From: Jon Maloy <jmaloy@redhat.com>
To: qemu-devel@nongnu.org
Cc: jmaloy@redhat.com
Subject: [PATCH] e1000: fix tx re-entrancy problem
Date: Thu, 21 Oct 2021 12:10:47 -0400
Message-ID: <20211021161047.578751-1-jmaloy@redhat.com>
The fact that the MMIO handler is not re-entrant causes an infinite
loop under certain conditions:
Guest write to TDT -> Loopback -> RX (DMA to TDT) -> TX
We now eliminate the effect of this problem locally in e1000, by adding
a boolean in struct E1000State indicating when the TX side is busy. This
will cause any entering new call to return early instead of interfering
with the ongoing work, and eliminates any risk of looping.
This is intended to address CVE-2021-20257.
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/net/e1000.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index a30546c5d5..f5bc81296d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -107,6 +107,7 @@ struct E1000State_st {
e1000x_txd_props props;
e1000x_txd_props tso_props;
uint16_t tso_frames;
+ bool busy;
} tx;
struct {
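Review bot: the new `bool busy;` field in the `tx` sub-struct has no comment saying what it guards; add a one-line comment marking it as a runtime-only re-entrancy flag (a transmit in progress is purely transient state), and confirm that the device reset path clears it or zeroes the whole `tx` struct, so the device can never come out of reset with `busy` stuck at true and the transmit path silently disabled.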
@@ -763,6 +764,11 @@ start_xmit(E1000State *s)
return;
}
+ if (s->tx.busy) {
+ return;
+ }
+ s->tx.busy = true;
+
while (s->mac_reg[TDH] != s->mac_reg[TDT]) {
base = tx_desc_base(s) +
sizeof(struct e1000_tx_desc) * s->mac_reg[TDH];
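Review bot: the early `return` when `s->tx.busy` is set drops the nested call without processing anything, which is only safe because the outer `while (s->mac_reg[TDH] != s->mac_reg[TDT])` loop re-reads TDT on every iteration and will pick up any descriptors the nested DMA queued; that invariant is what makes the guard lossless and deserves a comment next to the `return`. Setting `s->tx.busy = true` after the pre-existing early `return;` above it is correct, since that path never leaves the flag set.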
@@ -789,6 +795,7 @@ start_xmit(E1000State *s)
break;
}
}
+ s->tx.busy = false;
set_ics(s, 0, cause);
}
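Review bot: `s->tx.busy = false;` is the only place the flag is cleared, so every exit between `s->tx.busy = true` and this line must fall through to it; the `break` in the hunk above does, but any future early `return` added inside the loop would leave the device permanently unable to transmit. Consider a comment stating that requirement at the clearing site. As the commit message says, this is a local mitigation for the TX path only; other loops in this device that DMA into guest memory while an MMIO write is being handled are not covered by this flag.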
--
2.31.1
Thread overview: 7+ messages
2021-10-21 16:10 Jon Maloy [this message]
2021-10-27 4:40 ` [PATCH] e1000: fix tx re-entrancy problem Jason Wang
2021-12-16 9:36 ` Philippe Mathieu-Daudé
2021-12-16 15:51 ` Jon Maloy
2021-12-16 18:35 ` Philippe Mathieu-Daudé
2021-12-16 19:01 ` Alexander Bulekov
2021-12-16 20:22 ` Jon Maloy