+-- On Thu, 14 Jan 2016, Michael S. Tsirkin wrote --+
| gem_receive copies a packet received from network into an rxbuf[2048]
| array on stack, with size limited by descriptor length set by guest. If
| guest is malicious and specifies a descriptor length that is too large,
| and should packet size exceed array size, this results in a buffer
| overflow.
|
| diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
| index 3639fc1..15a0786 100644
| --- a/hw/net/cadence_gem.c
| +++ b/hw/net/cadence_gem.c
| @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
| break;
| }
|
| + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
| + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
| + (unsigned)packet_desc_addr,
| + (unsigned)tx_desc_get_length(desc),
| + sizeof(tx_packet) - (p - tx_packet));
| + break;
| + }
| +
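Review bot: the third DB_PRINT argument in this hunk, `sizeof(tx_packet) - (p - tx_packet)`, is a size_t passed to a `%x` conversion, while the two arguments before it are explicitly cast to unsigned; cast it the same way, `(unsigned)(sizeof(tx_packet) - (p - tx_packet))`, or switch that conversion to `%zx`, otherwise the variadic call has a type mismatch that -Wformat will flag and that prints garbage on LP64 targets. The commit message also needs to match the hunk: it describes gem_receive and rxbuf[2048], but the check added here guards tx_packet in gem_transmit, so the message should describe the transmit-side overflow this prevents (and if the receive path has the same problem, that is a separate hunk). Finally, `break` drops the rest of the frame silently once a descriptor claims more than the remaining room; it is worth stating in the commit message whether a dropped frame, rather than an error reported back to the guest, is the intended behaviour.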
Commit message says gem_receive, but the patch fixes the gem_transmit() routine.
--
- P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
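The pattern the patch fixes, as an added stand-alone example (not QEMU code and not part of the thread): a guest-filled descriptor ring supplies fragment lengths, the device concatenates the fragments into a fixed-size frame buffer, and the only thing standing between a hostile length word and a stack overflow is a check against the room left in that buffer. The descriptor layout, the buffer sizes, the "guest memory" contents and all function names are assumptions made for this example; the check itself is the same comparison the patch adds, `length > sizeof(buf) - (p - buf)`, rather than a comparison against sizeof(buf) alone.

```c
/*
 * Added example (not QEMU code): scaled-down model of a descriptor-driven
 * transmit path.  Every field in struct tx_desc is guest-controlled, so the
 * length is validated against the *remaining* room in the frame buffer and
 * the address against the bounds of guest memory before any copy.
 * Names, sizes and layout are assumptions for this example only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX      2048   /* assumed device frame buffer size */
#define GUEST_MEM_SIZE 4096   /* size of the constructed "guest memory" */

struct tx_desc {
    uint32_t addr;    /* offset of the fragment in guest memory */
    uint32_t length;  /* guest-controlled fragment length */
    int      last;    /* non-zero on the last fragment of a frame */
};

enum tx_status { TX_OK = 0, TX_DESC_TOO_LARGE, TX_BAD_ADDR, TX_NO_LAST };

struct tx_result {
    enum tx_status status;
    size_t len;       /* assembled frame length when status == TX_OK */
};

/* Assemble one frame from the ring into frame[frame_size].  The room check
 * uses frame_size - (p - frame), the space left after earlier fragments:
 * fragments that each fit on their own can still overflow once chained. */
static enum tx_status assemble_frame(const struct tx_desc *ring, size_t nring,
                                     const uint8_t *guest_mem, size_t guest_len,
                                     uint8_t *frame, size_t frame_size,
                                     size_t *out_len)
{
    uint8_t *p = frame;

    for (size_t i = 0; i < nring; i++) {
        size_t room = frame_size - (size_t)(p - frame);

        if (ring[i].length > room) {
            return TX_DESC_TOO_LARGE;          /* would overrun frame[] */
        }
        /* The address is untrusted too: keep the read inside guest memory. */
        if (ring[i].addr > guest_len || ring[i].length > guest_len - ring[i].addr) {
            return TX_BAD_ADDR;
        }
        memcpy(p, guest_mem + ring[i].addr, ring[i].length);
        p += ring[i].length;

        if (ring[i].last) {
            *out_len = (size_t)(p - frame);
            return TX_OK;
        }
    }
    return TX_NO_LAST;        /* ring exhausted without a last descriptor */
}

/* Run a constructed ring against constructed guest memory (byte i = i & 0xff). */
static struct tx_result run_ring(const struct tx_desc *ring, size_t nring)
{
    static uint8_t guest_mem[GUEST_MEM_SIZE];
    uint8_t frame[FRAME_MAX];
    struct tx_result r = { TX_OK, 0 };

    for (size_t i = 0; i < sizeof guest_mem; i++) {
        guest_mem[i] = (uint8_t)i;
    }
    r.status = assemble_frame(ring, nring, guest_mem, sizeof guest_mem,
                              frame, sizeof frame, &r.len);
    return r;
}

/* Well-formed frame: a 14-byte fragment followed by a 60-byte fragment. */
struct tx_result benign_case(void)
{
    const struct tx_desc ring[] = { { 0, 14, 0 }, { 64, 60, 1 } };
    return run_ring(ring, 2);
}

/* One descriptor claiming 0x10000 bytes: an unchecked memcpy would run far
 * past the end of a 2048-byte stack buffer. */
struct tx_result oversized_case(void)
{
    const struct tx_desc ring[] = { { 0, 0x10000, 1 } };
    return run_ring(ring, 1);
}

/* 1500 + 1000 bytes: each fragment is below FRAME_MAX, so a check against
 * sizeof(frame) alone would accept both; the remaining-room check rejects
 * the second. */
struct tx_result chained_overflow_case(void)
{
    const struct tx_desc ring[] = { { 0, 1500, 0 }, { 1500, 1000, 1 } };
    return run_ring(ring, 2);
}

/* Fits the frame but would read 104 bytes past the end of guest memory. */
struct tx_result bad_addr_case(void)
{
    const struct tx_desc ring[] = { { 4000, 200, 1 } };
    return run_ring(ring, 1);
}

int main(void)
{
    struct tx_result r = benign_case();
    printf("benign: status %d, %zu bytes\n", r.status, r.len);
    printf("oversized: status %d\n", oversized_case().status);
    printf("chained: status %d\n", chained_overflow_case().status);
    printf("bad addr: status %d\n", bad_addr_case().status);
    return 0;
}
```

The chained case is the one worth keeping in mind when reviewing checks of this shape: comparing the descriptor length against the whole buffer size instead of against the space left after the fragments already copied would pass both 1500 and 1000 and still overflow by 452 bytes.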