* [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
@ 2015-11-30 7:38 Jason Wang
2015-11-30 7:38 ` [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) Jason Wang
2015-11-30 10:46 ` [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Michael S. Tsirkin
0 siblings, 2 replies; 6+ messages in thread
From: Jason Wang @ 2015-11-30 7:38 UTC (permalink / raw)
To: jasowang, qemu-devel; +Cc: Prasad J Pandit, qemu-stable
From: Prasad J Pandit <pjp@fedoraproject.org>
In loopback mode, pcnet_receive routine appends CRC code to the
receive buffer. If the data size given is same as the buffer size,
the appended CRC code overwrites 4 bytes after s->buffer. Added a
check to avoid that.
Reported by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/pcnet.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 0eb3cc4..309c40b 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
uint32_t fcs = ~0;
uint8_t *p = src;
- while (p != &src[size-4])
+ while (p != &src[size])
CRC(fcs, *p++);
crc_err = (*(uint32_t *)p != htonl(fcs));
}
@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
/* if multi-tmd packet outsizes s->buffer then skip it silently.
- Note: this is not what real hw does */
- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ * Note: this is not what real hw does.
+ * Last four bytes of s->buffer are used to store CRC FCS code.
+ */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
s->xmit_pos = -1;
goto txdone;
}
--
2.5.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
2015-11-30 7:38 [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Jason Wang
@ 2015-11-30 7:38 ` Jason Wang
2015-11-30 10:46 ` Michael S. Tsirkin
2015-11-30 10:46 ` [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Michael S. Tsirkin
1 sibling, 1 reply; 6+ messages in thread
From: Jason Wang @ 2015-11-30 7:38 UTC (permalink / raw)
To: jasowang, qemu-devel; +Cc: Prasad J Pandit, qemu-stable
Backends could provide a packet whose length is greater than buffer
size. Check for this and truncate the packet to avoid rx buffer
overflow in this case.
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/pcnet.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 309c40b..1f4a3db 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
int pktcount = 0;
if (!s->looptest) {
+ if (size > 4092) {
+#ifdef PCNET_DEBUG_RMD
+ fprintf(stderr, "pcnet: truncates rx packet.\n");
+#endif
+ size = 4092;
+ }
memcpy(src, buf, size);
/* no need to compute the CRC */
src[size] = 0;
--
2.5.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
2015-11-30 7:38 ` [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) Jason Wang
@ 2015-11-30 10:46 ` Michael S. Tsirkin
2015-12-01 5:06 ` Jason Wang
0 siblings, 1 reply; 6+ messages in thread
From: Michael S. Tsirkin @ 2015-11-30 10:46 UTC (permalink / raw)
To: Jason Wang; +Cc: qemu-stable, qemu-devel, Prasad J Pandit
On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote:
> Backends could provide a packet whose length is greater than buffer
> size. Check for this and truncate the packet to avoid rx buffer
> overflow in this case.
>
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> hw/net/pcnet.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 309c40b..1f4a3db 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
> int pktcount = 0;
>
> if (!s->looptest) {
> + if (size > 4092) {
> +#ifdef PCNET_DEBUG_RMD
> + fprintf(stderr, "pcnet: truncates rx packet.\n");
> +#endif
> + size = 4092;
> + }
> memcpy(src, buf, size);
> /* no need to compute the CRC */
> src[size] = 0;
> --
> 2.5.0
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512)
2015-11-30 10:46 ` Michael S. Tsirkin
@ 2015-12-01 5:06 ` Jason Wang
0 siblings, 0 replies; 6+ messages in thread
From: Jason Wang @ 2015-12-01 5:06 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: qemu-stable, qemu-devel, Prasad J Pandit
On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote:
> On Mon, Nov 30, 2015 at 03:38:23PM +0800, Jason Wang wrote:
>> Backends could provide a packet whose length is greater than buffer
>> size. Check for this and truncate the packet to avoid rx buffer
>> overflow in this case.
>>
>> Cc: Prasad J Pandit <pjp@fedoraproject.org>
>> Cc: qemu-stable@nongnu.org
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Applied to my -net. Thanks.
>
>> ---
>> hw/net/pcnet.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
>> index 309c40b..1f4a3db 100644
>> --- a/hw/net/pcnet.c
>> +++ b/hw/net/pcnet.c
>> @@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
>> int pktcount = 0;
>>
>> if (!s->looptest) {
>> + if (size > 4092) {
>> +#ifdef PCNET_DEBUG_RMD
>> + fprintf(stderr, "pcnet: truncates rx packet.\n");
>> +#endif
>> + size = 4092;
>> + }
>> memcpy(src, buf, size);
>> /* no need to compute the CRC */
>> src[size] = 0;
>> --
>> 2.5.0
>>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
2015-11-30 7:38 [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Jason Wang
2015-11-30 7:38 ` [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) Jason Wang
@ 2015-11-30 10:46 ` Michael S. Tsirkin
2015-12-01 5:05 ` Jason Wang
1 sibling, 1 reply; 6+ messages in thread
From: Michael S. Tsirkin @ 2015-11-30 10:46 UTC (permalink / raw)
To: Jason Wang; +Cc: qemu-stable, qemu-devel, Prasad J Pandit
On Mon, Nov 30, 2015 at 03:38:22PM +0800, Jason Wang wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> In loopback mode, pcnet_receive routine appends CRC code to the
> receive buffer. If the data size given is same as the buffer size,
> the appended CRC code overwrites 4 bytes after s->buffer. Added a
> check to avoid that.
>
> Reported by: Qinghao Tang <luodalongde@gmail.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> hw/net/pcnet.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 0eb3cc4..309c40b 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
> uint32_t fcs = ~0;
> uint8_t *p = src;
>
> - while (p != &src[size-4])
> + while (p != &src[size])
> CRC(fcs, *p++);
> crc_err = (*(uint32_t *)p != htonl(fcs));
> }
> @@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
> bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
>
> /* if multi-tmd packet outsizes s->buffer then skip it silently.
> - Note: this is not what real hw does */
> - if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
> + * Note: this is not what real hw does.
> + * Last four bytes of s->buffer are used to store CRC FCS code.
> + */
> + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
> s->xmit_pos = -1;
> goto txdone;
> }
> --
> 2.5.0
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504)
2015-11-30 10:46 ` [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Michael S. Tsirkin
@ 2015-12-01 5:05 ` Jason Wang
0 siblings, 0 replies; 6+ messages in thread
From: Jason Wang @ 2015-12-01 5:05 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: qemu-stable, qemu-devel, Prasad J Pandit
On 11/30/2015 06:46 PM, Michael S. Tsirkin wrote:
> On Mon, Nov 30, 2015 at 03:38:22PM +0800, Jason Wang wrote:
>> From: Prasad J Pandit <pjp@fedoraproject.org>
>>
>> In loopback mode, pcnet_receive routine appends CRC code to the
>> receive buffer. If the data size given is same as the buffer size,
>> the appended CRC code overwrites 4 bytes after s->buffer. Added a
>> check to avoid that.
>>
>> Reported by: Qinghao Tang <luodalongde@gmail.com>
>> Cc: qemu-stable@nongnu.org
>> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Applied to my -net. Thanks
>> ---
>> hw/net/pcnet.c | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
>> index 0eb3cc4..309c40b 100644
>> --- a/hw/net/pcnet.c
>> +++ b/hw/net/pcnet.c
>> @@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
>> uint32_t fcs = ~0;
>> uint8_t *p = src;
>>
>> - while (p != &src[size-4])
>> + while (p != &src[size])
>> CRC(fcs, *p++);
>> crc_err = (*(uint32_t *)p != htonl(fcs));
>> }
>> @@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s)
>> bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
>>
>> /* if multi-tmd packet outsizes s->buffer then skip it silently.
>> - Note: this is not what real hw does */
>> - if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
>> + * Note: this is not what real hw does.
>> + * Last four bytes of s->buffer are used to store CRC FCS code.
>> + */
>> + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
>> s->xmit_pos = -1;
>> goto txdone;
>> }
>> --
>> 2.5.0
>>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-12-01 5:06 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-30 7:38 [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Jason Wang
2015-11-30 7:38 ` [Qemu-devel] [PATCH for 2.5 2/2] pcnet: fix rx buffer overflow(CVE-2015-7512) Jason Wang
2015-11-30 10:46 ` Michael S. Tsirkin
2015-12-01 5:06 ` Jason Wang
2015-11-30 10:46 ` [Qemu-devel] [PATCH for 2.5 1/2] net: pcnet: add check to validate receive data size(CVE-2015-7504) Michael S. Tsirkin
2015-12-01 5:05 ` Jason Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).