Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-28 Thread Laszlo Ersek
On 01/28/16 06:47, Jason Wang wrote: > > > On 01/28/2016 02:35 AM, Laszlo Ersek wrote: >> Hello Jason, >> >> On 01/22/16 07:15, Jason Wang wrote: >>> >>> On 01/22/2016 02:11 PM, Michael Tokarev wrote: 22.01.2016 06:09, Jason Wang wrote: > On 01/19/2016 09:17 PM, Laszlo Ersek wrote: >

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-27 Thread Jason Wang
On 01/28/2016 02:35 AM, Laszlo Ersek wrote: > Hello Jason, > > On 01/22/16 07:15, Jason Wang wrote: >> >> On 01/22/2016 02:11 PM, Michael Tokarev wrote: >>> 22.01.2016 06:09, Jason Wang wrote: On 01/19/2016 09:17 PM, Laszlo Ersek wrote: > The start_xmit() and e1000_receive_iov() function

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-27 Thread Laszlo Ersek
Hello Jason, On 01/22/16 07:15, Jason Wang wrote: > > > On 01/22/2016 02:11 PM, Michael Tokarev wrote: >> 22.01.2016 06:09, Jason Wang wrote: >>> On 01/19/2016 09:17 PM, Laszlo Ersek wrote: The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-22 Thread Laszlo Ersek
On 01/22/16 07:15, Jason Wang wrote: > > > On 01/22/2016 02:11 PM, Michael Tokarev wrote: >> 22.01.2016 06:09, Jason Wang wrote: >>> On 01/19/2016 09:17 PM, Laszlo Ersek wrote: The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-21 Thread Jason Wang
On 01/22/2016 02:11 PM, Michael Tokarev wrote: > 22.01.2016 06:09, Jason Wang wrote: >> On 01/19/2016 09:17 PM, Laszlo Ersek wrote: >>> The start_xmit() and e1000_receive_iov() functions implement DMA transfers >>> iterating over a set of descriptors that the guest's e1000 driver >>> prepares: >

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-21 Thread Michael Tokarev
22.01.2016 06:09, Jason Wang wrote: > On 01/19/2016 09:17 PM, Laszlo Ersek wrote: >> The start_xmit() and e1000_receive_iov() functions implement DMA transfers >> iterating over a set of descriptors that the guest's e1000 driver >> prepares: ... > Applied in my -net. This is CVE-2016-1981, btw. /

Re: [Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-21 Thread Jason Wang
On 01/19/2016 09:17 PM, Laszlo Ersek wrote: > The start_xmit() and e1000_receive_iov() functions implement DMA transfers > iterating over a set of descriptors that the guest's e1000 driver > prepares: > > - the TDLEN and RDLEN registers store the total size of the descriptor > area, > > - while

[Qemu-devel] [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer start

2016-01-19 Thread Laszlo Ersek
The start_xmit() and e1000_receive_iov() functions implement DMA transfers iterating over a set of descriptors that the guest's e1000 driver prepares: - the TDLEN and RDLEN registers store the total size of the descriptor area, - while the TDH and RDH registers store the offset (in whole tx / r