qemu-arm

Re: [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow


From: P J P
Subject: Re: [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
Date: Thu, 14 Jan 2016 15:53:38 +0530 (IST)

+-- On Thu, 14 Jan 2016, Michael S. Tsirkin wrote --+
| gem_receive copies a packet received from network into an rxbuf[2048]
| array on stack, with size limited by descriptor length set by guest.  If
| guest is malicious and specifies a descriptor length that is too large,
| and should packet size exceed array size, this results in a buffer
| overflow.
| 
| diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
| index 3639fc1..15a0786 100644
| --- a/hw/net/cadence_gem.c
| +++ b/hw/net/cadence_gem.c
| @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
|              break;
|          }
|  
| +        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
| +            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 
0x%x\n",
| +                     (unsigned)packet_desc_addr,
| +                     (unsigned)tx_desc_get_length(desc),
| +                     sizeof(tx_packet) - (p - tx_packet));
| +            break;
| +        }
| +
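Review bot: the third DB_PRINT argument, `sizeof(tx_packet) - (p - tx_packet)`, is a `size_t` handed to a `%x` conversion, while the two arguments before it are cast to `(unsigned)`; on LP64 hosts that is a format mismatch, so cast it the same way (`(unsigned)(sizeof(tx_packet) - (p - tx_packet))`) or switch the conversion to `%zx`. The bound itself is right: the remaining space is computed from the current write pointer, so a chain of descriptors whose lengths sum past `sizeof(tx_packet)` is stopped at the first descriptor that no longer fits, before the copy.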

  Commit message says gem_receive, but the patch fixes the gem_transmit() routine.

--
 - P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
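As an added illustration of the bound the patch introduces, here is a constructed model of the descriptor-driven copy into a fixed packet buffer, with the same "length must not exceed remaining space" check applied before each copy. It is not QEMU's cadence_gem.c; the buffer size, the descriptor structure and every name (model_assemble, MODEL_PACKET_SIZE, and so on) are assumptions made for the example, and the DMA read of guest memory is replaced by a pattern fill.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TX path (not QEMU's code): a fixed-size packet
 * buffer assembled from a chain of guest-supplied descriptor lengths. */
#define MODEL_PACKET_SIZE 2048   /* assumed buffer size, as in rxbuf[2048] */

struct model_desc {
    uint32_t length;             /* guest-controlled length field */
};

/* Copy one descriptor's worth of bytes into the packet buffer, refusing any
 * descriptor whose length exceeds the space that remains. Returns 0 on
 * success, -1 when the descriptor is rejected. The bound is the one the
 * patch checks: buffer size minus bytes already written. */
static int model_append(uint8_t *packet, size_t packet_size, size_t *used,
                        const struct model_desc *desc)
{
    size_t space = packet_size - *used;
    if (desc->length > space) {
        fprintf(stderr, "descriptor too large: size 0x%x space 0x%zx\n",
                (unsigned)desc->length, space);
        return -1;
    }
    /* Stand-in for the DMA read of guest memory: fill with a pattern. */
    memset(packet + *used, 0xA5, desc->length);
    *used += desc->length;
    return 0;
}

/* Walk a descriptor chain; returns bytes assembled, or -1 if any descriptor
 * was rejected. The model stops at the first bad descriptor, as the patch's
 * `break` does. */
static long model_assemble(const struct model_desc *descs, size_t ndescs)
{
    uint8_t packet[MODEL_PACKET_SIZE];
    size_t used = 0;

    for (size_t i = 0; i < ndescs; i++) {
        if (model_append(packet, sizeof(packet), &used, &descs[i]) < 0) {
            return -1;
        }
    }
    return (long)used;
}

/* Convenience wrappers over constructed one- and two-descriptor chains. */
long model_assemble_two(uint32_t first, uint32_t second)
{
    struct model_desc chain[2] = { { first }, { second } };
    return model_assemble(chain, 2);
}

long model_assemble_one(uint32_t length)
{
    struct model_desc d = { length };
    return model_assemble(&d, 1);
}

int main(void)
{
    printf("1000 + 1000 -> %ld\n", model_assemble_two(1000, 1000));
    printf("1000 + 1048 -> %ld\n", model_assemble_two(1000, 1048));
    printf("1000 + 1049 -> %ld\n", model_assemble_two(1000, 1049));
    printf("0x10000     -> %ld\n", model_assemble_one(0x10000));
    return 0;
}
```

The second chain fills the buffer exactly (1000 + 1048 = 2048) and is accepted; the third exceeds it by one byte at the second descriptor and is rejected before any copy, which is the behaviour the patch's check gives gem_transmit().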


