On Sat, Aug 27, 2022 at 3:03 PM Thomas Huth <th...@redhat.com> wrote:
>
> The Tulip NIC can be used to trigger an endless recursion when its
> descriptors are set up to its own MMIO address space. Fix it by
> limiting the DMA accesses to normal memory.
>
> Fixes: CVE-2022-2962
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1171
> Signed-off-by: Thomas Huth <th...@redhat.com>

Zheyu has posted a similar patch which has been merged:

commit 36a894aeb64a2e02871016da1c37d4a4ca109182
Author: Zheyu Ma <zheyum...@gmail.com>
Date:   Sun Aug 21 20:43:43 2022 +0800

    net: tulip: Restrict DMA engine to memories

Thanks

> ---
>  hw/net/tulip.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/tulip.c b/hw/net/tulip.c
> index 097e905bec..b9e42c322a 100644
> --- a/hw/net/tulip.c
> +++ b/hw/net/tulip.c
> @@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
>  static void tulip_desc_read(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
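
Review bot: In tulip_desc_read() the result of ldl_be_pci_dma(&s->dev, p, &desc->status, attrs) is still discarded, so once `.memory = true` makes a descriptor read from a non-memory address fail, the function carries on with whatever desc already held. Consider checking the return value of each load here and letting the caller stop processing the ring when one fails, rather than acting on a descriptor that was never filled in.
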
> @@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
>  static void tulip_desc_write(TULIPState *s, hwaddr p,
>          struct tulip_descriptor *desc)
>  {
> -    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +    const MemTxAttrs attrs = { .memory = true };
>
>      if (s->csr[0] & CSR0_DBO) {
>          stl_be_pci_dma(&s->dev, p, desc->status, attrs);
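
Review bot: The `{ .memory = true }` initializer in tulip_desc_write() is the second unexplained copy of the same literal used in tulip_desc_read(), and nothing in the code says why descriptor DMA must be limited to memory. A one-line comment naming the recursion through the device's own MMIO space, or a single shared constant used by both functions, would keep the two in step and stop a later cleanup from reverting one of them to MEMTXATTRS_UNSPECIFIED. Note also that the designated initializer leaves every field other than .memory zero, so it is worth confirming that dropping what MEMTXATTRS_UNSPECIFIED set is intended.
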
> --
> 2.31.1
>

