[pve-qemu-kvm.git] / debian / patches / CVE-2015-8743-ne2000-ioport-bounds-check.patch

From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 31 Dec 2015 17:05:27 +0530
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations

While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.

Reported-by: Ling Liu <liuling-it@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/ne2000.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
index 010f9ef..a3dffff 100644
--- a/hw/net/ne2000.c
+++ b/hw/net/ne2000.c
@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
                                      uint32_t val)
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
-    if (addr < 32 ||
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+    if (addr < 32
+        || (addr >= NE2000_PMEM_START
+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         stl_le_p(s->mem + addr, val);
     }
 }
@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
 static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
 {
     addr &= ~1; /* XXX: check exact behaviour if not even */
-    if (addr < 32 ||
-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
+    if (addr < 32
+        || (addr >= NE2000_PMEM_START
+            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
         return ldl_le_p(s->mem + addr);
     } else {
         return 0xffffffff;
-- 
2.1.4
Commit	Line	Data
1c771352 WB	1	From ab216355b6d509dce42fda4391f61b49df2ddc93 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Thu, 31 Dec 2015 17:05:27 +0530
	4	Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
	5
	6	While doing ioport r/w operations, ne2000 device emulation suffers
	7	from OOB r/w errors. Update respective array bounds check to avoid
	8	OOB access.
	9
	10	Reported-by: Ling Liu <liuling-it@360.cn>
	11	Cc: qemu-stable@nongnu.org
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13	Signed-off-by: Jason Wang <jasowang@redhat.com>
	14	---
	15	hw/net/ne2000.c \| 10 ++++++----
	16	1 file changed, 6 insertions(+), 4 deletions(-)
	17
	18	diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
	19	index 010f9ef..a3dffff 100644
	20	--- a/hw/net/ne2000.c
	21	+++ b/hw/net/ne2000.c
	22	@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
	23	uint32_t val)
	24	{
	25	addr &= ~1; /* XXX: check exact behaviour if not even */
	26	- if (addr < 32 \|\|
	27	- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
	28	+ if (addr < 32
	29	+ \|\| (addr >= NE2000_PMEM_START
	30	+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
	31	stl_le_p(s->mem + addr, val);
	32	}
	33	}
	34	@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
	35	static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
	36	{
	37	addr &= ~1; /* XXX: check exact behaviour if not even */
	38	- if (addr < 32 \|\|
	39	- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
	40	+ if (addr < 32
	41	+ \|\| (addr >= NE2000_PMEM_START
	42	+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
	43	return ldl_le_p(s->mem + addr);
	44	} else {
	45	return 0xffffffff;
	46	--
	47	2.1.4
	48