[Qemu-devel] [PULL 0/1] CVE-2015-3209 pcnet tx buffer fix patches

[Qemu-devel] [PULL 0/1] CVE-2015-3209 pcnet tx buffer fix patches

[Stefan Hajnoczi]

This is a security fix for CVE-2015-3209.  Please see the patch for details.

The following changes since commit b0411142f482df92717f8b4a3b746081a62b724f:

  Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150609' into staging (2015-06-09 15:29:34 +0100)

are available in the git repository at:

  git://github.com/stefanha/qemu.git tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request

for you to fetch changes up to 9f7c594c006289ad41169b854d70f5da6e400a2a:

  pcnet: force the buffer access to be in bounds during tx (2015-06-10 15:03:02 +0100)

----------------------------------------------------------------

----------------------------------------------------------------

Petr Matousek (1):
  pcnet: force the buffer access to be in bounds during tx

 hw/net/pcnet.c | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.4.2

[Qemu-devel] [PULL 1/1] pcnet: force the buffer access to be in bounds during tx

[Stefan Hajnoczi]

From: Petr Matousek <pmatouse@redhat.com>

4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.

Fix this by only allowing to queue maximum sizeof(buffer) bytes.

This is CVE-2015-3209.

[Fixed 3-space indentation to QEMU's 4-space coding standard.
--Stefan]

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Matt Tait <matttait@google.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/net/pcnet.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index bdfd38f..68b9981 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
         }
 
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+        /* if multi-tmd packet outsizes s->buffer then skip it silently.
+           Note: this is not what real hw does */
+        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+            s->xmit_pos = -1;
+            goto txdone;
+        }
+
         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
         s->xmit_pos += bcnt;
-- 
2.4.2

Re: [Qemu-devel] [PULL 0/1] CVE-2015-3209 pcnet tx buffer fix patches

[Peter Maydell]

On 10 June 2015 at 15:04, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> This is a security fix for CVE-2015-3209.  Please see the patch for details.
>
> The following changes since commit b0411142f482df92717f8b4a3b746081a62b724f:
>
>   Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150609' into staging (2015-06-09 15:29:34 +0100)
>
> are available in the git repository at:
>
>   git://github.com/stefanha/qemu.git tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request
>
> for you to fetch changes up to 9f7c594c006289ad41169b854d70f5da6e400a2a:
>
>   pcnet: force the buffer access to be in bounds during tx (2015-06-10 15:03:02 +0100)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------
>
> Petr Matousek (1):
>   pcnet: force the buffer access to be in bounds during tx
>
>  hw/net/pcnet.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

Applied, thanks.

-- PMM