On 20.11.2015 at 07:29, Qinghao Tang wrote:
> I think the patch can solve this vulnerability.
> I confirm that the loop exists; the PoC code can prove that.
>
>
> #include
> #include
> #include
> #include
> #define PAGE_OFFSET 0x0C00
> MODULE_LICENSE("GPL");
> static int hello_init(void)
>
Hello Qinghao,
+-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+
| I think the patch can solve this vulnerability.
| I confirm that the loop exists; the PoC code can prove that.
Great! Thank you so much for the confirmation and the POC code. I'll send an
updated patch shortly.
Thank you.
--
P
I think the patch can solve this vulnerability.
I confirm that the loop exists; the PoC code can prove that.
#include
#include
#include
#include
#define PAGE_OFFSET 0x0C00
MODULE_LICENSE("GPL");
static int hello_init(void)
{
void* pvirt;
void* pphy;
unsigned long* pdbal;
unsigned
Hello Qinghao,
+-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+
| Currently what problem do you have? Perhaps I could provide more support.
Could you please confirm if the proposed patch here fixes the issue.
Secondly there is uncertainty if the CB loop like Jason mentioned earlier is
possi
Currently what problem do you have? Perhaps I could provide more support.
And please give this vulnerability a CVE ID.
Thanks!
2015-11-04 11:31 GMT+08:00 Jason Wang :
>
>
> On 11/04/2015 02:49 AM, P J P wrote:
> > +-- On Tue, 20 Oct 2015, Jason Wang wrote --+
> > | Can this survive if we had a c
On 11/04/2015 02:49 AM, P J P wrote:
> +-- On Tue, 20 Oct 2015, Jason Wang wrote --+
> | Can this survive if we had a chain like?
> | A->B->A
>
> No, current patch wouldn't cope with it. Though I wonder if such a loop is
> possible?
Just wondering.
Tx.link is uint32_t, but any chance s->cu
+-- On Tue, 20 Oct 2015, Jason Wang wrote --+
| Can this survive if we had a chain like?
| A->B->A
No, current patch wouldn't cope with it. Though I wonder if such a loop is
possible?
| If not, looks like we need to limit the maximum number of commands in a
| chain? (e.g 256)
Okay, I'll u
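To make the A->B->A question concrete, here is an added example (not code from the thread or from QEMU's eepro100.c) that models the command-block (CB) walk the emulation performs. It is a constructed simulation: guest RAM is a small byte array, each CB is laid out as the e100 does it (16-bit status, 16-bit command with EL in bit 15, 32-bit link), and the offsets 0x100/0x110/0x120, the 256-entry cap and the enum names are assumptions of this example. It shows that a check of the form "link == cu_offset" stops a CB that links to itself but not a two-element cycle, while a bound on the number of CBs processed stops both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest RAM.  The e100 command unit (CU) walks a list
 * of command blocks (CBs): each CB starts with a 16-bit status word, a 16-bit
 * command word (bit 15 = EL, end of list) and a 32-bit link offset to the next
 * CB.  The guest driver writes all three, so the device model cannot assume
 * the list ever reaches a CB with EL set. */
#define GUEST_MEM_SIZE 0x1000u
#define CB_EL          0x8000u  /* EL bit in the command word */
#define MAX_CB_CHAIN   256u     /* bound suggested in the thread (assumed value) */

typedef struct { uint8_t mem[GUEST_MEM_SIZE]; } guest_mem;

typedef enum {
    WALK_END_OF_LIST, /* stopped at a CB with EL set: the normal case */
    WALK_SELF_LINK,   /* link == current cu_offset: the first patch's check */
    WALK_LIMIT_HIT    /* processed 'limit' CBs without seeing EL: a cycle */
} walk_stop;

/* Out-of-range reads return 0 (an assumption of this model, not of the device). */
static uint16_t rd16(const guest_mem *g, uint32_t off)
{
    uint16_t v = 0;
    if (off <= GUEST_MEM_SIZE - 2) memcpy(&v, g->mem + off, 2);
    return v;
}
static uint32_t rd32(const guest_mem *g, uint32_t off)
{
    uint32_t v = 0;
    if (off <= GUEST_MEM_SIZE - 4) memcpy(&v, g->mem + off, 4);
    return v;
}
/* Lay down one CB: status 0, command = EL or nothing, link as given. */
static void put_cb(guest_mem *g, uint32_t off, bool el, uint32_t link)
{
    uint16_t status = 0, command = el ? CB_EL : 0;
    memcpy(g->mem + off, &status, 2);
    memcpy(g->mem + off + 2, &command, 2);
    memcpy(g->mem + off + 4, &link, 4);
}

/* Process the list at cu_offset the way the emulation loop does: read a CB,
 * act on it, follow its link, stop at EL.  check_self adds the first patch's
 * "link == cu_offset" test, which only catches a CB that links to itself.
 * limit caps the number of CBs processed, which ends any cycle.  Returns why
 * the walk stopped and stores how many CBs were processed. */
static walk_stop walk_cb_list(const guest_mem *g, uint32_t cu_offset,
                              bool check_self, unsigned limit,
                              unsigned *processed)
{
    unsigned n = 0;
    for (;;) {
        uint16_t command = rd16(g, cu_offset + 2);
        uint32_t link = rd32(g, cu_offset + 4);
        n++;
        if (command & CB_EL) { *processed = n; return WALK_END_OF_LIST; }
        if (check_self && link == cu_offset) { *processed = n; return WALK_SELF_LINK; }
        if (n >= limit) { *processed = n; return WALK_LIMIT_HIT; }
        cu_offset = link;  /* s->cu_offset = s->tx.link in the emulation */
    }
}

/* The three lists the thread talks about, at constructed offsets. */
enum { LIST_TERMINATED, LIST_SELF_LOOP, LIST_A_B_A };

static walk_stop run_list(int kind, bool check_self, unsigned limit,
                          unsigned *processed)
{
    guest_mem g;
    memset(&g, 0, sizeof g);
    switch (kind) {
    case LIST_TERMINATED: /* A -> B -> C(EL): a well-formed chain */
        put_cb(&g, 0x100, false, 0x110);
        put_cb(&g, 0x110, false, 0x120);
        put_cb(&g, 0x120, true, 0);
        break;
    case LIST_SELF_LOOP:  /* A -> A: what the first patch was written for */
        put_cb(&g, 0x100, false, 0x100);
        break;
    default:              /* A -> B -> A: the chain Jason asked about */
        put_cb(&g, 0x100, false, 0x110);
        put_cb(&g, 0x110, false, 0x100);
        break;
    }
    return walk_cb_list(&g, 0x100, check_self, limit, processed);
}

int main(void)
{
    static const char *names[] = { "end of list", "self link", "limit hit" };
    unsigned n;
    walk_stop r = run_list(LIST_SELF_LOOP, true, MAX_CB_CHAIN, &n);
    printf("A->A,    self-link check: %s after %u CBs\n", names[r], n);
    r = run_list(LIST_A_B_A, true, MAX_CB_CHAIN, &n);
    printf("A->B->A, self-link check: %s after %u CBs\n", names[r], n);
    return 0;
}
```

Without a limit the A->B->A case never reaches the EL test, which is the infinite loop under discussion; the bound turns that into a visible "limit hit" after a fixed number of CBs, and the self-link comparison alone is only a special case of it.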
I will try to test the PoC on real e100.
But this work may need some more time.
Sent from my iPhone
> On 20 Oct 2015, at 11:04 AM, Jason Wang wrote:
>
>
>
>> On 10/17/2015 07:35 PM, Peter Maydell wrote:
>>> On 16 October 2015 at 22:37, Stefan Weil wrote:
>>> Maybe real hardware will run an endless loop?
>>>
On 10/17/2015 07:35 PM, Peter Maydell wrote:
> On 16 October 2015 at 22:37, Stefan Weil wrote:
>> Maybe real hardware will run an endless loop?
>> Or the "endless" loop is terminated because the driver
>> changes the link while the loop is running?
>>
>> The goal of eepro100.c should be emulatio
On 10/17/2015 01:19 AM, P J P wrote:
> +-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+
> | > +if (s->tx.link == s->cu_offset)
> | > +break;
> |
> | Please update the patch to conform to QEMU's coding standards; braces
> | are required even around single-statement blocks.
>
>
On 16 October 2015 at 22:37, Stefan Weil wrote:
> Maybe real hardware will run an endless loop?
> Or the "endless" loop is terminated because the driver
> changes the link while the loop is running?
>
> The goal of eepro100.c should be emulation of the
> real hardware, even of a potential design w
Hello,
+-- On Fri, 16 Oct 2015, Stefan Weil wrote --+
| is this just a theoretical assumption or did you see problems
| with some guest operating system?
|
| To trigger a potential infinite loop, you'll need buggy device
| drivers in the guest.
Right; the issue isn't theoretical, it was seen
On 16.10.2015 at 19:19, P J P wrote:
> +-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+
> | > +if (s->tx.link == s->cu_offset)
> | > +break;
> |
> | Please update the patch to conform to QEMU's coding standards; braces
> | are required even around single-statement blocks.
>
>
+-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+
| > +if (s->tx.link == s->cu_offset)
| > +break;
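Review bot: the comparison only detects a CB whose link equals s->cu_offset, i.e. a block that links back to itself, so a longer cycle such as A->B->A (raised later in this thread) still loops forever; in addition to this check, cap the number of CBs walked per call (a limit such as 256 was suggested). Also, QEMU coding style requires braces around the single-statement `break;` block.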
|
| Please update the patch to conform to QEMU's coding standards; braces
| are required even around single-statement blocks.
Done. Please see an updated patch below.
===
From
On 16/10/2015 13:12, P J P wrote:
>Hello,
>
> An infinite loop issue in hw/net/eepro100.c emulator was reported by Mr
> Qinghao Tang (CC'd here).
>
> Below is a proposed fix patch and details about the issue.
>
> ===
> From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001
>
Hello,
An infinite loop issue in hw/net/eepro100.c emulator was reported by Mr
Qinghao Tang (CC'd here).
Below is a proposed fix patch and details about the issue.
===
From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit
Date: Fri, 16 Oct 2015 11:3