Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread Qinghao Tang
Currently what problem do you have? Perhaps I could provide more support. And please give this vulnerability a CVE ID. Thanks! 2015-11-04 11:31 GMT+08:00 Jason Wang : > > > On 11/04/2015 02:49 AM, P J P wrote: > > +-- On Tue, 20 Oct 2015, Jason Wang wrote --+ > > | Can this

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread P J P
Hello Qinghao, +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+ | Currently what problem do you have? Perhaps I could provide more support. Could you please confirm if the proposed patch here fixes the issue? Secondly, there is uncertainty if the CB loop like Jason mentioned earlier is

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread Stefan Weil
On 20.11.2015 at 07:29, Qinghao Tang wrote: > I think the patch can solve this vulnerability. > I confirm that the loop exists, the PoC code can prove that. > > > #include > #include > #include > #include > #define PAGE_OFFSET 0x0C00 > MODULE_LICENSE("GPL"); > static int hello_init(void)

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread Qinghao Tang
I think the patch can solve this vulnerability. I confirm that the loop exists, the PoC code can prove that. #include #include #include #include #define PAGE_OFFSET 0x0C00 MODULE_LICENSE("GPL"); static int hello_init(void) { void* pvirt; void* pphy; unsigned long* pdbal;

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-19 Thread P J P
Hello Qinghao, +-- On Fri, 20 Nov 2015, Qinghao Tang wrote --+ | I think the patch can solve this vulnerability. | I confirm that the loop exists, the PoC code can prove that. Great! Thank you so much for the confirmation and the PoC code. I'll send an updated patch shortly. Thank you. --

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-03 Thread P J P
+-- On Tue, 20 Oct 2015, Jason Wang wrote --+ | Can this survive if we had a chain like? | A->B->A No, current patch wouldn't cope with it. Though I wonder if such a loop is possible? | If not, looks like we need to limit the maximum number of commands in a | chain? (e.g 256) Okay, I'll

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-11-03 Thread Jason Wang
On 11/04/2015 02:49 AM, P J P wrote: > +-- On Tue, 20 Oct 2015, Jason Wang wrote --+ > | Can this survive if we had a chain like? > | A->B->A > > No, current patch wouldn't cope with it. Though I wonder if such a loop is > possible? Just wondering. Tx.link is uint32_t, but any chance

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-19 Thread Jason Wang
On 10/17/2015 01:19 AM, P J P wrote: > +-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+ > | > +if (s->tx.link == s->cu_offset) > | > +break; > | > | Please update the patch to conform to QEMU's coding standards; braces > | are required even around single-statement blocks. >

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-19 Thread Jason Wang
On 10/17/2015 07:35 PM, Peter Maydell wrote: > On 16 October 2015 at 22:37, Stefan Weil wrote: >> Maybe real hardware will run an endless loop? >> Or the "endless" loop is terminated because the driver >> changes the link while the loop is running? >> >> The goal of eepro100.c

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-19 Thread max
I will try to test the PoC on real e100. But this work may need some more time. Sent from my iPhone > On 2015-10-20, at 11:04 AM, Jason Wang wrote: > > > >> On 10/17/2015 07:35 PM, Peter Maydell wrote: >>> On 16 October 2015 at 22:37, Stefan Weil wrote: >>> Maybe real

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-17 Thread P J P
Hello, +-- On Fri, 16 Oct 2015, Stefan Weil wrote --+ | is this just a theoretical assumption or did you see problems | with some guest operating system? | | To trigger a potential infinite loop, you'll need buggy device | drivers in the guest. Right; the issue isn't theoretical, it was

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-17 Thread Peter Maydell
On 16 October 2015 at 22:37, Stefan Weil wrote: > Maybe real hardware will run an endless loop? > Or the "endless" loop is terminated because the driver > changes the link while the loop is running? > > The goal of eepro100.c should be emulation of the > real hardware, even of a

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread P J P
+-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+ | > +if (s->tx.link == s->cu_offset) | > +break; | | Please update the patch to conform to QEMU's coding standards; braces | are required even around single-statement blocks. Done. Please see an updated patch below. ===

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread Stefan Weil
On 16.10.2015 at 19:19, P J P wrote: > +-- On Fri, 16 Oct 2015, Paolo Bonzini wrote --+ > | > +if (s->tx.link == s->cu_offset) > | > +break; > | > | Please update the patch to conform to QEMU's coding standards; braces > | are required even around single-statement blocks. > >

[Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread P J P
Hello, An infinite loop issue in the hw/net/eepro100.c emulator was reported by Mr Qinghao Tang (CC'd here). Below is a proposed fix patch and details about the issue. === From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit

Re: [Qemu-devel] [PATCH] eepro100: prevent an infinite loop over same command block

2015-10-16 Thread Paolo Bonzini
On 16/10/2015 13:12, P J P wrote: >Hello, > > An infinite loop issue in hw/net/eepro100.c emulator was reported by Mr > Qinghao Tang(CC'd here). > > Below is a proposed fix patch and details about the issue. > > === > From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001