On 21/09/2016 19:50, P J P wrote:
> +-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+
> | On 21/09/2016 15:45, P J P wrote:
> | > DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
> | > addr, bd.flags, bd.length, bd.data);
> | > - if ((bd.flags & FEC_BD_R) == 0) {
> | > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) {
> | > /* Run out of descriptors to transmit. */
> | > break;
> | > }
> |
> | Is this a bug?
>
> Yes, a guest user can control the contents of buffer descriptor 'bd' and
> could set its length to zero and bd.flags to FEC_BD_R; thus making the loop
> run infinite iterations.
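Review bot: the `+` line's `!bd.length` test changes what a zero-length descriptor means instead of bounding the loop: a guest that queues a legitimate zero-length descriptor now hits the `break` and transmission stops for the rest of the ring, while a ring whose descriptors all have non-zero length and FEC_BD_R set is not affected by the new test at all. Bound the walk with a per-call descriptor count checked next to the FEC_BD_R test instead, and keep the "Run out of descriptors to transmit" comment accurate to the condition it sits under.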
Not exactly, because addr changes on every call to mcf_fec_read_bd. You
can add a limit (e.g. 1024 or 2048 descriptors), but the patches are
incorrect.

Paolo

> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
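The bounded descriptor walk Paolo suggests, as an added C example that is not QEMU's mcf_fec code: the ring, the flag values (FEC_BD_R and FEC_BD_W are assumed) and the guest-memory stand-in are constructed here, and a guest that re-arms every descriptor it gets back is modelled so the per-call cap can be seen to terminate the loop.

```c
#include <stdint.h>
#include <stddef.h>

/* Flag values are assumed for this model, not taken from mcf_fec.c. */
#define FEC_BD_R      0x8000  /* descriptor ready: owned by the device */
#define FEC_BD_W      0x2000  /* last descriptor: wrap to the ring base */
#define FEC_MAX_TX_BD 1024    /* descriptors walked per call (thread suggests 1024 or 2048) */

typedef struct { uint16_t flags; uint16_t length; uint32_t data; } fec_bd;

/* Constructed stand-in for guest RAM. rearm models a guest that sets FEC_BD_R again
 * on every slot the device hands back, which is what lets an unbounded walk spin. */
typedef struct { fec_bd *ring; size_t n; int rearm; } guest_mem;

static void read_bd(const guest_mem *m, uint32_t addr, fec_bd *bd) { *bd = m->ring[addr % m->n]; }
static void write_bd(guest_mem *m, uint32_t addr, const fec_bd *bd)
{
    m->ring[addr % m->n] = *bd;
    if (m->rearm) m->ring[addr % m->n].flags |= FEC_BD_R;
}

/* Walk the TX ring: transmit while FEC_BD_R is set, hand each descriptor back with the
 * flag cleared, and stop after FEC_MAX_TX_BD descriptors whatever the guest writes.
 * Zero-length descriptors count as transmitted; they are not an "empty ring" signal. */
size_t fec_do_tx(guest_mem *m, uint32_t base)
{
    uint32_t addr = base;
    size_t processed = 0;
    fec_bd bd;
    while (processed < FEC_MAX_TX_BD) {
        read_bd(m, addr, &bd);
        if ((bd.flags & FEC_BD_R) == 0) break;   /* ran out of descriptors */
        processed++;                             /* real device: send bd.length bytes at bd.data */
        bd.flags &= ~FEC_BD_R;
        write_bd(m, addr, &bd);
        addr = (bd.flags & FEC_BD_W) ? base : addr + 1;
    }
    return processed;
}

/* Benign ring: three ready descriptors (one zero-length), then a free slot with wrap. */
size_t tx_benign(void)
{
    fec_bd ring[4] = { {FEC_BD_R, 64, 0x1000}, {FEC_BD_R, 0, 0x2000},
                       {FEC_BD_R, 128, 0x3000}, {FEC_BD_W, 0, 0} };
    guest_mem m = { ring, 4, 0 };
    return fec_do_tx(&m, 0);
}
/* Hostile ring: every slot ready and re-armed as soon as it is handed back. */
size_t tx_hostile(void)
{
    fec_bd ring[2] = { {FEC_BD_R, 0, 0}, {FEC_BD_R | FEC_BD_W, 0, 0} };
    guest_mem m = { ring, 2, 1 };
    return fec_do_tx(&m, 0);
}
```

The benign ring transmits its three ready descriptors and stops at the free slot; the hostile ring would never drain, and the walk returns after exactly FEC_MAX_TX_BD descriptors instead of spinning.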