50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
|
|
From: Petr Matousek <pmatouse@redhat.com>
|
|
Date: Sun, 24 May 2015 10:53:44 +0200
|
|
Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
|
|
|
|
4096 is the maximum length per TMD and it is also currently the size of
|
|
the relay buffer pcnet driver uses for sending the packet data to QEMU
|
|
for further processing. With packet spanning multiple TMDs it can
|
|
happen that the overall packet size will be bigger than sizeof(buffer),
|
|
which results in memory corruption.
|
|
|
|
Fix this by only allowing to queue maximum sizeof(buffer) bytes.
|
|
|
|
This is CVE-2015-3209.
|
|
|
|
[Fixed 3-space indentation to QEMU's 4-space coding standard.
|
|
--Stefan]
|
|
|
|
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
|
Reported-by: Matt Tait <matttait@google.com>
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
---
|
|
hw/net/pcnet.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
|
index bdfd38f..68b9981 100644
|
|
--- a/hw/net/pcnet.c
|
|
+++ b/hw/net/pcnet.c
|
|
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
|
|
}
|
|
|
|
bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
|
|
+
|
|
+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
|
|
+ Note: this is not what real hw does */
|
|
+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
|
|
+ s->xmit_pos = -1;
|
|
+ goto txdone;
|
|
+ }
|
|
+
|
|
s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
|
|
s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
|
|
s->xmit_pos += bcnt;
|
|
--
|
|
2.2.1
|
|
|