* [Qemu-devel] [PULL 1/3] e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P
From: P J P <pjp@fedoraproject.org>
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' were to become zero; add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
---
hw/net/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 5c6bcd0..09c9e9d 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
memmove(tp->data, tp->header, tp->hdr_len);
tp->size = tp->hdr_len;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentation error\n");
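Review bot: when bytes is 0 the new condition exits the loop with split_size still non-zero, and nothing records that the descriptor was abandoned; the `else if (!tp->tse && tp->cptse)` branch right below reports its failure with `DBGOUT(TXERR, ...)`, so the same should happen here, e.g. after the loop: `if (split_size) DBGOUT(TXERR, "TSE descriptor with zero segment size\n");`. Better still, reject the hdr_len == 0 / mss == 0 combination named in the commit message before any DMA is issued, so the loop never sees bytes == 0 in the first place rather than relying on the exit condition to mask it.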
--
2.4.3
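How a zero 'bytes' stalls the loop, as an added example written for this page (a C model, not QEMU's hw/net/e1000.c and not part of the patch). Only the loop condition is visible above; the model assumes that each pass reads at most (hdr_len + mss) - size bytes into the buffer and emits a segment when that total is reached, so hdr_len == 0 and mss == 0 cap every pass at 0 bytes. run_split_loop() takes the guest-controlled values as parameters and runs the loop with either the pre-fix condition (`while (split_size -= bytes)`) or the fixed one (`while (bytes && split_size)`) behind an iteration guard, returning how many passes ran and how much of split_size was consumed.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not QEMU's hw/net/e1000.c: a model of the TSE (TCP
 * segmentation) loop in process_tx_desc(). The page shows only the loop
 * condition; the body below is an assumption about how 'bytes' is derived:
 * each pass buffers at most (hdr_len + mss) - size bytes and emits a segment
 * whenever that total is reached. With hdr_len == 0 and mss == 0 the cap is
 * 0, so bytes == 0 on every pass. */

#define MAX_ITER 100000L   /* guard so the pre-fix loop can be demonstrated */

struct split_result {
    long   iterations;   /* passes through the loop, -1 if the guard tripped */
    size_t consumed;     /* bytes actually taken from split_size */
    size_t segments;     /* segments "transmitted" */
};

struct split_result run_split_loop(size_t hdr_len, size_t mss,
                                   size_t split_size, int fixed)
{
    struct split_result res = { 0, 0, 0 };
    size_t msh = hdr_len + mss;      /* max segment size including header */
    size_t size = 0;                 /* bytes currently in tp->data */
    size_t remaining = split_size;
    size_t bytes;

    for (;;) {
        if (++res.iterations > MAX_ITER) {
            res.iterations = -1;     /* would spin forever */
            break;
        }
        bytes = remaining;
        if (size + bytes > msh)
            bytes = msh - size;      /* 0 when msh == 0 */
        size += bytes;               /* stands in for pci_dma_read() */
        if (size == msh) {
            res.segments++;          /* stands in for xmit_seg() */
            size = hdr_len;          /* header is kept for the next segment */
        }
        remaining -= bytes;
        /* pre-fix: while (split_size -= bytes); fixed: while (bytes && split_size) */
        if (fixed ? !(bytes && remaining) : !remaining)
            break;
    }
    res.consumed = split_size - remaining;
    return res;
}

int main(void)
{
    struct split_result ok  = run_split_loop(54, 1460, 3000, 1);
    struct split_result bad = run_split_loop(0, 0, 100, 1);
    struct split_result old = run_split_loop(0, 0, 100, 0);

    printf("normal: %ld passes, %zu bytes, %zu segments\n",
           ok.iterations, ok.consumed, ok.segments);
    printf("zero mss/hdr_len, fixed: %ld pass(es), %zu of 100 bytes consumed\n",
           bad.iterations, bad.consumed);
    printf("zero mss/hdr_len, pre-fix: %s\n",
           old.iterations < 0 ? "guard tripped" : "terminated");
    return 0;
}
```

With the fix, the zero case terminates after one pass but consumes none of the 100 bytes, so the remainder of the descriptor is abandoned rather than transmitted; a caller that wants to notice that compares consumed against split_size.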
* [Qemu-devel] [PULL 2/3] net: add checks to validate ring buffer pointers(CVE-2015-5279)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P
From: P J P <pjp@fedoraproject.org>
The Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via the ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Other checks were added at initialisation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/ne2000.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 53c704a..3798a3b 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
}
index = s->curpag << 8;
+ if (index >= NE2000_PMEM_END) {
+ index = s->start;
+ }
/* 4 bytes for header */
total_len = size + 4;
/* address for next packet (4 bytes for CRC) */
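Review bot: the fallback `index = s->start` is not guaranteed to be in range, because the EN0_STARTPG check further down accepts `val << 8 <= NE2000_PMEM_END`, so s->start can be NE2000_PMEM_END, the very value this `>=` test just rejected. Either make the start-page write check strict (`<`) or drop the packet when curpag is out of range instead of substituting another register; a guest whose current page points outside the buffer has misprogrammed the ring, and silently redirecting the write to s->start hides that. A DBGOUT here would also help when debugging a guest driver.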
@@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
offset = addr | (page << 4);
switch(offset) {
case EN0_STARTPG:
- s->start = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->start = val << 8;
+ }
break;
case EN0_STOPPG:
- s->stop = val << 8;
+ if (val << 8 <= NE2000_PMEM_END) {
+ s->stop = val << 8;
+ }
break;
case EN0_BOUNDARY:
- s->boundary = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->boundary = val;
+ }
break;
case EN0_IMR:
s->imr = val;
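Review bot: the bounds differ between registers without explanation: EN0_STARTPG and EN0_STOPPG use `<=` while EN0_BOUNDARY uses `<`, so a start page equal to NE2000_PMEM_END >> 8 (one page past the buffer) is accepted while the same page is rejected as a boundary; `<=` is right for stop, an exclusive end, but start should be `<`. Nothing relates the two registers either, so start == stop or start > stop still passes, which leaves ne2000_receive() with an empty or inverted window. Suggest parenthesising `(val << 8)` for readability, using `<` for STARTPG, and rejecting a write that would make start >= stop. Writes that are dropped here are dropped silently and keep the old value; a DBGOUT would let a misbehaving driver be diagnosed.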
@@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
s->phys[offset - EN1_PHYS] = val;
break;
case EN1_CURPAG:
- s->curpag = val;
+ if (val << 8 < NE2000_PMEM_END) {
+ s->curpag = val;
+ }
break;
case EN1_MULT ... EN1_MULT + 7:
s->mult[offset - EN1_MULT] = val;
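Review bot: EN1_CURPAG is validated only against NE2000_PMEM_END, not against the [start, stop) window programmed in the previous hunk, so the receive path still has to re-check index on every packet (as the first hunk does); comparing `val << 8` with s->start and s->stop here, or a comment stating that ne2000_receive() is the authoritative check, would make the contract clear. As with the other registers, the rejected write is ignored silently and the previous curpag stays in effect; a DBGOUT would help.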
--
2.4.3
* [Qemu-devel] [PULL 3/3] net: avoid infinite loop when receiving packets(CVE-2015-5278)
From: Stefan Hajnoczi @ 2015-09-15 12:02 UTC (permalink / raw)
To: qemu-devel; +Cc: Peter Maydell, qemu-stable, Stefan Hajnoczi, P J P
From: P J P <pjp@fedoraproject.org>
The Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. While receiving packets
via the ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, leading to an infinite
loop situation.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/net/ne2000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3798a3b..010f9ef 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
if (index <= s->stop)
avail = s->stop - index;
else
- avail = 0;
+ break;
len = size;
if (len > avail)
len = avail;
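Review bot: `break` leaves the function with part of the packet already copied into the ring; the rest of ne2000_receive() is not in the hunk, so please confirm that curpag is not advanced and the guest is not told a packet arrived in that case, otherwise it reads a truncated frame. The boundary case also deserves a look: when index == s->stop the `<=` test yields avail == 0 and therefore len == 0, and whether the copy loop then makes progress depends on s->start < s->stop, which PULL 2/3 does not enforce (start and stop are each checked only against NE2000_PMEM_END). A check that s->start < s->stop before entering the loop, plus a DBGOUT on the new break, would close that off.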
--
2.4.3
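Why the index checks in PULL 2/3 and the loop exit in PULL 3/3 both matter, as an added example written for this page (a C model, not QEMU's hw/net/ne2000.c): the guest-programmable page registers, a 4-byte receive header and the copy loop that wraps at stop are modelled in roughly the shape of the device, with ring_program() enforcing the relation between registers that per-register bounds alone do not (start inside the buffer, start < stop, curpag inside the window). NE2000_MEM_SIZE (49152) is the value from the commit message; NE2000_PMEM_END being equal to it, the 256-byte page size and the header layout are assumptions of the model. per_register_ok() mirrors the patch's per-register test so the configurations it still accepts can be compared with ring_program(), and ring_receive() keeps the invariant start <= index < stop so every pass of the copy loop makes progress.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example for this page: a model of the ne2000 receive ring, not
 * QEMU's hw/net/ne2000.c. NE2000_MEM_SIZE (49152 bytes) is from the commit
 * message; NE2000_PMEM_END == NE2000_MEM_SIZE, the 256-byte page and the
 * 4-byte receive header are assumptions that simplify the real device. */

#define NE2000_MEM_SIZE 49152u
#define NE2000_PMEM_END NE2000_MEM_SIZE
#define PAGE_SHIFT      8
#define PAGE_SIZE       (1u << PAGE_SHIFT)
#define RX_HDR_LEN      4u    /* status, next page, length lo, length hi */

struct ne2000_ring {
    uint8_t  mem[NE2000_MEM_SIZE];
    uint32_t start;    /* first byte of the receive window (page << 8) */
    uint32_t stop;     /* one past the last byte of the window */
    uint8_t  curpag;   /* page at which the next frame is stored */
};

struct ne2000_ring g_ring;            /* zero-initialised: unprogrammed */
static uint8_t sample_frame[2048];    /* constructed input, not a capture */

/* Fill n bytes with 0, 1, 2, ... so positions can be checked after a wrap. */
const uint8_t *sample_frame_fill(size_t n)
{
    if (n > sizeof sample_frame)
        n = sizeof sample_frame;
    for (size_t i = 0; i < n; i++)
        sample_frame[i] = (uint8_t)i;
    return sample_frame;
}

/* The per-register bounds of the patch: each page is compared with
 * NE2000_PMEM_END on its own; nothing relates start to stop. */
bool per_register_ok(uint8_t start_pg, uint8_t stop_pg)
{
    return ((uint32_t)start_pg << PAGE_SHIFT) <= NE2000_PMEM_END &&
           ((uint32_t)stop_pg  << PAGE_SHIFT) <= NE2000_PMEM_END;
}

/* Stricter programming check: start strictly inside the buffer, stop at most
 * one past it, a non-empty window, and curpag inside that window. */
bool ring_program(struct ne2000_ring *r, uint8_t start_pg, uint8_t stop_pg,
                  uint8_t cur_pg)
{
    uint32_t start = (uint32_t)start_pg << PAGE_SHIFT;
    uint32_t stop  = (uint32_t)stop_pg  << PAGE_SHIFT;
    uint32_t cur   = (uint32_t)cur_pg   << PAGE_SHIFT;

    if (start >= NE2000_PMEM_END || stop > NE2000_PMEM_END)
        return false;
    if (start >= stop)                 /* empty window: avail would be 0 */
        return false;
    if (cur < start || cur >= stop)
        return false;
    r->start = start;
    r->stop = stop;
    r->curpag = cur_pg;
    return true;
}

/* Store one frame (header + data) at curpag, wrapping at stop. Returns the
 * number of 256-byte pages consumed, or -1 if the frame is dropped. Inside the
 * copy loop start <= index < stop holds, so avail >= 1 on every pass. */
long ring_receive(struct ne2000_ring *r, const uint8_t *buf, size_t size)
{
    uint32_t index  = (uint32_t)r->curpag << PAGE_SHIFT;
    uint32_t window = r->stop - r->start;
    uint32_t total, pages, next;

    if (r->start >= r->stop || index < r->start || index >= r->stop)
        return -1;                     /* ring misprogrammed: drop, do not patch up */
    if (size > NE2000_MEM_SIZE)
        return -1;
    total = (uint32_t)size + RX_HDR_LEN;
    pages = (total + PAGE_SIZE - 1) / PAGE_SIZE;
    if (pages * PAGE_SIZE > window)
        return -1;                     /* frame larger than the whole window */

    next = index + pages * PAGE_SIZE;  /* page of the frame after this one */
    if (next >= r->stop)
        next -= window;
    r->mem[index + 0] = 0x01;                          /* status: received OK */
    r->mem[index + 1] = (uint8_t)(next >> PAGE_SHIFT);
    r->mem[index + 2] = (uint8_t)(total & 0xff);
    r->mem[index + 3] = (uint8_t)(total >> 8);
    index += RX_HDR_LEN;               /* still < stop: pages are 256-aligned */

    while (size > 0) {
        uint32_t avail = r->stop - index;
        size_t len = size < avail ? size : avail;
        memcpy(r->mem + index, buf, len);
        buf += len;
        index += len;
        size -= len;
        if (index == r->stop)
            index = r->start;
    }
    r->curpag = (uint8_t)(next >> PAGE_SHIFT);
    return (long)pages;
}
```

Programming start == stop (for example both 0x60) passes per_register_ok() but is refused by ring_program(), and a frame offered to a ring that was never programmed, or that does not fit in the window, is dropped with -1 rather than copied with a substituted index; refusing keeps the guest's error visible and leaves the ring contents untouched.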
* Re: [Qemu-devel] [PULL 0/3] Net patches
From: Peter Maydell @ 2015-09-15 13:04 UTC (permalink / raw)
To: Stefan Hajnoczi; +Cc: QEMU Developers, qemu-stable
On 15 September 2015 at 13:02, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> The following changes since commit 2752e5bedb26fa0c7291f810f9f534b688b2f1d2:
>
> qapi: Fix cgen() for Python older than 2.7 (2015-09-14 18:02:59 +0100)
>
> are available in the git repository at:
>
> git://github.com/stefanha/qemu.git tags/net-pull-request
>
> for you to fetch changes up to 737d2b3c41d59eb8f94ab7eb419b957938f24943:
>
> net: avoid infinite loop when receiving packets(CVE-2015-5278) (2015-09-15 12:51:14 +0100)
>
> ----------------------------------------------------------------
> This net pull request contains security fixes for qemu.git/master. The patches
> should also be applied to stable trees.
>
> The ne2000 NIC model has a QEMU memory corruption issue. Both ne2000 and e1000
> have an infinite loop.
>
> Please see the patches for CVE numbers and details on the bugs.
>
> ----------------------------------------------------------------
Applied to master, thanks.
-- PMM