On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <th...@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <th...@redhat.com>

Zheyu has posted a similar patch which has been merged:

commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyum...@gmail.com>
Date:   Sun Aug 21 20:43:43 2022 +0800

    net: tulip: Restrict DMA engine to memories

Thanks

> --- > hw/net/tulip.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/net/tulip.c b/hw/net/tulip.c > index 097e905bec..b9e42c322a 100644 > --- a/hw/net/tulip.c > +++ b/hw/net/tulip.c > @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = { > static void tulip_desc_read(TULIPState *s, hwaddr p, > struct tulip_descriptor *desc) > { > - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; > + const MemTxAttrs attrs = { .memory = true }; > > if (s->csr[0] & CSR0_DBO) { > ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); > @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, > static void tulip_desc_write(TULIPState *s, hwaddr p, > struct tulip_descriptor *desc) > { > - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; > + const MemTxAttrs attrs = { .memory = true }; > > if (s->csr[0] & CSR0_DBO) { > stl_be_pci_dma(&s->dev, p, desc->status, attrs); > -- > 2.31.1 >
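
Review bot: In the tulip_desc_read hunk the result of "ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);" is discarded, so once { .memory = true } causes a load from a non-RAM address to be refused, the caller has no way to tell that desc->status was not filled from the guest. Suggest checking the returned MemTxResult and treating a failed load as a descriptor fetch error, so the ring is not processed with fields that were never read.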
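
Review bot: The initializer "const MemTxAttrs attrs = { .memory = true };" in the tulip_desc_write hunk duplicates the one in tulip_desc_read, and neither carries a comment saying why descriptor DMA has to be confined to RAM. Suggest one shared file-level constant with a one-line comment pointing at the MMIO re-entrancy from the commit message, so a later cleanup does not revert it to MEMTXATTRS_UNSPECIFIED. The return value of "stl_be_pci_dma(&s->dev, p, desc->status, attrs);" is also unchecked here; a refused write-back is worth at least a guest-error log entry.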
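
The recursion described in the commit message, and why a memory-only DMA attribute stops it, shown as a toy C model. This is an added illustration, not QEMU code and not part of the patch: the address map, TxAttrs, dma_write32(), mmio_write(), run() and the MAX_DEPTH guard are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model, not QEMU code: one RAM region plus one device MMIO window. */
#define RAM_SIZE  0x1000u
#define MMIO_BASE 0x8000u
#define MMIO_SIZE 0x80u
#define MAX_DEPTH 64          /* model-only guard so the demo terminates */
typedef struct { bool memory; } TxAttrs;   /* stands in for MemTxAttrs */

static uint8_t ram[RAM_SIZE];
static uint32_t desc_base;    /* descriptor address programmed by the guest */
static TxAttrs dev_attrs;     /* attributes the device uses for its DMA */
static int depth, deepest;
static void mmio_write(uint32_t off, uint32_t val);

/* Device-initiated store; attrs.memory restricts targets to RAM. */
static bool dma_write32(uint32_t addr, uint32_t val, TxAttrs attrs)
{
    if (addr <= RAM_SIZE - 4) {
        memcpy(&ram[addr], &val, sizeof(val));
        return true;
    }
    if (addr < MMIO_BASE || addr >= MMIO_BASE + MMIO_SIZE || attrs.memory) {
        return false;                       /* unmapped, or MMIO refused */
    }
    mmio_write(addr - MMIO_BASE, val);      /* re-enters the device model */
    return true;
}

/* Simplification: every register write triggers a status write-back. */
static void mmio_write(uint32_t off, uint32_t val)
{
    (void)off; (void)val;
    if (++depth > deepest) deepest = depth;
    if (depth < MAX_DEPTH) dma_write32(desc_base, 0, dev_attrs);
    depth--;
}

/* Deepest handler nesting reached for one guest register write. */
int run(uint32_t ring_addr, bool memory_only)
{
    desc_base = ring_addr;
    dev_attrs.memory = memory_only;
    depth = deepest = 0;
    mmio_write(0, 1);
    return deepest;
}
```

With the descriptor address inside the MMIO window, run() nests until the model's guard unless memory_only is set, in which case the store is refused and the handler runs once.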