Re: [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
From: P J P
Subject: Re: [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
Date: Thu, 14 Jan 2016 15:53:38 +0530 (IST)
+-- On Thu, 14 Jan 2016, Michael S. Tsirkin wrote --+
| gem_receive copies a packet received from network into an rxbuf[2048]
| array on stack, with size limited by descriptor length set by guest. If
| guest is malicious and specifies a descriptor length that is too large,
| and should packet size exceed array size, this results in a buffer
| overflow.
|
| diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
| index 3639fc1..15a0786 100644
| --- a/hw/net/cadence_gem.c
| +++ b/hw/net/cadence_gem.c
| @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
| break;
| }
|
| + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
| + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space
0x%x\n",
| + (unsigned)packet_desc_addr,
| + (unsigned)tx_desc_get_length(desc),
| + sizeof(tx_packet) - (p - tx_packet));
| + break;
| + }
| +
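Review bot: the third DB_PRINT argument, `sizeof(tx_packet) - (p - tx_packet)`, is passed to a `%x` conversion without the `(unsigned)` cast that the other two arguments get; the expression has size_t/ptrdiff_t width, so on a 64-bit host it is a format/argument mismatch if DB_PRINT expands to a printf-style call. Cast it like the others, e.g. `(unsigned)(sizeof(tx_packet) - (p - tx_packet))`. Minor: tx_desc_get_length(desc) is evaluated twice in the new block; reading it once into a local keeps the check and the message in sync.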
Commit message says gem_receive, but the patch fixes the gem_transmit() routine.
--
- P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
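A stand-alone model of the check the patch adds, written for this page as an added example and not QEMU's cadence_gem code. The descriptor lengths are guest-controlled, so each one is compared against the space remaining in the fixed-size packet buffer rather than against its total size; that rejects both a single oversized descriptor and a chain of individually small descriptors whose sum would run past the end. The struct tx_desc, assemble_frame() and the sample descriptor chains are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a guest-filled TX descriptor (not QEMU's layout). */
struct tx_desc {
    uint32_t length;      /* guest-controlled byte count */
    const uint8_t *src;   /* guest memory holding this fragment */
};

#define TX_PACKET_MAX 2048

/*
 * Assemble a frame from a descriptor chain into tx_packet.
 * Returns the number of bytes assembled, or -1 if a descriptor does not
 * fit in the space left; nothing is copied past the end of the buffer.
 */
static int assemble_frame(const struct tx_desc *descs, size_t ndescs,
                          uint8_t *tx_packet, size_t tx_packet_size)
{
    uint8_t *p = tx_packet;

    for (size_t i = 0; i < ndescs; i++) {
        size_t len = descs[i].length;               /* read once */
        size_t space = tx_packet_size - (size_t)(p - tx_packet);

        /* Compare against remaining space, not the buffer's total size. */
        if (len > space) {
            fprintf(stderr, "TX descriptor %zu too large: size 0x%zx space 0x%zx\n",
                    i, len, space);
            return -1;
        }
        memcpy(p, descs[i].src, len);
        p += len;
    }
    return (int)(p - tx_packet);
}

/* Constructed "guest memory" used as the source of every fragment. */
static uint8_t guest_mem[4096];

/* Two fragments that fit: 1000 + 1000 bytes into 2048. */
int demo_fits(void)
{
    uint8_t tx_packet[TX_PACKET_MAX];
    struct tx_desc chain[] = {
        { 1000, guest_mem },
        { 1000, guest_mem + 1000 },
    };
    return assemble_frame(chain, 2, tx_packet, sizeof(tx_packet));
}

/* Each fragment fits alone, but the second overflows the remaining space. */
int demo_cumulative_overflow(void)
{
    uint8_t tx_packet[TX_PACKET_MAX];
    struct tx_desc chain[] = {
        { 1500, guest_mem },
        { 1000, guest_mem + 1500 },
    };
    return assemble_frame(chain, 2, tx_packet, sizeof(tx_packet));
}

/* A single descriptor larger than the whole buffer. */
int demo_single_overflow(void)
{
    uint8_t tx_packet[TX_PACKET_MAX];
    struct tx_desc chain[] = { { 4096, guest_mem } };
    return assemble_frame(chain, 1, tx_packet, sizeof(tx_packet));
}

int main(void)
{
    printf("fits: %d\n", demo_fits());
    printf("cumulative overflow: %d\n", demo_cumulative_overflow());
    printf("single overflow: %d\n", demo_single_overflow());
    return 0;
}
```

The cumulative case is the one a check against sizeof(tx_packet) alone would miss: 1500 and 1000 are each below 2048, yet the second memcpy would write 452 bytes past the end of the stack buffer.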