]> git.proxmox.com Git - mirror_qemu.git/commitdiff
projects / mirror_qemu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 244381e)
cadence_gem: fix buffer overflow
authorMichael S. Tsirkin <mst@redhat.com>
Thu, 14 Jan 2016 09:43:30 +0000 (11:43 +0200)
committerJason Wang <jasowang@redhat.com>
Thu, 4 Feb 2016 05:22:06 +0000 (13:22 +0800)
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
hw/net/cadence_gem.c patch | blob | blame | history

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index e513d9d5badebc3df35730b4f47411d419d81223..0346f3e3354ffb7aa7ec6df033b09c99916614bf 100644 (file)
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
             break;
         }
 
+        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
+            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
+                     (unsigned)packet_desc_addr,
+                     (unsigned)tx_desc_get_length(desc),
+                     sizeof(tx_packet) - (p - tx_packet));
+            break;
+        }
+
         /* Gather this fragment of the packet from "dma memory" to our contig.
          * buffer.
          */
QEMU mirror