[Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
@ 2016-08-09  2:24 chaojianhu
  2016-08-09  2:32 ` no-reply
  2016-08-09  3:51 ` Jason Wang
  0 siblings, 2 replies; 5+ messages in thread
From: chaojianhu @ 2016-08-09  2:24 UTC (permalink / raw)
  To: qemu-devel
  Cc: qemu-trivial, edgar.iglesias, alistair.francis, jasowang,
	qemu-arm, chaojianhu

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowd. All versions of qemu with　xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>

---
 hw/net/xilinx_ethlite.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..6d3eecc 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size);
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
  2016-08-09  2:24 [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite chaojianhu
@ 2016-08-09  2:32 ` no-reply
  2016-08-09  3:51 ` Jason Wang
  1 sibling, 0 replies; 5+ messages in thread
From: no-reply @ 2016-08-09  2:32 UTC (permalink / raw)
  To: chaojianhu
  Cc: famz, qemu-devel, qemu-trivial, jasowang, alistair.francis,
	qemu-arm, edgar.iglesias

Hi,

Your series seems to have some coding style problems. See output below for
more information:

Message-id: BLU437-SMTP43591ADA801E900D4BCE81DB1C0@phx.gbl
Type: series
Subject: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
    echo "Checking PATCH $n/$total: $(git show --no-patch --format=%s $c)..."
    if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
        failed=1
        echo
    fi
    n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
f29edf0 hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

=== OUTPUT BEGIN ===
Checking PATCH 1/1: hw/net: Fix a heap overflow in xlnx.xps-ethernetlite...
ERROR: space prohibited before that close parenthesis ')'
#26: FILE: hw/net/xilinx_ethlite.c:200:
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {

ERROR: Missing Signed-off-by: line(s)

total: 2 errors, 0 warnings, 10 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
  2016-08-09  2:24 [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite chaojianhu
  2016-08-09  2:32 ` no-reply
@ 2016-08-09  3:51 ` Jason Wang
  1 sibling, 0 replies; 5+ messages in thread
From: Jason Wang @ 2016-08-09  3:51 UTC (permalink / raw)
  To: chaojianhu, qemu-devel
  Cc: qemu-trivial, edgar.iglesias, alistair.francis, qemu-arm



On 2016年08月09日 10:24, chaojianhu wrote:
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowd. All versions of qemu with　xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu <chaojianhu@hotmail.com>

Patch looks correct. But as reported, please add Signed-off-by with your 
name and repost.

Thanks

>
> ---
>   hw/net/xilinx_ethlite.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..6d3eecc 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
>       }
>   
>       D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4 ) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size);
> +        return -1;
> +    }
>       memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>   
>       s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
@ 2016-08-09  3:52 chaojianhu
  2016-08-09  7:26 ` Jason Wang
  0 siblings, 1 reply; 5+ messages in thread
From: chaojianhu @ 2016-08-09  3:52 UTC (permalink / raw)
  To: qemu-devel
  Cc: qemu-trivial, edgar.iglesias, alistair.francis, jasowang,
	qemu-arm, chaojianhu

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>

---
 hw/net/xilinx_ethlite.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..35de353 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
  2016-08-09  3:52 chaojianhu
@ 2016-08-09  7:26 ` Jason Wang
  0 siblings, 0 replies; 5+ messages in thread
From: Jason Wang @ 2016-08-09  7:26 UTC (permalink / raw)
  To: chaojianhu, qemu-devel
  Cc: qemu-trivial, edgar.iglesias, alistair.francis, qemu-arm



On 2016年08月09日 11:52, chaojianhu wrote:
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu <chaojianhu@hotmail.com>
> Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
>
> ---
>   hw/net/xilinx_ethlite.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..35de353 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
>       }
>   
>       D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size));
> +        return -1;
> +    }
>       memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>   
>       s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;

Applied, thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-08-09  7:27 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-09  2:24 [Qemu-devel] [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite chaojianhu
2016-08-09  2:32 ` no-reply
2016-08-09  3:51 ` Jason Wang
  -- strict thread matches above, loose matches on Subject: below --
2016-08-09  3:52 chaojianhu
2016-08-09  7:26 ` Jason Wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).