From 36aaba8935eed9e893bbab1bfa7dafd81b6766e1 Mon Sep 17 00:00:00 2001
From: Zhang Bo
Date: Fri, 30 Sep 2022 12:24:58 +0800
Subject: [PATCH] net: tulip: Restrict DMA engine to memories(CVE-2022-2962)

fix CVE-2022-2962. The DMA engine is started by I/O access and then itself accesses the I/O registers, triggering a teentrancy bug. Fix this bug by restricting the DMA engine to memories regions.

Signed-off-by: Zheyu Ma
Signed-off-by: Jason Wang
Signed-off-by: Zhang Bo
---
 hw/net/tulip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index d5b6cc5ee6..5f8badefca 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = {
 static void tulip_desc_read(TULIPState *s, hwaddr p,
 struct tulip_descriptor *desc)
 {
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };

 if (s->csr[0] & CSR0_DBO) {
 ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
 static void tulip_desc_write(TULIPState *s, hwaddr p,
 struct tulip_descriptor *desc)
 {
- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
+ const MemTxAttrs attrs = { .memory = true };

 if (s->csr[0] & CSR0_DBO) {
 stl_be_pci_dma(&s->dev, p, desc->status, attrs);
--
Gitee
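Review bot: The context call `ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);` in tulip_desc_read still discards its result, and with `.memory = true` a descriptor address that resolves to a non-memory region is presumably now refused rather than dispatched, so `*desc` may keep whatever the caller had in it. Consider checking the result against `MEMTX_OK` and clearing the descriptor on failure, e.g. `memset(desc, 0, sizeof(*desc));`, so later ring processing does not act on stale fields; the same applies to the `stl_be_pci_dma` call in the tulip_desc_write hunk, where a refused write-back would go unnoticed. Both function bodies continue outside the hunks, and so do the device's other DMA paths (such as packet buffer copies), which are not visible here and should be confirmed to carry the same memory-only restriction. A one-line comment above each `attrs`, such as `/* memory-only: descriptors must not resolve to MMIO (CVE-2022-2962 re-entrancy) */`, would help keep the initializer from being reverted to `MEMTXATTRS_UNSPECIFIED`.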