[pve-qemu-kvm.git] / debian / patches / net-add-checks-to-validate-ring-buffer-pointers.patch

From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
From: P J P <pjp@fedoraproject.org>
Date: Tue, 15 Sep 2015 16:40:49 +0530
Subject: [PATCH] net: add checks to validate ring buffer pointers

Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
bytes to process network packets. While receiving packets
via ne2000_receive() routine, a local 'index' variable
could exceed the ring buffer size, which could lead to a
memory buffer overflow. Added other checks at initialisation.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: P J P <pjp@fedoraproject.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/net/ne2000.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 3492db3..9278571 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
     }
 
     index = s->curpag << 8;
+    if (index >= NE2000_PMEM_END) {
+        index = s->start;
+    }
     /* 4 bytes for header */
     total_len = size + 4;
     /* address for next packet (4 bytes for CRC) */
@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         offset = addr | (page << 4);
         switch(offset) {
         case EN0_STARTPG:
-            s->start = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->start = val << 8;
+            }
             break;
         case EN0_STOPPG:
-            s->stop = val << 8;
+            if (val << 8 <= NE2000_PMEM_END) {
+                s->stop = val << 8;
+            }
             break;
         case EN0_BOUNDARY:
-            s->boundary = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->boundary = val;
+            }
             break;
         case EN0_IMR:
             s->imr = val;
@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             s->phys[offset - EN1_PHYS] = val;
             break;
         case EN1_CURPAG:
-            s->curpag = val;
+            if (val << 8 < NE2000_PMEM_END) {
+                s->curpag = val;
+            }
             break;
         case EN1_MULT ... EN1_MULT + 7:
             s->mult[offset - EN1_MULT] = val;
-- 
1.7.0.4
Commit	Line	Data
08f20d79 WB	1	From 7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755 Mon Sep 17 00:00:00 2001
	2	From: P J P <pjp@fedoraproject.org>
	3	Date: Tue, 15 Sep 2015 16:40:49 +0530
	4	Subject: [PATCH] net: add checks to validate ring buffer pointers
	5
	6	Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
	7	bytes to process network packets. While receiving packets
	8	via ne2000_receive() routine, a local 'index' variable
	9	could exceed the ring buffer size, which could lead to a
	10	memory buffer overflow. Added other checks at initialisation.
	11
	12	Reported-by: Qinghao Tang <luodalongde@gmail.com>
	13	Signed-off-by: P J P <pjp@fedoraproject.org>
	14	Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
	15	(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
	16	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
	17	---
	18	hw/net/ne2000.c \| 19 +++++++++++++++----
	19	1 files changed, 15 insertions(+), 4 deletions(-)
	20
	21	diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
	22	index 3492db3..9278571 100644
	23	--- a/hw/net/ne2000.c
	24	+++ b/hw/net/ne2000.c
	25	@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
	26	}
	27
	28	index = s->curpag << 8;
	29	+ if (index >= NE2000_PMEM_END) {
	30	+ index = s->start;
	31	+ }
	32	/* 4 bytes for header */
	33	total_len = size + 4;
	34	/* address for next packet (4 bytes for CRC) */
	35	@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
	36	offset = addr \| (page << 4);
	37	switch(offset) {
	38	case EN0_STARTPG:
	39	- s->start = val << 8;
	40	+ if (val << 8 <= NE2000_PMEM_END) {
	41	+ s->start = val << 8;
	42	+ }
	43	break;
	44	case EN0_STOPPG:
	45	- s->stop = val << 8;
	46	+ if (val << 8 <= NE2000_PMEM_END) {
	47	+ s->stop = val << 8;
	48	+ }
	49	break;
	50	case EN0_BOUNDARY:
	51	- s->boundary = val;
	52	+ if (val << 8 < NE2000_PMEM_END) {
	53	+ s->boundary = val;
	54	+ }
	55	break;
	56	case EN0_IMR:
	57	s->imr = val;
	58	@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
	59	s->phys[offset - EN1_PHYS] = val;
	60	break;
	61	case EN1_CURPAG:
	62	- s->curpag = val;
	63	+ if (val << 8 < NE2000_PMEM_END) {
	64	+ s->curpag = val;
65	+ }
66	break;
67	case EN1_MULT ... EN1_MULT + 7:
68	s->mult[offset - EN1_MULT] = val;
69	--
70	1.7.0.4
71