An infinite-loop vulnerability was found in the e1000_receive_iov() function. Vulnerable code (hw/net/e1000.c):

static ssize_t
e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
{
    ...
    do {
        desc_size = total_size - desc_offset;
        if (desc_size > s->rxbuf_size) {
            desc_size = s->rxbuf_size;
        }
        base = rx_desc_base(s) + sizeof(desc) * s->mac_reg[RDH]; // we can set base
        pci_dma_read(d, base, &desc, sizeof(desc));
        desc.special = vlan_special;
        desc.status |= (vlan_status | E1000_RXD_STAT_DD);
        if (desc.buffer_addr) { // set desc.buffer_addr = NULL
            ...
        } else { // as per intel docs; skip descriptors with null buf addr
            DBGOUT(RX, "Null RX descriptor!!\n");
        }
        pci_dma_write(d, base, &desc, sizeof(desc));
        if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) // set this always to be true
            s->mac_reg[RDH] = 0;
        /* see comment in start_xmit; same here */
        if (s->mac_reg[RDH] == rdh_start) {
            DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
                   rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
            set_ics(s, 0, E1000_ICS_RXO);
            return -1;
        }
    } while (desc_offset < total_size); // desc_offset will always be 0, infinite loop
    ...
    return size;
}

By setting desc.buffer_addr = NULL, many statements are skipped, and by setting s->mac_reg[RDH], s->mac_reg[RDLEN] and some other variables appropriately, an infinite loop in the do-while cycle can be reached. Since desc_offset is never advanced in that case, the loop condition never becomes false, and because RDH is reset to 0 on every pass the RDH wraparound check does not terminate the loop either.
Acknowledgments: Name: Li Qiang (Qihoo 360 Inc.)
Created attachment 1152885 [details] DoS result
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1420081]
*** This bug has been marked as a duplicate of bug 1298570 ***