[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[qemu-xen master] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Fri, 30 Oct 2020 22:07:18 +0000
Delivery-date: Fri, 30 Oct 2020 22:07:20 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 5519724a13664b43e225ca05351c60b4468e4555
Author:     Mauro Matteo Cascella <mcascell@xxxxxxxxxx>
AuthorDate: Fri Jul 10 11:19:41 2020 +0200
Commit:     Jason Wang <jasowang@xxxxxxxxxx>
CommitDate: Tue Jul 21 21:30:39 2020 +0800

    hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
    
    A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
    occurs while sending an Ethernet frame due to missing break statements
    and improper checking of the buffer size.
    
    Reported-by: Ziming Zhang <ezrakiez@xxxxxxxxx>
    Signed-off-by: Mauro Matteo Cascella <mcascell@xxxxxxxxxx>
    Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
    Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
---
 hw/net/xgmac.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
index 574dd47b41..5bf1b61012 100644
--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
         }
         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
 
+        /*
+         * FIXME: these cases of malformed tx descriptors (bad sizes)
+         * should probably be reported back to the guest somehow
+         * rather than simply silently stopping processing, but we
+         * don't know what the hardware does in this situation.
+         * This will only happen for buggy guests anyway.
+         */
         if ((bd.buffer1_size & 0xfff) > 2048) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
                          __func__, bd.buffer1_size & 0xfff);
+            break;
         }
         if ((bd.buffer2_size & 0xfff) != 0) {
             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
                         __func__, bd.buffer2_size & 0xfff);
+            break;
         }
-        if (len >= sizeof(frame)) {
+        if (frame_size + len >= sizeof(frame)) {
             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-                        "buffer\n" , __func__, len, sizeof(frame));
+                        "buffer\n" , __func__, frame_size + len, 
sizeof(frame));
             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
                         __func__, bd.buffer1_size, bd.buffer2_size);
+            break;
         }
 
         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

Prev by Date: [qemu-xen master] hw/net: Added plen fix for IPv6
Next by Date: [qemu-xen master] Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
Previous by thread: [qemu-xen master] hw/net: Added plen fix for IPv6
Next by thread: [qemu-xen master] xhci: fix valid.max_access_size to access address registers
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.