Proxmox-Port/qemu
1
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2025-08-09 01:50:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

cadence_gem: fix buffer overflow

Browse Source 
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
This commit is contained in:
Michael S. Tsirkin 2016-01-14 11:43:30 +02:00 committed by Jason Wang
parent 244381ec19
commit d7f053652f
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/net/cadence_gem.c
View File

@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
break; break;
} }
if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) {
DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n",
(unsigned)packet_desc_addr,
(unsigned)tx_desc_get_length(desc),
sizeof(tx_packet) - (p - tx_packet));
break;
}
/* Gather this fragment of the packet from "dma memory" to our contig. /* Gather this fragment of the packet from "dma memory" to our contig.
* buffer. * buffer.
*/ */