* [Qemu-devel] [PULL 0/3] Net patches
@ 2016-08-09  7:34 Jason Wang
From: Jason Wang @ 2016-08-09  7:34 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Jason Wang

The following changes since commit 53279c76cf071fed07a336948d37c72e3613e0b7:

  Update version for v2.7.0-rc2 release (2016-08-08 17:26:11 +0100)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to a0d1cbdacff5df4ded16b753b38fdd9da6092968:

  hw/net: Fix a heap overflow in xlnx.xps-ethernetlite (2016-08-09 15:27:18 +0800)

----------------------------------------------------------------

----------------------------------------------------------------
Li Qiang (1):
      net: vmxnet3: check for device_active before write

Prasad J Pandit (1):
      net: check fragment length during fragmentation

chaojianhu (1):
      hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

 hw/net/net_tx_pkt.c     | 2 +-
 hw/net/vmxnet3.c        | 4 ++++
 hw/net/xilinx_ethlite.c | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)


* [Qemu-devel] [PULL 1/3] net: check fragment length during fragmentation
From: Jason Wang @ 2016-08-09  7:34 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Prasad J Pandit, qemu-stable, Jason Wang

From: Prasad J Pandit <pjp@fedoraproject.org>

The network transport abstraction layer supports packet fragmentation.
While fragmenting a packet, it checks for more fragments from the
packet length and the current fragment length. It is susceptible
to an infinite loop if the current fragment length is zero.
Add a check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/net_tx_pkt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index efd43b4..53dfaa2 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -590,7 +590,7 @@ static bool net_tx_pkt_do_sw_fragmentation(struct NetTxPkt *pkt,
 
         fragment_offset += fragment_len;
 
-    } while (more_frags);
+    } while (fragment_len && more_frags);
 
     return true;
 }
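Review bot: the new condition `} while (fragment_len && more_frags);` stops the loop once a zero-length fragment is produced, but control then falls through to the unchanged `return true;`, so the caller is told that fragmentation succeeded even though `more_frags` may still have been set and the rest of the payload was never emitted. Consider returning false (or at least logging) when the loop exits with `fragment_len == 0` and `more_frags` still true, so a truncated transmit is observable rather than reported as success. Note also that, because the check sits at the bottom of the do/while, the zero-length fragment has already gone through one iteration (including `fragment_offset += fragment_len;`) before the loop terminates; that is harmless here but worth a comment.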
-- 
2.7.4


* [Qemu-devel] [PULL 2/3] net: vmxnet3: check for device_active before write
From: Jason Wang @ 2016-08-09  7:34 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: Li Qiang, Prasad J Pandit, Jason Wang

From: Li Qiang <liqiang6-s@360.cn>

The vmxnet3 device emulator does not check whether the device is active
before using it for a write. This leads to a use-after-free issue
if the vmxnet3_io_bar0_write routine is called after the device is
deactivated. Add a check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/vmxnet3.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index bbf44ad..90f6943 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1167,6 +1167,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
 {
     VMXNET3State *s = opaque;
 
+    if (!s->device_active) {
+        return;
+    }
+
     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
                         VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
         int tx_queue_idx =
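Review bot: the early `return;` under `if (!s->device_active)` silently discards the guest's BAR0 write. Dropping the write is the safe outcome, but a guest touching the doorbell registers of a deactivated device is unexpected behaviour and is worth a trace or `qemu_log_mask` line before the `return;` so that the condition is visible to whoever debugs the guest. The commit message would also benefit from naming the path that clears `device_active` while the BAR is still mapped, since the hunk shows only the guard and not where the state is torn down.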
-- 
2.7.4


* [Qemu-devel] [PULL 3/3] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
From: Jason Wang @ 2016-08-09  7:34 UTC (permalink / raw)
  To: qemu-devel, peter.maydell; +Cc: chaojianhu, Jason Wang

From: chaojianhu <chaojianhu@hotmail.com>

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
the heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/xilinx_ethlite.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b8..35de353 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
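Review bot: the added debug line `D(qemu_log("ethlite packet is too big, size=%x\n", size));` formats `size` with `%x`, but the function signature in the hunk header declares `size_t size`, and the existing line just above already uses `%zd` for the same variable; use `%zx` or `%zu` here to avoid an argument-size mismatch between `unsigned int` and `size_t` on 64-bit hosts (it is only compiled in when the `D()` macro is enabled, which is exactly when it will bite). Style: a blank line between the `D(qemu_log(...))` call and the new `if` block would keep the function readable. The bound itself, `(R_MAX - R_RX_BUF0 - rxbase) * 4`, is checked before the `memcpy` into `s->regs`, and returning -1 from the `ssize_t` receive callback rejects the oversized frame before any bytes are copied, which is the right ordering.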
-- 
2.7.4


* Re: [Qemu-devel] [PULL 0/3] Net patches
From: Peter Maydell @ 2016-08-09 10:14 UTC (permalink / raw)
  To: Jason Wang; +Cc: QEMU Developers

On 9 August 2016 at 08:34, Jason Wang <jasowang@redhat.com> wrote:
> The following changes since commit 53279c76cf071fed07a336948d37c72e3613e0b7:
>
>   Update version for v2.7.0-rc2 release (2016-08-08 17:26:11 +0100)
>
> are available in the git repository at:
>
>   https://github.com/jasowang/qemu.git tags/net-pull-request
>
> for you to fetch changes up to a0d1cbdacff5df4ded16b753b38fdd9da6092968:
>
>   hw/net: Fix a heap overflow in xlnx.xps-ethernetlite (2016-08-09 15:27:18 +0800)
>
> ----------------------------------------------------------------
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM


* Re: [Qemu-devel] [PULL 3/3] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
From: Alistair Francis @ 2016-08-09 23:15 UTC (permalink / raw)
  To: Jason Wang; +Cc: qemu-devel@nongnu.org Developers, Peter Maydell, chaojianhu

On Tue, Aug 9, 2016 at 12:34 AM, Jason Wang <jasowang@redhat.com> wrote:
> From: chaojianhu <chaojianhu@hotmail.com>
>
> The .receive callback of xlnx.xps-ethernetlite doesn't check the length
> of data before calling memcpy. As a result, the NetClientState object in
> heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
> will be affected.
>
> Reported-by: chaojianhu <chaojianhu@hotmail.com>
> Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
>  hw/net/xilinx_ethlite.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
> index 54db2b8..35de353 100644
> --- a/hw/net/xilinx_ethlite.c
> +++ b/hw/net/xilinx_ethlite.c
> @@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
>      }
>
>      D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));

This might be too late. A new line would be great here, but no big deal.

Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>

Thanks,

Alistair

> +    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
> +        D(qemu_log("ethlite packet is too big, size=%x\n", size));
> +        return -1;
> +    }
>      memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
>
>      s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
> --
> 2.7.4
>
>

