* [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: P J P @ 2016-04-07 10:26 UTC (permalink / raw)
To: Qemu Developers; +Cc: Oleksandr Bazhaniuk, Jason Wang, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
When receiving packets over MIPSnet network device, it uses
receive buffer of size 1514 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/net/mipsnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
index f261011..e134b31 100644
--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
if (!mipsnet_can_receive(nc))
return 0;
+ if (size >= sizeof(s->rx_buffer)) {
+ return 0;
+ }
s->busy = 1;
/* Just accept everything. */
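Review bot: The bound in the added `if (size >= sizeof(s->rx_buffer))` also rejects a packet whose length equals the buffer size. The commit message gives the buffer as 1514 bytes, which is the length of a maximum-size Ethernet frame without FCS (14-byte header plus 1500-byte payload), so full-size frames would be dropped along with the oversized ones. If the copy that follows writes exactly `size` bytes, `size > sizeof(s->rx_buffer)` is enough to prevent the overflow; if `>=` is intentional, a comment stating why the last byte is reserved would help.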
--
2.5.5
* Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: Markus Armbruster @ 2016-04-07 15:44 UTC (permalink / raw)
To: P J P; +Cc: Oleksandr Bazhaniuk, Jason Wang, Qemu Developers, Prasad J Pandit
P J P <ppandit@redhat.com> writes:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
> receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/mipsnet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
> index f261011..e134b31 100644
> --- a/hw/net/mipsnet.c
> +++ b/hw/net/mipsnet.c
> @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
> if (!mipsnet_can_receive(nc))
> return 0;
>
> + if (size >= sizeof(s->rx_buffer)) {
> + return 0;
> + }
> s->busy = 1;
>
> /* Just accept everything. */
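Review bot: The oversized-packet path added here returns 0, the same value as the `!mipsnet_can_receive(nc)` path just above it, so the caller cannot tell "device busy" from "packet can never fit". If the net layer treats a 0 return as "not ready, retry later", an oversized packet would be held and retried rather than discarded. Consider returning a value that marks the packet as consumed or failed (for example `size` or `-1`) and stating the chosen drop semantics in a comment.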
Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
What does the physical device do when it receives such a packet?
* Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: P J P @ 2016-04-11 7:37 UTC (permalink / raw)
To: Markus Armbruster; +Cc: Qemu Developers, Oleksandr Bazhaniuk, Jason Wang
+-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
| P J P <ppandit@redhat.com> writes:
|
| > --- a/hw/net/mipsnet.c
| > +++ b/hw/net/mipsnet.c
| > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
| > if (!mipsnet_can_receive(nc))
| > return 0;
| >
| > + if (size >= sizeof(s->rx_buffer)) {
| > + return 0;
| > + }
| > s->busy = 1;
|
| Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
| What does the physical device do when it receives such a packet?
I tried to find a device specification, but couldn't find any reference
to MIPSnet.
Jason, wdyt?
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
* Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: Jason Wang @ 2016-04-11 8:27 UTC (permalink / raw)
To: P J P, Markus Armbruster; +Cc: Oleksandr Bazhaniuk, Qemu Developers
On 04/11/2016 03:37 PM, P J P wrote:
> +-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
> | P J P <ppandit@redhat.com> writes:
> |
> | > --- a/hw/net/mipsnet.c
> | > +++ b/hw/net/mipsnet.c
> | > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
> | > if (!mipsnet_can_receive(nc))
> | > return 0;
> | >
> | > + if (size >= sizeof(s->rx_buffer)) {
> | > + return 0;
> | > + }
> | > s->busy = 1;
> |
> | Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
> | What does the physical device do when it receives such a packet?
>
> I tried to find a device specification, but couldn't find any reference
> to MIPSnet.
>
> Jason, wdyt?
Can't find either. Looking at kernel driver git logs, the driver was
even removed since 2012 because it was no longer supported by MIPS.
Considering it indeed fixes a memory corruption, I tend to apply this first
for 2.6.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
* Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: P J P @ 2016-04-11 8:51 UTC (permalink / raw)
To: Jason Wang; +Cc: Markus Armbruster, Oleksandr Bazhaniuk, Qemu Developers
+-- On Mon, 11 Apr 2016, Jason Wang wrote --+
| Can't find either. Looking at kernel driver git logs, the driver was even
| removed since 2012 because it was no longer supported by MIPS. Considering it
| indeed fixes a memory corruption, I tend to apply this first for 2.6.
Okay, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
* Re: [Qemu-devel] [PATCH] net: mipsnet: check packet length against buffer
From: Jason Wang @ 2016-04-26 7:16 UTC (permalink / raw)
To: P J P, Qemu Developers; +Cc: Oleksandr Bazhaniuk, Prasad J Pandit
On 04/07/2016 06:26 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
> receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/mipsnet.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
> index f261011..e134b31 100644
> --- a/hw/net/mipsnet.c
> +++ b/hw/net/mipsnet.c
> @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
> if (!mipsnet_can_receive(nc))
> return 0;
>
> + if (size >= sizeof(s->rx_buffer)) {
> + return 0;
> + }
> s->busy = 1;
>
> /* Just accept everything. */
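Review bot: The unchanged context comment `/* Just accept everything. */` right after the new check is no longer accurate, since packets of `sizeof(s->rx_buffer)` bytes or more are now rejected before that point. Update that comment in the same patch, and add a short comment on the new `if` explaining that it guards the fixed-size `rx_buffer`.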
Apply to net-next.
Thanks