From: Thomas Huth
To: qemu-devel@nongnu.org, Sven Schnelle
Cc: qemu-stable@nongnu.org, Jason Wang, Siqi Chen
Subject: [PATCH] hw/net/tulip: Fix DMA reentrancy issue with stack overflow (CVE-2022-2962)
Date: Sat, 27 Aug 2022 09:03:43 +0200
Message-Id: <20220827070343.85978-1-thuth@redhat.com>

The Tulip NIC can be used to trigger an endless recursion when its
descriptors are set up to its own MMIO address space. Fix it by limiting
the DMA accesses to normal memory.

Fixes: CVE-2022-2962
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
Signed-off-by: Thomas Huth
--- hw/net/tulip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/net/tulip.c b/hw/net/tulip.c index 097e905bec..b9e42c322a 100644 --- a/hw/net/tulip.c +++ b/hw/net/tulip.c
@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip =3D { static void tulip_desc_read(TULIPState *s, hwaddr p, struct tulip_descriptor *desc) { - const MemTxAttrs attrs =3D MEMTXATTRS_UNSPECIFIED; + const MemTxAttrs attrs =3D { .memory =3D true }; =20 if (s->csr[0] & CSR0_DBO) { ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, static void tulip_desc_write(TULIPState *s, hwaddr p, struct tulip_descriptor *desc) { - const MemTxAttrs attrs =3D MEMTXATTRS_UNSPECIFIED; + const MemTxAttrs attrs =3D { .memory =3D true }; =20 if (s->csr[0] & CSR0_DBO) { stl_be_pci_dma(&s->dev, p, desc->status, attrs); --=20 2.31.1
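Review bot: In the tulip_desc_read hunk, the result of ldl_be_pci_dma(&s->dev, p, &desc->status, attrs) is still discarded, so once `.memory = true` causes a descriptor address that points into MMIO space to be rejected, this void function gives its caller no sign that desc was not filled in. Consider checking the return value and either clearing the descriptor or reporting the failure, so the caller does not act on stale or uninitialized fields. A one-line comment next to the initializer saying that descriptor DMA is restricted to RAM to stop the device from re-entering its own MMIO handlers would also help later readers.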
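Review bot: The attrs change in the tulip_desc_write hunk, like the one in tulip_desc_read, covers only the descriptor accesses, and the diffstat shows no other lines of hw/net/tulip.c touched. Please confirm whether any other DMA the device performs outside these two functions needs the same restriction to normal memory, and say so in the commit message if it was checked and found unnecessary. Separately, the identical `const MemTxAttrs attrs = { .memory = true };` now appears in both functions; a single shared definition would keep the two from drifting apart.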