|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-4.3-testing] pcnet: force the buffer access to be in bounds during tx
commit 8d882026216a2b9afe74d4b1ef99433620e0ba0a
Author: Petr Matousek <pmatouse@xxxxxxxxxx>
AuthorDate: Sun May 24 10:53:44 2015 +0200
Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Tue Jun 23 11:43:35 2015 +0100
pcnet: force the buffer access to be in bounds during tx
4096 is the maximum length per TMD and it is also currently the size of
the relay buffer pcnet driver uses for sending the packet data to QEMU
for further processing. With packet spanning multiple TMDs it can
happen that the overall packet size will be bigger than sizeof(buffer),
which results in memory corruption.
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
This is CVE-2015-3209.
Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
Reported-by: Matt Tait <matttait@xxxxxxxxxx>
Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
---
hw/pcnet.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/hw/pcnet.c b/hw/pcnet.c
index 9f3e1cc..4e81267 100644
--- a/hw/pcnet.c
+++ b/hw/pcnet.c
@@ -1282,6 +1282,14 @@ static void pcnet_transmit(PCNetState *s)
}
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
+ Note: this is not what real hw does */
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
+ s->xmit_pos = -1;
+ goto txdone;
+ }
+
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
s->xmit_pos += bcnt;
--
generated by git-patchbot for /home/xen/git/qemu-xen-4.3-testing.git
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |