From fc0bca7bd2685b8f8e3c37f19ce74967870ef952 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Thu, 21 Oct 2021 12:10:47 -0400 Subject: [PATCH 2/2] e1000: fix tx re-entrancy problem MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Jon Maloy RH-MergeRequest: 73: e1000: fix tx re-entrancy problem RH-Commit: [1/1] 3088ea275ddcee1ba0d47f7cff195af3e256f15f (jmaloy/qemu-kvm) RH-Bugzilla: 2025011 RH-Acked-by: Miroslav Rezanina RH-Acked-by: Philippe Mathieu-Daudé RH-Acked-by: Laurent Vivier The fact that the MMIO handler is not re-entrant causes an infinite loop under certain conditions: Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX We now eliminate the effect of this problem locally in e1000, by adding a boolean in struct E1000State indicating when the TX side is busy. This will cause any entering new call to return early instead of interfering with the ongoing work, and eliminates any risk of looping. This is intended to address CVE-2021-20257. Signed-off-by: Jon Maloy Signed-off-by: Jason Wang (cherry picked from commit 25ddb946e6301f42cff3094ea1c25fb78813e7e9) Signed-off-by: Jon Maloy --- hw/net/e1000.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 8680b7d46b..1963a5b243 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -105,6 +105,7 @@ typedef struct E1000State_st { e1000x_txd_props props; e1000x_txd_props tso_props; uint16_t tso_frames; + bool busy; } tx; struct { @@ -749,6 +750,11 @@ start_xmit(E1000State *s) return; } + if (s->tx.busy) { + return; + } + s->tx.busy = true; + while (s->mac_reg[TDH] != s->mac_reg[TDT]) { base = tx_desc_base(s) + sizeof(struct e1000_tx_desc) * s->mac_reg[TDH]; @@ -775,6 +781,7 @@ start_xmit(E1000State *s) break; } } + s->tx.busy = false; set_ics(s, 0, cause); } -- 2.27.0
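Review bot: in the struct hunk, the new `bool busy;` field is added to the `tx` sub-struct of E1000State with no comment, right next to `tso_frames` and the descriptor property fields that describe guest-visible state. The patch does not add it to any vmstate description, which is correct for a transient host-side guard, but nothing says so; a one-line comment such as "re-entrancy guard for start_xmit(); not device state, not migrated" would stop a later change from treating it as register state or adding it to migration.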
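Review bot: in the start_xmit hunk, the guard `if (s->tx.busy) { return; }` silently drops the nested call, so the interrupt cause that nested invocation would have handed to set_ics() is never raised by it. This is only safe because the outer invocation's `while (s->mac_reg[TDH] != s->mac_reg[TDT])` re-reads TDT on every iteration and therefore picks up the descriptors the nested call was entered for, and then reaches its own set_ics(). That reasoning is not visible at the early return, which otherwise reads like lost work; a short comment above the check explaining that the outer loop will consume the new TDT value would help. The placement after the preceding `return;` path is right, since that path cannot leave the flag stuck at true.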
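Review bot: in the final hunk, `s->tx.busy = false;` is the only place the flag is cleared, and between `s->tx.busy = true;` and this line the visible loop body leaves only via `break;`. Any future early `return` added inside the loop would leave the flag set and permanently disable transmit for that guest, so either mark the invariant with a comment at the clear or route all exits through it. The clear is also placed before `set_ics(s, 0, cause);`, meaning a re-entry triggered from the interrupt path would not be blocked; if that ordering is deliberate, say so in a comment, since moving the clear after set_ics() would look equally plausible to a later reader.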