authorJose R Ziviani <jose.ziviani@suse.com>2021-07-29 15:56:08 -0600
committerwanchao-xu <wanchao.xu@samsung.com>2024-01-09 19:55:47 +0800
commit3cd6b2e7788594ca1bc50279c830e0d3fa8fbb15 (patch)
tree11cc7c9e5b07de14d55ebb5c1ebc424951a7c48e
parentea8f95813979aa76158ee1f7ebb8479794c68d67 (diff)
net: eepro100: validate various address values
Git-commit: 000000000000000000000000000000000000000000000 References: bsc#1182651, CVE-2021-20255 Patch based on discussion: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html While processing controller commands, eepro100 emulator gets command unit(CU) base address OR receive unit (RU) base address OR command block (CB) address from guest. If these values are not checked, it may lead to an infinite loop kind of issues. Add checks to avoid it. Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-By: Jose R Ziviani <jose.ziviani@suse.com>
-rw-r--r--hw/net/eepro100.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index cc2dd8b1c..de235e863 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -279,6 +279,9 @@ typedef struct {
/* Quasi static device properties (no need to save them). */
uint16_t stats_size;
bool has_extended_tcb_support;
+
+ /* Flag to avoid recursions. */
+ bool busy;
} EEPRO100State;
/* Word indices in EEPROM. */
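Review bot: The new `busy` field sits under the existing "Quasi static device properties (no need to save them)" comment, but it is transient run-time state rather than a device property, so that heading now misdescribes it. A comment of its own would be clearer, for example `/* Set while action_command() is running; blocks re-entry from guest-triggered writes. Not migrated: always false outside action_command(). */`. If the device has a reset path that reinitialises EEPRO100State, it is worth confirming that `busy` is cleared there too; that code is not visible in this diff.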
@@ -837,6 +840,13 @@ static void action_command(EEPRO100State *s)
Therefore we limit the number of iterations. */
unsigned max_loop_count = 16;
+ if (s->busy) {
+ /* Prevent recursions. */
+ logout("recursion in %s:%u\n", __FILE__, __LINE__);
+ return;
+ }
+ s->busy = true;
+
for (;;) {
bool bit_el;
bool bit_s;
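Review bot: The `logout("recursion in %s:%u\n", ...)` call in the new `if (s->busy)` branch is unconditional, so a guest that can reach this path can presumably make the host process emit a log line on every attempt. Other messages in this function are gated, as in `TRACE(OTHER, logout("CU list empty\n"));`, and the same wrapping here, `TRACE(OTHER, logout("recursion in %s:%u\n", __FILE__, __LINE__));`, would keep the diagnostic without making it guest-controlled output. The subject line speaks of validating address values, while the lines visible here add only a re-entrancy guard, so the `/* Prevent recursions. */` comment could name the re-entry path it blocks. The body of action_command continues outside this hunk.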
@@ -933,6 +943,7 @@ static void action_command(EEPRO100State *s)
}
TRACE(OTHER, logout("CU list empty\n"));
/* List is empty. Now CU is idle or suspended. */
+ s->busy = false;
}
static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
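Review bot: `s->busy = false;` is cleared only on the fall-through at the very end of action_command, so any `return` inside the `for (;;)` loop, now or added later, would leave the flag set and every subsequent CU command would be dropped by the new guard. The loop body lies between the hunks and is not visible here, so this needs checking against the full function. A comment at the clear such as `/* Only exit point after busy is set; loop paths must break, not return. */` would protect the invariant, or the clear could sit under a single `out:` label that all exits jump to.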