From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53167) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bmnGY-0003Pn-PY for qemu-devel@nongnu.org; Wed, 21 Sep 2016 15:33:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bmnGV-0002e4-Hb for qemu-devel@nongnu.org; Wed, 21 Sep 2016 15:33:10 -0400 Received: from mx1.redhat.com ([209.132.183.28]:48468) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bmnGV-0002dd-BL for qemu-devel@nongnu.org; Wed, 21 Sep 2016 15:33:07 -0400 References: <1474465547-31638-1-git-send-email-ppandit@redhat.com> <99c87ec2-40d3-3b7d-8e11-f2e90cc3a2ec@redhat.com> From: Paolo Bonzini Message-ID: <5925e77f-5b3d-ad38-c537-2066726866e3@redhat.com> Date: Wed, 21 Sep 2016 21:33:01 +0200 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH] net: mcf: check buffer descriptor length List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: P J P Cc: Qemu Developers , Jason Wang , Li Qiang On 21/09/2016 19:50, P J P wrote: > +-- On Wed, 21 Sep 2016, Paolo Bonzini wrote --+ > | On 21/09/2016 15:45, P J P wrote: > | > DPRINTF("tx_bd %x flags %04x len %d data %08x\n", > | > addr, bd.flags, bd.length, bd.data); > | > - if ((bd.flags & FEC_BD_R) == 0) { > | > + if (!bd.length || (bd.flags & FEC_BD_R) == 0) { > | > /* Run out of descriptors to transmit. */ > | > break; > | > } > | > | Is this a bug? > > Yes, a guest user can control the contents of buffer descriptor 'bd' and > could set its length to zero and bd.flags to FEC_BD_R; Thus making the loop > run infinite iterations. Not exactly, because addr changes on every call to mcf_fec_read_bd. You can add a limit (e.g. 1024 or 2048 descriptors), but the patches are incorrect. Paolo > Thank you. > -- > Prasad J Pandit / Red Hat Product Security Team > 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F >