From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
qemu-stable@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
P J P <pjp@fedoraproject.org>
Subject: [Qemu-devel] [PULL 2/3] net: add checks to validate ring buffer pointers(CVE-2015-5279)
Date: Tue, 15 Sep 2015 13:02:30 +0100 [thread overview]
Message-ID: <1442318551-27609-3-git-send-email-stefanha@redhat.com> (raw)
In-Reply-To: <1442318551-27609-1-git-send-email-stefanha@redhat.com>
From: P J P <pjp@fedoraproject.org>
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/ne2000.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 53c704a..3798a3b 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
}
index = s->curpag << 8;
+ if (index >= NE2000_PMEM_END) {
+ index = s->start;
+ }
/* 4 bytes for header */
total_len = size + 4;
/* address for next packet (4 bytes for CRC) */
@@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
offset = addr | (page << 4);
switch(offset) {
case EN0_STARTPG:
- s->start = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->start = val << 8;
+ }
break;
case EN0_STOPPG:
- s->stop = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->stop = val << 8;
+ }
break;
case EN0_BOUNDARY:
- s->boundary = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->boundary = val;
+ }
break;
case EN0_IMR:
s->imr = val;
@@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
s->phys[offset - EN1_PHYS] = val;
break;
case EN1_CURPAG:
- s->curpag = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->curpag = val;
+ }
break;
case EN1_MULT ... EN1_MULT + 7:
s->mult[offset - EN1_MULT] = val;
--
2.4.3
next prev parent reply other threads:[~2015-09-15 12:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-15 12:02 [Qemu-devel] [PULL 0/3] Net patches Stefan Hajnoczi
2015-09-15 12:02 ` [Qemu-devel] [PULL 1/3] e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815) Stefan Hajnoczi
2015-09-15 12:02 ` Stefan Hajnoczi [this message]
2015-09-15 12:02 ` [Qemu-devel] [PULL 3/3] net: avoid infinite loop when receiving packets(CVE-2015-5278) Stefan Hajnoczi
2015-09-15 13:04 ` [Qemu-devel] [PULL 0/3] Net patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1442318551-27609-3-git-send-email-stefanha@redhat.com \
--to=stefanha@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).