All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jason Wang <jasowang@redhat.com>
To: Peter Crosthwaite <crosthwaitepeter@gmail.com>,
	Peter Maydell <peter.maydell@linaro.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Prasad Pandit" <ppandit@redhat.com>,
	qemu-arm <qemu-arm@nongnu.org>, 刘令 <liuling-it@360.cn>,
	"Alistair Francis" <alistair.francis@xilinx.com>
Subject: Re: [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
Date: Mon, 18 Jan 2016 11:14:03 +0800	[thread overview]
Message-ID: <569C587B.3080505@redhat.com> (raw)
In-Reply-To: <CAPokK=reMoLQ_CF_LgtmezkFZyUrSB3Oh_gB9kKZ=0Ztspq5Ag@mail.gmail.com>



On 01/15/2016 02:19 PM, Peter Crosthwaite wrote:
> On Thu, Jan 14, 2016 at 2:03 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 14 January 2016 at 09:43, Michael S. Tsirkin <mst@redhat.com> wrote:
>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>> array on stack, with size limited by descriptor length set by guest.  If
>>> guest is malicious and specifies a descriptor length that is too large,
>>> and should packet size exceed array size, this results in a buffer
>>> overflow.
>>>
>>> Reported-by: 刘令 <liuling-it@360.cn>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>>> ---
>>>  hw/net/cadence_gem.c | 8 ++++++++
>>>  1 file changed, 8 insertions(+)
>>>
>>> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
>>> index 3639fc1..15a0786 100644
>>> --- a/hw/net/cadence_gem.c
>>> +++ b/hw/net/cadence_gem.c
>>> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
>>>              break;
>>>          }
>>>
>>> +        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
>>> +            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
>>> +                     (unsigned)packet_desc_addr,
>>> +                     (unsigned)tx_desc_get_length(desc),
>>> +                     sizeof(tx_packet) - (p - tx_packet));
>>> +            break;
>>> +        }
>> Is this what the real hardware does in this situation?
>> Should we log this as a guest error?
>>
> I'm not sure it is a guest error. I think its just a shortcut in the
> original implementation. I guess QEMU needs the whole packet before
> handing off to the net layer and the assumption is that the packet is
> always within 2048. I think the hardware is just going to put the data
> on the wire as it goes.

If we are not sure this is what real hardware did, dropping looks more
safe than sending the truncated packets on the wire.

>  The easiest solution is to realloc the buffer
> as it goes with the increasing sizes.

This could allow possible DOS from guest (see
cde31a0e3dc0e4ac83e454d6096350cec584adf1).

> Otherwise you could refactor the
> code to be two pass over the descriptor ring section (containing the
> packet). If we want to fix the buffer overflow more urgently, the
> correct error would be an assert().
>
> Regards,
> Peter

Let's avoid putting guest trigger-able assert() here. The patch looks
good for fixing the issue. Refactoring could be done on top.

Thanks

>
>>> +
>>>          /* Gather this fragment of the packet from "dma memory" to our contig.
>>>           * buffer.
>>>           */
>>> --
>>> MST
>>>
>> thanks
>> -- PMM
>>


WARNING: multiple messages have this Message-ID (diff)
From: Jason Wang <jasowang@redhat.com>
To: Peter Crosthwaite <crosthwaitepeter@gmail.com>,
	Peter Maydell <peter.maydell@linaro.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Prasad Pandit" <ppandit@redhat.com>,
	qemu-arm <qemu-arm@nongnu.org>, 刘令 <liuling-it@360.cn>,
	"Alistair Francis" <alistair.francis@xilinx.com>
Subject: Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
Date: Mon, 18 Jan 2016 11:14:03 +0800	[thread overview]
Message-ID: <569C587B.3080505@redhat.com> (raw)
In-Reply-To: <CAPokK=reMoLQ_CF_LgtmezkFZyUrSB3Oh_gB9kKZ=0Ztspq5Ag@mail.gmail.com>



On 01/15/2016 02:19 PM, Peter Crosthwaite wrote:
> On Thu, Jan 14, 2016 at 2:03 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 14 January 2016 at 09:43, Michael S. Tsirkin <mst@redhat.com> wrote:
>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>> array on stack, with size limited by descriptor length set by guest.  If
>>> guest is malicious and specifies a descriptor length that is too large,
>>> and should packet size exceed array size, this results in a buffer
>>> overflow.
>>>
>>> Reported-by: 刘令 <liuling-it@360.cn>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>>> ---
>>>  hw/net/cadence_gem.c | 8 ++++++++
>>>  1 file changed, 8 insertions(+)
>>>
>>> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
>>> index 3639fc1..15a0786 100644
>>> --- a/hw/net/cadence_gem.c
>>> +++ b/hw/net/cadence_gem.c
>>> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
>>>              break;
>>>          }
>>>
>>> +        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
>>> +            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
>>> +                     (unsigned)packet_desc_addr,
>>> +                     (unsigned)tx_desc_get_length(desc),
>>> +                     sizeof(tx_packet) - (p - tx_packet));
>>> +            break;
>>> +        }
>> Is this what the real hardware does in this situation?
>> Should we log this as a guest error?
>>
> I'm not sure it is a guest error. I think its just a shortcut in the
> original implementation. I guess QEMU needs the whole packet before
> handing off to the net layer and the assumption is that the packet is
> always within 2048. I think the hardware is just going to put the data
> on the wire as it goes.

If we are not sure this is what real hardware did, dropping looks more
safe than sending the truncated packets on the wire.

>  The easiest solution is to realloc the buffer
> as it goes with the increasing sizes.

This could allow possible DOS from guest (see
cde31a0e3dc0e4ac83e454d6096350cec584adf1).

> Otherwise you could refactor the
> code to be two pass over the descriptor ring section (containing the
> packet). If we want to fix the buffer overflow more urgently, the
> correct error would be an assert().
>
> Regards,
> Peter

Let's avoid putting guest trigger-able assert() here. The patch looks
good for fixing the issue. Refactoring could be done on top.

Thanks

>
>>> +
>>>          /* Gather this fragment of the packet from "dma memory" to our contig.
>>>           * buffer.
>>>           */
>>> --
>>> MST
>>>
>> thanks
>> -- PMM
>>

  parent reply	other threads:[~2016-01-18  3:14 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-14  9:43 [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow Michael S. Tsirkin
2016-01-14  9:43 ` [Qemu-devel] " Michael S. Tsirkin
2016-01-14 10:03 ` [Qemu-arm] " Peter Maydell
2016-01-14 10:03   ` [Qemu-devel] " Peter Maydell
2016-01-14 10:11   ` Michael S. Tsirkin
2016-01-14 10:11     ` [Qemu-devel] " Michael S. Tsirkin
2016-01-15  6:19   ` Peter Crosthwaite
2016-01-15  6:19     ` [Qemu-devel] " Peter Crosthwaite
2016-01-15  8:06     ` P J P
2016-01-15  8:06       ` [Qemu-devel] " P J P
2016-01-16  0:20       ` Alistair Francis
2016-01-16  5:23         ` [Qemu-arm] [Qemu-devel] " P J P
2016-01-16  5:23           ` [Qemu-devel] [Qemu-arm] " P J P
2016-01-18  3:14     ` Jason Wang [this message]
2016-01-18  3:14       ` Jason Wang
2016-01-14 10:23 ` [Qemu-devel] " P J P
2016-01-15  3:16 ` Jason Wang
2016-01-15  5:39   ` [Qemu-arm] " P J P
2016-01-15  5:39     ` P J P
2016-01-18  6:50 ` [Qemu-arm] " Jason Wang
2016-01-18  6:50   ` Jason Wang
2016-01-18  7:04   ` Peter Crosthwaite
2016-01-18  8:12     ` [Qemu-arm] " Jason Wang
2016-01-18  8:12       ` Jason Wang
2016-01-18  9:08       ` [Qemu-arm] " Peter Crosthwaite
2016-01-18  9:08         ` Peter Crosthwaite
2016-01-18  9:57         ` [Qemu-arm] " Jason Wang
2016-01-18  9:57           ` Jason Wang
2016-01-18 10:06           ` [Qemu-devel] [Qemu-arm] " Peter Maydell
2016-01-18 16:54             ` [Qemu-arm] [Qemu-devel] " Alistair Francis
2016-01-18 16:54               ` [Qemu-devel] [Qemu-arm] " Alistair Francis
2016-01-19  2:48               ` [Qemu-arm] [Qemu-devel] " Jason Wang
2016-01-19  2:48                 ` [Qemu-devel] [Qemu-arm] " Jason Wang
2016-01-19  2:48             ` [Qemu-arm] [Qemu-devel] " Jason Wang
2016-01-19  2:48               ` [Qemu-devel] [Qemu-arm] " Jason Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=569C587B.3080505@redhat.com \
    --to=jasowang@redhat.com \
    --cc=alistair.francis@xilinx.com \
    --cc=crosthwaitepeter@gmail.com \
    --cc=liuling-it@360.cn \
    --cc=mst@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=ppandit@redhat.com \
    --cc=qemu-arm@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.