From: Anthony Liguori <anthony@codemonkey.ws>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: alex.williamson@redhat.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: [PATCH RFC] e1000: fix access 4 bytes beyond buffer end
Date: Mon, 12 Jul 2010 16:38:06 -0500 [thread overview]
Message-ID: <4C3B8B3E.6050504@codemonkey.ws> (raw)
In-Reply-To: <20100712213023.GB13707@redhat.com>
On 07/12/2010 04:30 PM, Michael S. Tsirkin wrote:
> On Mon, Jul 12, 2010 at 04:07:21PM -0500, Anthony Liguori wrote:
>
>> On 07/12/2010 12:48 PM, Michael S. Tsirkin wrote:
>>
>>> We do range check for size, and get size as buffer,
>>> but copy size + 4 bytes (4 is for FCS).
>>> Let's copy size bytes but put size + 4 in length.
>>>
>>> Signed-off-by: Michael S. Tsirkin<mst@redhat.com>
>>>
>> I think I'd feel slightly better if we zero'd out the FCS before
>> writing it to the guest. It is potentially a data leak.
>>
> It's the buffer guest allocated, and we leave it untouched.
> How does this leak data?
>
Sorry, you're right.
Reviewed-by: Anthony Liguori <aliguori@us.ibm.com>
Regards,
Anthony Liguori
>
>> Regards,
>>
>> Anthony Liguori
>>
>>
>>> ---
>>>
>>> Anthony, Alex, please review.
>>>
>>> hw/e1000.c | 3 +--
>>> 1 files changed, 1 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/hw/e1000.c b/hw/e1000.c
>>> index 0da65f9..70aba11 100644
>>> --- a/hw/e1000.c
>>> +++ b/hw/e1000.c
>>> @@ -649,7 +649,6 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
>>> }
>>>
>>> rdh_start = s->mac_reg[RDH];
>>> - size += 4; // for the header
>>> do {
>>> if (s->mac_reg[RDH] == s->mac_reg[RDT]&& s->check_rxov) {
>>> set_ics(s, 0, E1000_ICS_RXO);
>>> @@ -663,7 +662,7 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
>>> if (desc.buffer_addr) {
>>> cpu_physical_memory_write(le64_to_cpu(desc.buffer_addr),
>>> (void *)(buf + vlan_offset), size);
>>> - desc.length = cpu_to_le16(size);
>>> + desc.length = cpu_to_le16(size + 4 /* for FCS */);
>>> desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM;
>>> } else // as per intel docs; skip descriptors with null buf addr
>>> DBGOUT(RX, "Null RX descriptor!!\n");
>>>
next prev parent reply other threads:[~2010-07-12 21:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-12 17:48 [Qemu-devel] [PATCH RFC] e1000: fix access 4 bytes beyond buffer end Michael S. Tsirkin
2010-07-12 20:18 ` [Qemu-devel] " Alex Williamson
2010-07-12 21:07 ` Anthony Liguori
2010-07-12 21:30 ` Michael S. Tsirkin
2010-07-12 21:38 ` Anthony Liguori [this message]
2010-07-12 22:42 ` Michael S. Tsirkin
2010-07-12 23:00 ` Anthony Liguori
2010-07-13 6:35 ` Gleb Natapov
2010-07-13 11:11 ` Michael S. Tsirkin
2010-07-13 11:23 ` Gleb Natapov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C3B8B3E.6050504@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=alex.williamson@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.