[PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)

Thomas Huth posted 1 patch 3 years, 5 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20220827070343.85978-1-thuth@redhat.com
Maintainers: Sven Schnelle <svens@stackframe.org>, Jason Wang <jasowang@redhat.com>
hw/net/tulip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
Posted by Thomas Huth 3 years, 5 months ago
The Tulip NIC can be used to trigger an endless recursion when its
descriptors are set up to its own MMIO address space. Fix it by
limiting the DMA accesses to normal memory.

Fixes: CVE-2022-2962
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/net/tulip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 097e905bec..b9e42c322a 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
 static void tulip_desc_read(TULIPState *s, hwaddr p,
         struct tulip_descriptor *desc)
 {
-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+    const MemTxAttrs attrs = { .memory = true };
 
     if (s->csr[0] & CSR0_DBO) {
         ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
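Review bot: the MemTxResult returned by ldl_be_pci_dma (and the other loads in this function) is still discarded, so when the `.memory = true` attribute causes an access to the device's own MMIO to be rejected, `desc->status` and the fields read after it are left with whatever the caller had on its stack, and the ring walk continues with a garbage descriptor. Either check each load's result and zero the descriptor / stop processing the ring on error, or document why a failed read is harmless here. A one-line comment on the `attrs` initializer explaining that restricting DMA to RAM is what breaks the descriptor-in-MMIO recursion would also help, since replacing MEMTXATTRS_UNSPECIFIED (which sets `.unspecified = 1`) with a designated initializer that leaves every other field zero is not self-explanatory.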
@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
 static void tulip_desc_write(TULIPState *s, hwaddr p,
         struct tulip_descriptor *desc)
 {
-    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+    const MemTxAttrs attrs = { .memory = true };
 
     if (s->csr[0] & CSR0_DBO) {
         stl_be_pci_dma(&s->dev, p, desc->status, attrs);
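Review bot: the hunk's context shows only the CSR0_DBO (big-endian) store; the little-endian branch of tulip_desc_write is outside the visible context, so confirm it passes the same `attrs` so that a descriptor write-back aimed at MMIO is rejected on both paths. As in tulip_desc_read, the store's MemTxResult is ignored; for the write-back that is arguably acceptable (a rejected store simply does not happen), but a short comment saying so, or a trace/log on MEMTX_ACCESS_ERROR, would make the intent clear to the next reader and make the guest-triggered condition observable.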
-- 
2.31.1
Re: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
Posted by Jason Wang 3 years, 5 months ago
On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <thuth@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Zheyu has posted a similar patch which has been merged:

commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Aug 21 20:43:43 2022 +0800

    net: tulip: Restrict DMA engine to memories

Thanks

> ---
>  hw/net/tulip.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index 097e905bec..b9e42c322a 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
>  static void tulip_desc_read(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
> @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
>  static void tulip_desc_write(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          stl_be_pci_dma(&s->dev, p, desc->status, attrs);
> --
> 2.31.1
>