[Qemu-devel] [PULL V2 04/17] cadence_gem: fix buffer overflow

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PULL V2 04/17] cadence_gem: fix buffer overflow

From:	Jason Wang
Subject:	[Qemu-devel] [PULL V2 04/17] cadence_gem: fix buffer overflow
Date:	Thu, 4 Feb 2016 16:31:33 +0800

From: "Michael S. Tsirkin" <address@hidden>

gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: 刘令 <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
 hw/net/cadence_gem.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index e513d9d..0346f3e 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
             break;
         }
 
+        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
+            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
+                     (unsigned)packet_desc_addr,
+                     (unsigned)tx_desc_get_length(desc),
+                     sizeof(tx_packet) - (p - tx_packet));
+            break;
+        }
+
         /* Gather this fragment of the packet from "dma memory" to our contig.
          * buffer.
          */
-- 
2.5.0

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PULL V2 00/17] Net patches, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 01/17] net/slirp: Tell the users when they are using deprecated options, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 02/17] qemu-doc: Do not promote deprecated -smb and -redir options, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 05/17] slirp: goto bad in udp_input if sosendto fails, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 06/17] slirp: Generalizing and neutralizing ARP code, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 07/17] slirp: Adding address family switch for produced frames, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 03/17] net: cadence_gem: check packet size in gem_recieve, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 04/17] cadence_gem: fix buffer overflow, Jason Wang <=
- [Qemu-devel] [PULL V2 08/17] slirp: Make Socket structure IPv6 compatible, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 09/17] slirp: Factorizing address translation, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 10/17] slirp: Factorizing and cleaning solookup(), Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 11/17] slirp: Add sockaddr_equal, make solookup family-agnostic, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 12/17] slirp: Make udp_attach IPv6 compatible, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 13/17] slirp: Adding family argument to tcp_fconnect(), Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 14/17] e1000: eliminate infinite loops on out-of-bounds transfer start, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 15/17] net: netmap: use nm_open() to open netmap ports, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 16/17] net: always walk through filters in reverse if traffic is egress, Jason Wang, 2016/02/04
- [Qemu-devel] [PULL V2 17/17] net/filter: Fix the output information for command 'info network', Jason Wang, 2016/02/04

Prev by Date: [Qemu-devel] [PULL V2 03/17] net: cadence_gem: check packet size in gem_recieve
Next by Date: [Qemu-devel] [PULL V2 08/17] slirp: Make Socket structure IPv6 compatible
Previous by thread: [Qemu-devel] [PULL V2 03/17] net: cadence_gem: check packet size in gem_recieve
Next by thread: [Qemu-devel] [PULL V2 08/17] slirp: Make Socket structure IPv6 compatible
Index(es):
- Date
- Thread