[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
From: |
Peter Maydell |
Subject: |
Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow |
Date: |
Thu, 14 Jan 2016 10:03:15 +0000 |
On 14 January 2016 at 09:43, Michael S. Tsirkin <address@hidden> wrote:
> gem_receive copies a packet received from network into an rxbuf[2048]
> array on stack, with size limited by descriptor length set by guest. If
> guest is malicious and specifies a descriptor length that is too large,
> and should packet size exceed array size, this results in a buffer
> overflow.
>
> Reported-by: 刘令 <address@hidden>
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
> hw/net/cadence_gem.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
> index 3639fc1..15a0786 100644
> --- a/hw/net/cadence_gem.c
> +++ b/hw/net/cadence_gem.c
> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
> break;
> }
>
> + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
> + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space
> 0x%x\n",
> + (unsigned)packet_desc_addr,
> + (unsigned)tx_desc_get_length(desc),
> + sizeof(tx_packet) - (p - tx_packet));
> + break;
> + }
Is this what the real hardware does in this situation?
Should we log this as a guest error?
> +
> /* Gather this fragment of the packet from "dma memory" to our
> contig.
> * buffer.
> */
> --
> MST
>
thanks
-- PMM
Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, P J P, 2016/01/14
Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/14
Re: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow, Jason Wang, 2016/01/18