From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48711)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aQQpq-0007ph-Ri
	for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:55 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aQQpn-00007Y-Ku
	for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:54 -0500
Received: from mx1.redhat.com ([209.132.183.28]:37594)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1aQQpn-00006w-Fh
	for qemu-devel@nongnu.org; Mon, 01 Feb 2016 21:36:51 -0500
From: Jason Wang <jasowang@redhat.com>
Date: Tue,  2 Feb 2016 10:36:08 +0800
Message-Id: <1454380581-7881-5-git-send-email-jasowang@redhat.com>
In-Reply-To: <1454380581-7881-1-git-send-email-jasowang@redhat.com>
References: <1454380581-7881-1-git-send-email-jasowang@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 04/17] cadence_gem: fix buffer overflow
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Cc: Jason Wang <jasowang@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>

From: "Michael S. Tsirkin" <mst@redhat.com>

gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest.  If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.

Reported-by: =E5=88=98=E4=BB=A4 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/cadence_gem.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index e513d9d..0346f3e 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -867,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s)
             break;
         }
=20
+        if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packe=
t)) {
+            DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x=
%x\n",
+                     (unsigned)packet_desc_addr,
+                     (unsigned)tx_desc_get_length(desc),
+                     sizeof(tx_packet) - (p - tx_packet));
+            break;
+        }
+
         /* Gather this fragment of the packet from "dma memory" to our c=
ontig.
          * buffer.
          */
--=20
2.5.0