, p, desc->status, attrs);
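Review bot: the diff as shown covers only the descriptor read and write paths, while the commit title restricts the whole DMA engine to memories and the advisory text also names the rx/tx frame copies; confirm the frame-copy helpers pass the same memory-only attribute, otherwise a frame copy into the device's own registers remains a reentrant path. Separately, `stl_be_pci_dma(&s->dev, p, desc->status, attrs);` now silently drops a status write-back to a non-RAM address; ignoring that is the right behaviour for the fix, but a short comment saying so would stop someone later "fixing" the unchecked return value by routing the access elsewhere.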

Related news

Gentoo Linux Security Advisory 202408-18

Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.

Ubuntu Security Notice USN-5772-1

Ubuntu Security Notice 5772-1 - It was discovered that QEMU incorrectly handled bulk transfers from SPICE clients. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that QEMU did not properly manage memory when it transfers the USB packets. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
