From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43903)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1aJeRR-0006GA-Vl
	for qemu-devel@nongnu.org; Thu, 14 Jan 2016 04:43:42 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1aJeRR-0004m8-71
	for qemu-devel@nongnu.org; Thu, 14 Jan 2016 04:43:41 -0500
Date: Thu, 14 Jan 2016 11:43:30 +0200
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <1452764448-17953-1-git-send-email-mst@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Peter Crosthwaite <crosthwaite.peter@gmail.com>, Jason Wang <jasowang@redhat.com>, Prasad Pandit <ppandit@redhat.com>, qemu-arm@nongnu.org, =?us-ascii?B?PT9VVEYtOD9xPz1FNT04OD05OD1FND1CQj1BND89?= <liuling-it@360.cn>, Alistair Francis <alistair.francis@xilinx.com>

gem_receive copies a packet received from network into an rxbuf[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: =E5=88=98=E4=BB=A4 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/net/cadence_gem.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 3639fc1..15a0786 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
             break;
         }
=20
+        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packe=
t)) {
+            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x=
%x\n",
+                     (unsigned)packet_desc_addr,
+                     (unsigned)tx_desc_get_length(desc),
+                     sizeof(tx_packet) - (p - tx_packet));
+            break;
+        }
+
         /* Gather this fragment of the packet from "dma memory" to our c=
ontig.
          * buffer.
          */
--=20
MST