Hide Forgot
An infinite loop vulnerability was found in gem_transmit() function. Vulnerable code (hw/net/cadence_gem.c): static void gem_transmit(CadenceGEMState *s) { unsigned desc[2]; hwaddr packet_desc_addr; uint8_t tx_packet[2048]; uint8_t *p; unsigned total_bytes; … while (tx_desc_get_used(desc) == 0) { // always be true … /* Last descriptor for this packet; hand the whole thing off */ if (tx_desc_get_last(desc)) {// never go to this branch … } /* read next descriptor */ if (tx_desc_get_wrap(desc)) { packet_desc_addr = s->regs[GEM_TXQBASE]; // the s->tx_desc_addr is always the same } else { packet_desc_addr += 8; } } By setting s->tx_desc_addr's DESC_1_TX_WRAP flag and not setting DESC_1_TX_LAST flag, desc never changes and the while condition remains true, causing infinite loop.
Acknowledgments: Name: Li Qiang (Qihoo 360 Inc.)
Created attachment 1146821 [details] Crash report
Upstream fix ------------ -> git.qemu.org/?p=qemu.git;a=commit;h=cbdab58d469cc52de30f3d0998a15d32d2fac3a0