Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow

From:	Jason Wang
Subject:	Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow
Date:	Fri, 15 Jan 2016 11:16:31 +0800
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1


On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
> gem_receive copies a packet received from network into an rxbuf[2048]
> array on stack, with size limited by descriptor length set by guest.  If
> guest is malicious and specifies a descriptor length that is too large,
> and should packet size exceed array size, this results in a buffer
> overflow.
>
> Reported-by: 刘令 <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
>  hw/net/cadence_gem.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
> index 3639fc1..15a0786 100644
> --- a/hw/net/cadence_gem.c
> +++ b/hw/net/cadence_gem.c
> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
>              break;
>          }
>  
> +        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
> +            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 
> 0x%x\n",
> +                     (unsigned)packet_desc_addr,
> +                     (unsigned)tx_desc_get_length(desc),
> +                     sizeof(tx_packet) - (p - tx_packet));
> +            break;
> +        }
> +
>          /* Gather this fragment of the packet from "dma memory" to our 
> contig.
>           * buffer.
>           */

Looks like we need similar issue in gen_receive(), need to fix that?

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Michael S. Tsirkin, 2016/01/14
- Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Peter Maydell, 2016/01/14
  - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Michael S. Tsirkin, 2016/01/14
  - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Peter Crosthwaite, 2016/01/15
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, P J P, 2016/01/15
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Alistair Francis, 2016/01/15
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, P J P, 2016/01/16
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/17
- Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, P J P, 2016/01/14
- Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang <=
  - Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, P J P, 2016/01/15
- Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18
  - Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Peter Crosthwaite, 2016/01/18
    - Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18
    - Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Peter Crosthwaite, 2016/01/18
    - Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Peter Maydell, 2016/01/18
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Alistair Francis, 2016/01/18
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18
    - Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18

Prev by Date: Re: [Qemu-devel] [PATCH] intel_iommu: large page support
Next by Date: [Qemu-devel] [PATCH 4/6] migration/ram: Fix some helper functions' parameter to use PageSearchStatus
Previous by thread: Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow
Next by thread: Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow
Index(es):
- Date
- Thread