From: Jason Wang <jasowang@redhat.com>
To: Peter Crosthwaite <crosthwaitepeter@gmail.com>,
Peter Maydell <peter.maydell@linaro.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Prasad Pandit" <ppandit@redhat.com>,
qemu-arm <qemu-arm@nongnu.org>, 刘令 <liuling-it@360.cn>,
"Alistair Francis" <alistair.francis@xilinx.com>
Subject: Re: [Qemu-devel] [Qemu-arm] [PATCH] cadence_gem: fix buffer overflow
Date: Mon, 18 Jan 2016 11:14:03 +0800 [thread overview]
Message-ID: <569C587B.3080505@redhat.com> (raw)
In-Reply-To: <CAPokK=reMoLQ_CF_LgtmezkFZyUrSB3Oh_gB9kKZ=0Ztspq5Ag@mail.gmail.com>
On 01/15/2016 02:19 PM, Peter Crosthwaite wrote:
> On Thu, Jan 14, 2016 at 2:03 AM, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 14 January 2016 at 09:43, Michael S. Tsirkin <mst@redhat.com> wrote:
>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>> array on stack, with size limited by descriptor length set by guest. If
>>> guest is malicious and specifies a descriptor length that is too large,
>>> and should packet size exceed array size, this results in a buffer
>>> overflow.
>>>
>>> Reported-by: 刘令 <liuling-it@360.cn>
>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>>> ---
>>> hw/net/cadence_gem.c | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
>>> index 3639fc1..15a0786 100644
>>> --- a/hw/net/cadence_gem.c
>>> +++ b/hw/net/cadence_gem.c
>>> @@ -862,6 +862,14 @@ static void gem_transmit(CadenceGEMState *s)
>>> break;
>>> }
>>>
>>> + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
>>> + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
>>> + (unsigned)packet_desc_addr,
>>> + (unsigned)tx_desc_get_length(desc),
>>> + sizeof(tx_packet) - (p - tx_packet));
>>> + break;
>>> + }
>> Is this what the real hardware does in this situation?
>> Should we log this as a guest error?
>>
> I'm not sure it is a guest error. I think its just a shortcut in the
> original implementation. I guess QEMU needs the whole packet before
> handing off to the net layer and the assumption is that the packet is
> always within 2048. I think the hardware is just going to put the data
> on the wire as it goes.
If we are not sure this is what real hardware did, dropping looks more
safe than sending the truncated packets on the wire.
> The easiest solution is to realloc the buffer
> as it goes with the increasing sizes.
This could allow possible DOS from guest (see
cde31a0e3dc0e4ac83e454d6096350cec584adf1).
> Otherwise you could refactor the
> code to be two pass over the descriptor ring section (containing the
> packet). If we want to fix the buffer overflow more urgently, the
> correct error would be an assert().
>
> Regards,
> Peter
Let's avoid putting guest trigger-able assert() here. The patch looks
good for fixing the issue. Refactoring could be done on top.
Thanks
>
>>> +
>>> /* Gather this fragment of the packet from "dma memory" to our contig.
>>> * buffer.
>>> */
>>> --
>>> MST
>>>
>> thanks
>> -- PMM
>>
next prev parent reply other threads:[~2016-01-18 3:14 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-14 9:43 [Qemu-devel] [PATCH] cadence_gem: fix buffer overflow Michael S. Tsirkin
2016-01-14 10:03 ` [Qemu-devel] [Qemu-arm] " Peter Maydell
2016-01-14 10:11 ` Michael S. Tsirkin
2016-01-15 6:19 ` Peter Crosthwaite
2016-01-15 8:06 ` P J P
2016-01-16 0:20 ` Alistair Francis
2016-01-16 5:23 ` P J P
2016-01-18 3:14 ` Jason Wang [this message]
2016-01-14 10:23 ` [Qemu-devel] " P J P
2016-01-15 3:16 ` Jason Wang
2016-01-15 5:39 ` P J P
2016-01-18 6:50 ` Jason Wang
2016-01-18 7:04 ` Peter Crosthwaite
2016-01-18 8:12 ` Jason Wang
2016-01-18 9:08 ` Peter Crosthwaite
2016-01-18 9:57 ` Jason Wang
2016-01-18 10:06 ` [Qemu-devel] [Qemu-arm] " Peter Maydell
2016-01-18 16:54 ` Alistair Francis
2016-01-19 2:48 ` Jason Wang
2016-01-19 2:48 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=569C587B.3080505@redhat.com \
--to=jasowang@redhat.com \
--cc=alistair.francis@xilinx.com \
--cc=crosthwaitepeter@gmail.com \
--cc=liuling-it@360.cn \
--cc=mst@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=ppandit@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).